From: Jens Axboe <axboe@kernel.dk>
To: Max Gurtovoy <maxg@mellanox.com>
Cc: "linux-block@vger.kernel.org" <linux-block@vger.kernel.org>
Subject: NVMe induced NULL deref in bt_iter()
Date: Fri, 30 Jun 2017 11:26:49 -0600 [thread overview]
Message-ID: <bcc46757-6027-ed7f-22b4-e6964d0dedf0@kernel.dk> (raw)
Hi Max,
I remembered you reporting this. I think this is a regression introduced
with the scheduling, since ->rqs[] isn't static anymore. ->static_rqs[]
is, but that's not indexable by the tag we find. So I think we need to
guard those with a NULL check. The actual requests themselves are
static, so we know the memory itself isn't going away. But if we race
with completion, we could find a NULL there, validly.
Since you could reproduce it, can you try the below?
diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
index d0be72ccb091..b856b2827157 100644
--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -214,7 +214,7 @@ static bool bt_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
bitnr += tags->nr_reserved_tags;
rq = tags->rqs[bitnr];
- if (rq->q == hctx->queue)
+ if (rq && rq->q == hctx->queue)
iter_data->fn(hctx, rq, iter_data->data, reserved);
return true;
}
@@ -249,8 +249,8 @@ static bool bt_tags_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
if (!reserved)
bitnr += tags->nr_reserved_tags;
rq = tags->rqs[bitnr];
-
- iter_data->fn(rq, iter_data->data, reserved);
+ if (rq)
+ iter_data->fn(rq, iter_data->data, reserved);
return true;
}
--
Jens Axboe
next reply other threads:[~2017-06-30 17:26 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-30 17:26 Jens Axboe [this message]
2017-07-02 10:45 ` NVMe induced NULL deref in bt_iter() Max Gurtovoy
2017-07-02 10:45 ` Max Gurtovoy
2017-07-02 11:56 ` Sagi Grimberg
2017-07-02 11:56 ` Sagi Grimberg
2017-07-02 14:37 ` Max Gurtovoy
2017-07-02 14:37 ` Max Gurtovoy
2017-07-02 15:08 ` Sagi Grimberg
2017-07-02 15:08 ` Sagi Grimberg
2017-07-03 9:40 ` Ming Lei
2017-07-03 9:40 ` Ming Lei
2017-07-03 10:07 ` Sagi Grimberg
2017-07-03 10:07 ` Sagi Grimberg
2017-07-03 12:03 ` Ming Lei
2017-07-03 12:03 ` Ming Lei
2017-07-03 12:46 ` Max Gurtovoy
2017-07-03 12:46 ` Max Gurtovoy
2017-07-03 15:54 ` Ming Lei
2017-07-03 15:54 ` Ming Lei
2017-07-04 6:58 ` Sagi Grimberg
2017-07-04 6:58 ` Sagi Grimberg
2017-07-04 7:56 ` Sagi Grimberg
2017-07-04 7:56 ` Sagi Grimberg
2017-07-04 8:08 ` Ming Lei
2017-07-04 8:08 ` Ming Lei
2017-07-04 9:14 ` Sagi Grimberg
2017-07-04 9:14 ` Sagi Grimberg
2017-07-03 16:01 ` Jens Axboe
2017-07-03 16:01 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bcc46757-6027-ed7f-22b4-e6964d0dedf0@kernel.dk \
--to=axboe@kernel.dk \
--cc=linux-block@vger.kernel.org \
--cc=maxg@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.