From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 136DED26292 for ; Tue, 20 Jan 2026 19:35:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc: To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=Qcffjioq1LL8qBjWqjhqPOUQ8YaMU+dB0OCvz0g1ENI=; b=AEDd1FAhdMoKVwd5q6ytUVl5NI sUehYOx4qYAbI3Sc1zPXlBxNuXyWeuQhqmJPY16Kj/Q9mNF7tRlGmc92FHY5KZNwat79PRQJ806V4 gSBVls0/K346qFQuCCCs/ztQPiONcNdXOa6PZmO7+/sTVuYuPI8tQcTAfy1KAskoH8r2zWsXfLYMX K9UK0wg36cDonzYuqm7mjCXxQeH4185Jn5WEfzZ1hL0pEzfekFcUmwOlQUhB56PiQsHDCx84f+Yro fMMGj3AJSHUnkgrkSlYKNPfQqmzMdh3ul+O9Lgn5EQP9AQJYRgdWnonPO5b1h1nxa/EedLa3tuFme jEhpmCGg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux)) id 1viHVO-00000004NU4-3McC; Tue, 20 Jan 2026 19:35:10 +0000 Received: from sea.source.kernel.org ([172.234.252.31]) by bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux)) id 1viHVM-00000004NSu-2W9q for linux-nvme@lists.infradead.org; Tue, 20 Jan 2026 19:35:09 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sea.source.kernel.org (Postfix) with ESMTP id 9D7FB44024; Tue, 20 Jan 2026 19:35:04 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 62D90C19422; Tue, 20 Jan 2026 19:35:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1768937704; bh=lcFx5eDRBp1+97JFLWXeahJ9cdFANIDo7AWztxdtCw0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=g31Z6uLHoe74I5OwDGTXT44jK+/bsbhYaVHgLWxmgMjiLCFEuUPOB9YfVmp/emhVB qVs5yci54sodlqT5gIJeMhuNhkUkWUmi6dN71k35ZxkhXhWzrwVkcx17g59aE4LXpl HhLUy6gWFdtCrFktaTspYpaXguHzwCqE/dYMrZ769hSuGf1xR9LEtEODKl+Bgdwl+m CJtft4AAxxQM4vi82IuDhz5H6hH9jgCn1jwK9DNuD7+UtrimG75teZWRVIrE5U4yWb sSkwZzqz/KXgd4dT5ePgnUBNccF7FWshJZBE3I5zkMKv6szNIypLy/GRCsO4/JRr4t hoqZo5RS+QkHw== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Chaitanya Kulkarni , Yi Zhang , Justin Tee , Keith Busch , Sasha Levin , nareshgottumukkala83@gmail.com, paul.ely@broadcom.com, sagi@grimberg.me, linux-nvme@lists.infradead.org Subject: [PATCH AUTOSEL 6.18-6.1] nvme-fc: release admin tagset if init fails Date: Tue, 20 Jan 2026 14:34:47 -0500 Message-ID: <20260120193456.865383-4-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260120193456.865383-1-sashal@kernel.org> References: <20260120193456.865383-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.18.6 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20260120_113508_694134_722989F4 X-CRM114-Status: GOOD ( 16.32 ) X-BeenThere: linux-nvme@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Linux-nvme" Errors-To: linux-nvme-bounces+linux-nvme=archiver.kernel.org@lists.infradead.org From: Chaitanya Kulkarni [ Upstream commit d1877cc7270302081a315a81a0ee8331f19f95c8 ] nvme_fabrics creates an NVMe/FC controller in following path: nvmf_dev_write() -> nvmf_create_ctrl() -> nvme_fc_create_ctrl() -> nvme_fc_init_ctrl() nvme_fc_init_ctrl() allocates the admin blk-mq resources right after nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing the controller state, scheduling connect work, etc.), we jump to the fail_ctrl path, which tears down the controller references but never frees the admin queue/tag set. The leaked blk-mq allocations match the kmemleak report seen during blktests nvme/fc. Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call nvme_remove_admin_tag_set() when it is set so that all admin queue allocations are reclaimed whenever controller setup aborts. Reported-by: Yi Zhang Reviewed-by: Justin Tee Signed-off-by: Chaitanya Kulkarni Signed-off-by: Keith Busch Signed-off-by: Sasha Levin --- LLM Generated explanations, may be completely bogus: This confirms the bug scenario in v6.6: 1. `nvme_alloc_admin_tag_set()` succeeds → admin tagset is allocated 2. `nvme_change_ctrl_state()` OR `queue_delayed_work()` fails 3. Code goes to `fail_ctrl` label 4. But `fail_ctrl` does NOT free the admin tagset → **MEMORY LEAK** Now let me compile my analysis: ## ANALYSIS SUMMARY ### 1. COMMIT MESSAGE ANALYSIS - **Subject:** "nvme-fc: release admin tagset if init fails" - **Clear bug description:** The commit message clearly describes a memory leak scenario where admin blk-mq resources are not freed when controller initialization fails - **Reported-by tag:** Yi Zhang from Red Hat reported this via kmemleak during blktests nvme/fc - **Reviewed-by:** Justin Tee from Broadcom reviewed this - **Testing evidence:** Discovered during blktests, so reproducible ### 2. CODE CHANGE ANALYSIS The fix is a 2-line addition: ```c if (ctrl->ctrl.admin_tagset) nvme_remove_admin_tag_set(&ctrl->ctrl); ``` **Bug mechanism:** 1. `nvme_fc_init_ctrl()` allocates admin tagset after `nvme_init_ctrl()` succeeds 2. If subsequent operations (state change, work scheduling) fail, code jumps to `fail_ctrl` 3. The `fail_ctrl` path tears down controller references but never frees the admin tagset 4. Result: Memory leak of blk-mq admin queue allocations **Why the fix is correct:** - The conditional check `if (ctrl->ctrl.admin_tagset)` ensures the cleanup only runs if the allocation occurred - `nvme_remove_admin_tag_set()` properly cleans up all admin queue resources - Placement is correct - before `nvme_uninit_ctrl()` which does the reference counting teardown ### 3. CLASSIFICATION - **Type:** Bug fix (memory leak) - **Category:** Resource leak in error path - **Not a feature:** Does not add functionality, only fixes cleanup in error path ### 4. SCOPE AND RISK ASSESSMENT - **Lines changed:** 2 lines added - **Files changed:** 1 file (drivers/nvme/host/fc.c) - **Complexity:** Very low - simple conditional cleanup - **Risk:** Very low - only affects error path, adds proper cleanup that was missing - **Subsystem:** NVMe FC driver, mature subsystem ### 5. USER IMPACT - **Who is affected:** Users of NVMe over Fibre Channel - **Severity:** Memory leak that can exhaust kernel memory over time with repeated connection failures - **Reproducibility:** Reproducible via blktests nvme/fc - **Discovery:** Found via kmemleak, indicating real-world impact ### 6. STABILITY INDICATORS - **Reviewed-by:** Yes (Justin Tee from Broadcom) - **Reported-by:** Yes (Yi Zhang from Red Hat) - **Tested:** Implicitly through blktests discovery - **Signed-off-by:** Keith Busch (NVMe maintainer) ### 7. DEPENDENCY CHECK - **Function dependency:** Requires `nvme_remove_admin_tag_set()` which exists in kernels v6.1+ - **For v5.10/v5.15/v6.0:** Would need adaptation (manual cleanup instead of helper function) - **Structural dependency:** The code structure (admin tagset allocation → fail_ctrl path) needs to exist ### BACKPORTABILITY **For kernels 6.1.y and later (v6.1+):** - The commit applies cleanly - The `nvme_remove_admin_tag_set()` helper exists - Low risk, high value fix **For kernels 5.10.y, 5.15.y, 6.0.y:** - Would require modification - the helper function doesn't exist - The fix would need to manually call the cleanup functions instead - The code structure is different (admin tagset allocation may happen in different location) ### CONCLUSION This is a classic stable kernel material: - ✅ Fixes a real bug (memory leak in error path) - ✅ Small, surgical fix (2 lines) - ✅ Obviously correct (adds missing cleanup) - ✅ Low risk (only affects error path) - ✅ Has been reviewed and tested - ✅ Discovered via automated testing (blktests/kmemleak) The fix is appropriate for backporting to stable kernels that have the required infrastructure (v6.1+). For older kernels (v5.10, v5.15, v6.0), a modified version would need to be crafted. **YES** drivers/nvme/host/fc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c index 8324230c53719..bf78faf1a4ffa 100644 --- a/drivers/nvme/host/fc.c +++ b/drivers/nvme/host/fc.c @@ -3584,6 +3584,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, ctrl->ctrl.opts = NULL; + if (ctrl->ctrl.admin_tagset) + nvme_remove_admin_tag_set(&ctrl->ctrl); /* initiate nvme ctrl ref counting teardown */ nvme_uninit_ctrl(&ctrl->ctrl); -- 2.51.0