[PATCH v2] nvme: don't WARN on I/O to a namespace revalidated to unusable metadata

[Chao Shi <coshi036@gmail.com>]

nvme_setup_rw() fires WARN_ON_ONCE(!nvme_ns_has_pi(ns->head)) for a
namespace with head->ms != 0 but no PI and no REQ_INTEGRITY.  This
occurs when Identify Namespace reports flbas META_EXT, lbaf[].ms != 0
and dps == 0: on PCIe nvme_configure_metadata() sets EXT_LBAS without
METADATA_SUPPORTED, nvme_init_integrity() registers no profile, and
capacity is forced to 0.  It is the host-unaware geometry change Keith
described -- an out-of-band format on a shared namespace, or a
non-compliant device seen on rescan -- not the host's own Format NVM,
which freezes first.

The freeze in nvme_update_ns_info_block() is not defeated; the WARN
just does not depend on q->limits.  It depends on ns->head->ms (read
live at dispatch, set inside the freeze window) and on REQ_INTEGRITY,
never set for this geometry.  capacity == 0 only gates submission
(bio_check_eod()), not dispatch: a writeback bio that passed
bio_check_eod() under the old capacity sits on the task plug holding
no q_usage_counter reference and is flushed by blk_finish_plug() after
the update committed head->ms != 0 (dmesg confirms: the capacity-change
line prints before the WARN).

The I/O is already rejected correctly (BLK_STS_NOTSUPP, capacity 0).
The assertion fires on a device-reachable, already-handled condition
-- a panic under panic_on_warn -- and its premise does not hold:
metadata without PI or a registrable profile is a legitimate, unusable
state.  Add that explicit case and emit one dev_warn_once() instead.
Fully fencing already-submitted bios over a revalidation is larger,
TP-level work and is out of scope here.

Tested: built on linux-kcov-debug (6.19.0+, KASAN); boot-tested under
FEMU, 4x dd + 500 rescans, no splat; reject path verified by code
inspection.

Found by FuzzNvme (Syzkaller with FEMU fuzzing framework).

Link: https://lore.kernel.org/linux-nvme/20260427003457.1264511-1-coshi036@gmail.com/
Acked-by: Sungwoo Kim <iam@sung-woo.kim>
Acked-by: Dave Tian <daveti@purdue.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Signed-off-by: Chao Shi <coshi036@gmail.com>
---
v2: drop 2/2 (faking an integrity profile); supersede 1/2 with an
    explicit unusable-metadata case + one dev_warn_once() instead of
    downgrading the WARN; rewrite the log with the requested mechanism.
RFC v1: https://lore.kernel.org/linux-nvme/20260427003457.1264511-1-coshi036@gmail.com/

 drivers/nvme/host/core.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index d1711ef59fb8..32ccb56c4aaf 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1039,8 +1039,23 @@ static inline blk_status_t nvme_setup_rw(struct nvme_ns *ns,
 		 * namespace capacity to zero to prevent any I/O.
 		 */
 		if (!blk_integrity_rq(req)) {
-			if (WARN_ON_ONCE(!nvme_ns_has_pi(ns->head)))
+			/*
+			 * A namespace with metadata but neither PI nor a block
+			 * layer integrity profile is unusable: nvme_init_integrity()
+			 * registers no profile, blk_get_integrity() is NULL, no bio
+			 * ever gets REQ_INTEGRITY, and the capacity is forced to 0.
+			 * A bio that passed bio_check_eod() under the old capacity
+			 * and was batched on a plug before the namespace revalidated
+			 * can still be dispatched here afterwards.  Reject it; this
+			 * is the expected terminal handling of I/O to a namespace
+			 * that revalidated to an unusable geometry, not a bug.
+			 */
+			if (!nvme_ns_has_pi(ns->head)) {
+				dev_warn_once(ns->ctrl->device,
+					"%s: I/O to namespace with metadata but no usable integrity profile (ms=%u), rejecting\n",
+					ns->disk->disk_name, ns->head->ms);
 				return BLK_STS_NOTSUPP;
+			}
 			control |= NVME_RW_PRINFO_PRACT;
 			nvme_set_ref_tag(ns, cmnd, req);
 		}
-- 
2.43.0