public inbox for linux-kernel@vger.kernel.org
* [PATCH] nvme: fix memory allocator in nvme_pr_read_keys()
@ 2026-02-16  0:35 Sungwoo Kim
  2026-02-22 20:42 ` Sungwoo Kim
  2026-02-23 13:41 ` Christoph Hellwig
  0 siblings, 2 replies; 4+ messages in thread
From: Sungwoo Kim @ 2026-02-16  0:35 UTC (permalink / raw)
  To: Keith Busch, Jens Axboe, Christoph Hellwig, Sagi Grimberg,
	linux-nvme, linux-kernel
  Cc: Sungwoo Kim, Chao Shi, Weidong Zhu, Dave Tian

If IOC_PR_READ_KEYS is called with num_keys == PR_KEYS_MAX,
nvme_pr_read_keys() may request more than 4MB of memory via kzalloc().
This always fails, since kzalloc() does not allocate more than 4MB.
As a result, ioctl() fails with ENOMEM, which is incorrect.
To fix this, use kvzalloc() instead of kzalloc().

WARNING: mm/page_alloc.c:5216 at __alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216, CPU#1: syz-executor117/272
Modules linked in:
CPU: 1 UID: 0 PID: 272 Comm: syz-executor117 Not tainted 6.19.0 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:__alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216
Code: ff 83 bd a8 fe ff ff 0a 0f 86 69 fb ff ff 0f b6 1d f9 f9 c4 04 80 fb 01 0f 87 3b 76 30 ff 83 e3 01 75 09 c6 05 e4 f9 c4 04 01 <0f> 0b 48 c7 85 70 fe ff ff 00 00 00 00 e9 8f fd ff ff 31 c0 e9 0d
RSP: 0018:ffffc90000fcf450 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff920001f9ea0
RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000040dc0
RBP: ffffc90000fcf648 R08: ffff88800b6c3380 R09: 0000000000000001
R10: ffffc90000fcf840 R11: ffff88807ffad280 R12: 0000000000000000
R13: 0000000000040dc0 R14: 0000000000000001 R15: ffffc90000fcf620
FS:  0000555565db33c0(0000) GS:ffff8880be26c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000000c CR3: 0000000003b72000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 alloc_pages_mpol+0x236/0x4d0 mm/mempolicy.c:2486
 alloc_frozen_pages_noprof+0x149/0x180 mm/mempolicy.c:2557
 ___kmalloc_large_node+0x10c/0x140 mm/slub.c:5598
 __kmalloc_large_node_noprof+0x25/0xc0 mm/slub.c:5629
 __do_kmalloc_node mm/slub.c:5645 [inline]
 __kmalloc_noprof+0x483/0x6f0 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 nvme_pr_read_keys+0x8f/0x4c0 drivers/nvme/host/pr.c:245
 blkdev_pr_read_keys block/ioctl.c:456 [inline]
 blkdev_common_ioctl+0x1b71/0x29b0 block/ioctl.c:730
 blkdev_ioctl+0x299/0x700 block/ioctl.c:786
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x1bf/0x220 fs/ioctl.c:583
 x64_sys_call+0x1280/0x21b0 mnt/fuzznvme_1/fuzznvme/linux-build/v6.19/./arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x71/0x330 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fb893d3108d
Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff61f2f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffff61f3138 RCX: 00007fb893d3108d
RDX: 0000000020000040 RSI: 00000000c01070ce RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffff61f3138
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffff61f3128 R14: 00007fb893dae530 R15: 0000000000000001
 </TASK>

Fixes: 5fd96a4e15de (nvme: Add pr_ops read_keys support)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
 drivers/nvme/host/pr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c
index ad2ecc2f4..5394b6cb0 100644
--- a/drivers/nvme/host/pr.c
+++ b/drivers/nvme/host/pr.c
@@ -242,7 +242,7 @@ static int nvme_pr_read_keys(struct block_device *bdev,
 	if (rse_len > U32_MAX)
 		return -EINVAL;
 
-	rse = kzalloc(rse_len, GFP_KERNEL);
+	rse = kvzalloc(rse_len, GFP_KERNEL);
 	if (!rse)
 		return -ENOMEM;
 
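Review bot: the hunk changes only the allocation of rse to kvzalloc() and leaves the matching free, which is outside this hunk, untouched; memory obtained from kvzalloc() must be released with kvfree(), because when kvzalloc() falls back to vmalloc() the returned pointer is not valid for kfree(). The free site should be converted in the same patch. Separately, the `if (rse_len > U32_MAX)` check kept in the context above still allows a user-controlled num_keys to drive a multi-megabyte pinned kernel allocation, so it is worth stating in the commit message what bound on num_keys applies and whether it should be tightened.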
-- 
2.47.3



* Re: [PATCH] nvme: fix memory allocator in nvme_pr_read_keys()
  2026-02-16  0:35 [PATCH] nvme: fix memory allocator in nvme_pr_read_keys() Sungwoo Kim
@ 2026-02-22 20:42 ` Sungwoo Kim
  2026-02-23 13:41 ` Christoph Hellwig
  1 sibling, 0 replies; 4+ messages in thread
From: Sungwoo Kim @ 2026-02-22 20:42 UTC (permalink / raw)
  To: Keith Busch, Jens Axboe, Christoph Hellwig, Sagi Grimberg,
	linux-nvme, linux-kernel
  Cc: Chao Shi, Weidong Zhu, Dave Tian

Gentle ping.


* Re: [PATCH] nvme: fix memory allocator in nvme_pr_read_keys()
  2026-02-16  0:35 [PATCH] nvme: fix memory allocator in nvme_pr_read_keys() Sungwoo Kim
  2026-02-22 20:42 ` Sungwoo Kim
@ 2026-02-23 13:41 ` Christoph Hellwig
  2026-02-23 16:00   ` Sungwoo Kim
  1 sibling, 1 reply; 4+ messages in thread
From: Christoph Hellwig @ 2026-02-23 13:41 UTC (permalink / raw)
  To: Sungwoo Kim
  Cc: Keith Busch, Jens Axboe, Christoph Hellwig, Sagi Grimberg,
	linux-nvme, linux-kernel, Chao Shi, Weidong Zhu, Dave Tian,
	Mike Christie

s/allocator/allocation/ in the subject.

> -	rse = kzalloc(rse_len, GFP_KERNEL);
> +	rse = kvzalloc(rse_len, GFP_KERNEL);

You'll also need to free it using kvfree if you use kvzalloc.

We might also want to add some upper bound to the number of keys
to not allow the user to allocate 4GB of pinned kernel memory.



* Re: [PATCH] nvme: fix memory allocator in nvme_pr_read_keys()
  2026-02-23 13:41 ` Christoph Hellwig
@ 2026-02-23 16:00   ` Sungwoo Kim
  0 siblings, 0 replies; 4+ messages in thread
From: Sungwoo Kim @ 2026-02-23 16:00 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: Keith Busch, Jens Axboe, Sagi Grimberg, linux-nvme, linux-kernel,
	Chao Shi, Weidong Zhu, Dave Tian, Mike Christie

On Mon, Feb 23, 2026 at 8:41 AM Christoph Hellwig <hch@lst.de> wrote:
>
> s/allocator/allocation/ in the subject.
>
> > -     rse = kzalloc(rse_len, GFP_KERNEL);
> > +     rse = kvzalloc(rse_len, GFP_KERNEL);
>
> You'll also need to free it using kvfree if you use kvzalloc.

Will do in V2. Thanks for your review.

> We might also want to add some upper bound to the number of keys
> to not allow the user to allocate 4GB of pinned kernel memory.

Could this be a typo for 4MB? Users cannot request 4GB, since it already
has an upper bound, PR_KEYS_MAX (64K). The maximum requested memory
size is 4MB + 64 bytes as follows:

// struct_size(rse, regctl_eds, num_keys)
64K * 64 + 64 = 4M + 64 bytes.

We might still want to know that 4MB is okay. I think it is fine, but
we can shrink it, as the current upper bound is more than sufficient,
according to the relevant conversation:

> How about limiting num_keys to 64K (1u << 16)? In practice, PR keys
> are used for shared storage coordination and typical deployments have
> only a handful of hosts, so this should be more than enough for any
> realistic use case.
https://lore.kernel.org/linux-block/CADhLXY57aFmNB1v4TG2YxhOQL1+_02KkWpB3fEsn8t1GiFqdrg@mail.gmail.com/


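To make the arithmetic in the reply above concrete, here is a constructed user-space C model of the size and bound checks in nvme_pr_read_keys(); it is an added example, not kernel code and not from the patch. The 64-byte header and 64-byte entry sizes are read off the thread's "64K * 64 + 64" computation, PR_KEYS_MAX is the 64K bound the reply names, and the 4MB ceiling is the kzalloc limit the commit message describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from the thread's arithmetic: 64K keys, 64-byte header, 64 bytes
 * per entry, and the 4MB kzalloc ceiling the commit message describes.
 * This is a constructed user-space model, not the kernel's headers. */
#define PR_KEYS_MAX       (1u << 16)
#define RSE_HEADER_BYTES  64u
#define RSE_ENTRY_BYTES   64u
#define KMALLOC_CEILING   (4u * 1024u * 1024u)

/* Models struct_size(rse, regctl_eds, num_keys): header + n * entry,
 * saturating to SIZE_MAX on overflow like the kernel helper. */
static size_t rse_struct_size(size_t num_keys)
{
	if (num_keys > (SIZE_MAX - RSE_HEADER_BYTES) / RSE_ENTRY_BYTES)
		return SIZE_MAX;
	return RSE_HEADER_BYTES + num_keys * RSE_ENTRY_BYTES;
}

enum rk_outcome {
	RK_EINVAL,          /* rejected by a bound check */
	RK_KMALLOC_OK,      /* fits a contiguous kmalloc */
	RK_KMALLOC_ENOMEM,  /* old code: kzalloc() cannot serve it */
	RK_VMALLOC_FALLBACK /* new code: kvzalloc() falls back to vmalloc */
};
/* What the read-keys path does for num_keys under the old and new allocator. */
static enum rk_outcome read_keys_outcome(uint64_t num_keys, bool use_kvzalloc)
{
	if (num_keys > PR_KEYS_MAX)     /* existing bound the thread names */
		return RK_EINVAL;
	size_t len = rse_struct_size(num_keys);
	if (len > UINT32_MAX)           /* the check visible in the hunk */
		return RK_EINVAL;
	if (len <= KMALLOC_CEILING)
		return RK_KMALLOC_OK;
	return use_kvzalloc ? RK_VMALLOC_FALLBACK : RK_KMALLOC_ENOMEM;
}

int main(void)
{
	size_t max_len = rse_struct_size(PR_KEYS_MAX);
	printf("num_keys=%u -> %zu bytes, %zu over the ceiling; old=%d new=%d\n",
	       PR_KEYS_MAX, max_len, max_len - KMALLOC_CEILING,
	       read_keys_outcome(PR_KEYS_MAX, false),
	       read_keys_outcome(PR_KEYS_MAX, true));
	return 0;
}
```

The model shows that 64K entries alone fill the 4MB ceiling exactly and the 64-byte header is what pushes the request over it, so num_keys == PR_KEYS_MAX is the only value that fails under kzalloc().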
