public inbox for stable@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, "Ewan D. Milne" <emilne@redhat.com>,
	Keith Busch <kbusch@kernel.org>
Subject: [PATCH 6.1 028/107] nvme: check for valid nvme_identify_ns() before using it
Date: Tue,  5 Dec 2023 12:16:03 +0900
Message-ID: <20231205031533.329260009@linuxfoundation.org>
In-Reply-To: <20231205031531.426872356@linuxfoundation.org>

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ewan D. Milne <emilne@redhat.com>

commit d8b90d600aff181936457f032d116dbd8534db06 upstream.

When scanning namespaces, it is possible to get valid data from the first
call to nvme_identify_ns() in nvme_alloc_ns(), but not from the second
call in nvme_update_ns_info_block().  In particular, if the NSID becomes
inactive between the two commands, a storage device may return a buffer
filled with zero as per 4.1.5.1.  In this case, we can get a kernel crash
due to a divide-by-zero in blk_stack_limits() because ns->lba_shift will
be set to zero.

PID: 326      TASK: ffff95fec3cd8000  CPU: 29   COMMAND: "kworker/u98:10"
 #0 [ffffad8f8702f9e0] machine_kexec at ffffffff91c76ec7
 #1 [ffffad8f8702fa38] __crash_kexec at ffffffff91dea4fa
 #2 [ffffad8f8702faf8] crash_kexec at ffffffff91deb788
 #3 [ffffad8f8702fb00] oops_end at ffffffff91c2e4bb
 #4 [ffffad8f8702fb20] do_trap at ffffffff91c2a4ce
 #5 [ffffad8f8702fb70] do_error_trap at ffffffff91c2a595
 #6 [ffffad8f8702fbb0] exc_divide_error at ffffffff928506e6
 #7 [ffffad8f8702fbd0] asm_exc_divide_error at ffffffff92a00926
    [exception RIP: blk_stack_limits+434]
    RIP: ffffffff92191872  RSP: ffffad8f8702fc80  RFLAGS: 00010246
    RAX: 0000000000000000  RBX: ffff95efa0c91800  RCX: 0000000000000001
    RDX: 0000000000000000  RSI: 0000000000000001  RDI: 0000000000000001
    RBP: 00000000ffffffff   R8: ffff95fec7df35a8   R9: 0000000000000000
    R10: 0000000000000000  R11: 0000000000000001  R12: 0000000000000000
    R13: 0000000000000000  R14: 0000000000000000  R15: ffff95fed33c09a8
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #8 [ffffad8f8702fce0] nvme_update_ns_info_block at ffffffffc06d3533 [nvme_core]
 #9 [ffffad8f8702fd18] nvme_scan_ns at ffffffffc06d6fa7 [nvme_core]

This happened when the check for valid data was moved out of nvme_identify_ns()
into one of the callers.  Fix this by checking in both callers.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=218186
Fixes: 0dd6fff2aad4 ("nvme: bring back auto-removal of deleted namespaces during sequential scan")
Cc: stable@vger.kernel.org
Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/host/core.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2058,6 +2058,13 @@ static int nvme_update_ns_info_block(str
 	if (ret)
 		return ret;
 
+	if (id->ncap == 0) {
+		/* namespace not allocated or attached */
+		info->is_removed = true;
+		ret = -ENODEV;
+		goto error;
+	}
+
 	blk_mq_freeze_queue(ns->disk->queue);
 	lbaf = nvme_lbaf_index(id->flbas);
 	ns->lba_shift = id->lbaf[lbaf].ds;
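Review bot: the new guard at the top of this hunk tests only id->ncap, while the value the commit message ties to the divide-by-zero is ns->lba_shift, which is assigned a few lines later from id->lbaf[lbaf].ds. That covers the all-zero Identify buffer described in the message, but a response with a nonzero ncap and a zero ds would still pass the check; consider validating ds before it is stored, or say in the comment that ncap == 0 is the only invalid response this path expects. The goto is taken before blk_mq_freeze_queue(), which is the right order, and a short comment saying the check must stay above the freeze would keep a later reorder from jumping to the label with the queue still frozen.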
@@ -2107,6 +2114,8 @@ out:
 		set_bit(NVME_NS_READY, &ns->flags);
 		ret = 0;
 	}
+
+error:
 	kfree(id);
 	return ret;
 }
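Review bot: the label name error: is misleading where it sits, because the normal path through out: also falls through it to reach kfree(id). A name that describes the action, for example free_id:, would make it clear this is the shared cleanup and not an error-only exit. A one-line comment that the ncap == 0 path deliberately skips the out: block, since ret is already -ENODEV and only the buffer needs freeing, would also help the next reader.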
