Null pointer dereference in nvme_ctrl_reconnect_delay_show

Tobias Markus tobias at markus-regensburg.de
Mon Aug 24 18:35:15 EDT 2020


Hi all,

I hope this is the right channel for bug reports regarding the NVMe subsystem.

Trying to read sysfs attributes of an NVMe drive resulted in a null pointer dereference on 5.9.0-rc2.

The precise command was:
    udevadm info --attribute-walk --path=/sys/block/nvme0n1

Using strace, I found out that the bug occurs reproducibly when reading
    /sys/block/nvme0n1/device/ctrl_loss_tmo

I could further determine that ctrl->opts is not set in the struct nvme_ctrl in nvme_ctrl_reconnect_delay_show.

I could reproduce this bug with the latest NVMe fixes (commit c41c3ec4) as well.

BUG: kernel NULL pointer dereference, address: 000000000000003c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#2] PREEMPT SMP PTI
CPU: 2 PID: 1138 Comm: udevadm Tainted: G      D         T 5.9.0-rc2-custom #116
Hardware name: LENOVO 20HES01100/20HES01100, BIOS N1QET88W (1.63 ) 04/22/2020
RIP: 0010:nvme_ctrl_reconnect_delay_show+0x16/0x40
Code: f0 80 a2 e8 0a 00 00 fe c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 f8 48 89 d7 49 8b 40 78 48 8b >
RSP: 0018:ffffa77d81bf7e30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff9cf2ca20 RCX: 0000000000000000
RDX: ffff96ceadb84000 RSI: ffffffff9cf2ca20 RDI: ffff96ceadb84000
RBP: 0000000000001000 R08: ffff96ceafc432a8 R09: ffff96ceadb84000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff9c70a170
R13: ffff96ceafc432a8 R14: ffff96ce5c010000 R15: ffff96ceab012ce0
FS:  00007ffb8077c440(0000) GS:ffff96ceb2700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000003c CR3: 00000003f75ce006 CR4: 00000000003706e0
Call Trace:
 dev_attr_show+0x19/0x40
 sysfs_kf_seq_show+0x82/0x100
 seq_read+0xb1/0x460
 vfs_read+0xa5/0x190
 ksys_read+0x70/0xf0
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7ffb8151cec2
Code: c0 e9 b2 fe ff ff 50 48 8d 3d aa 36 0a 00 e8 65 eb 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 >
RSP: 002b:00007ffd82240858 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000001001 RCX: 00007ffb8151cec2
RDX: 0000000000001001 RSI: 0000562a6d612760 RDI: 0000000000000003
RBP: 0000562a6d612760 R08: 0000562a6d612760 R09: 00007ffb815eea60
R10: 0000000000000200 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000001000 R14: 0000000000000000 R15: 00007ffd82240880
Modules linked in:
CR2: 000000000000003c
---[ end trace 2027c17b64314629 ]---
RIP: 0010:nvme_ctrl_reconnect_delay_show+0x16/0x40
Code: f0 80 a2 e8 0a 00 00 fe c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 f8 48 89 d7 49 8b 40 78 48 8b >
RSP: 0018:ffffa77d81ca7e30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff9cf2ca20 RCX: 0000000000000000
RDX: ffff96cea39c2000 RSI: ffffffff9cf2ca20 RDI: ffff96cea39c2000
RBP: 0000000000001000 R08: ffff96ceafc432a8 R09: ffff96cea39c2000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff9c70a170
R13: ffff96ceafc432a8 R14: ffff96ceac5423c0 R15: ffff96ceab25a4e8
FS:  00007ffb8077c440(0000) GS:ffff96ceb2700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000003c CR3: 00000003f75ce006 CR4: 00000000003706e0


Please advise if you need any further information.

Tobias
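A modelled illustration of the failure the report describes and of two defensive shapes for a sysfs show handler, added here as an example; it is not code from the post or from the kernel's nvme driver. The struct layouts, the fixture values, the field names and the function names are assumptions made for this example only.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SHOW_BUF_SIZE 64

/* Simplified stand-ins for the kernel structures named in the report
 * (nvme_ctrl, nvmf_ctrl_options); assumptions for this example, not the
 * kernel definitions. */
struct nvmf_ctrl_options {
    int reconnect_delay;   /* seconds between reconnect attempts */
    int ctrl_loss_tmo;     /* seconds before giving up; negative means never */
};

struct nvme_ctrl {
    const char *name;
    struct nvmf_ctrl_options *opts;  /* set for fabrics controllers; NULL on PCIe */
};

/* Constructed fixtures: a PCIe controller without fabrics options and a
 * fabrics controller with options attached. */
static struct nvmf_ctrl_options example_fabric_opts = { 10, 600 };
static struct nvme_ctrl example_fabrics_ctrl = { "nvme1", &example_fabric_opts };
static struct nvme_ctrl example_pcie_ctrl = { "nvme0", NULL };
static char show_buf[SHOW_BUF_SIZE];

/* Unchecked show handler: the shape of the defect in the report. The field
 * is read through ctrl->opts without testing the pointer, so for a PCIe
 * controller the load hits NULL plus the field offset, a small address of
 * the kind seen in the oops (CR2: 3c). Only safe when opts is non-NULL. */
static int reconnect_delay_show_unchecked(struct nvme_ctrl *ctrl, char *buf)
{
    return snprintf(buf, SHOW_BUF_SIZE, "%d\n", ctrl->opts->reconnect_delay);
}

/* Hardened handler: refuse the read when the attribute does not apply,
 * instead of dereferencing a pointer that is NULL for this controller. */
static int reconnect_delay_show_checked(struct nvme_ctrl *ctrl, char *buf)
{
    if (!ctrl->opts)
        return -EINVAL;
    return snprintf(buf, SHOW_BUF_SIZE, "%d\n", ctrl->opts->reconnect_delay);
}

/* Same guard for ctrl_loss_tmo, the attribute whose read triggered the
 * oops in the report; a negative timeout is rendered as "off" here. */
static int ctrl_loss_tmo_show_checked(struct nvme_ctrl *ctrl, char *buf)
{
    if (!ctrl->opts)
        return -EINVAL;
    if (ctrl->opts->ctrl_loss_tmo < 0)
        return snprintf(buf, SHOW_BUF_SIZE, "off\n");
    return snprintf(buf, SHOW_BUF_SIZE, "%d\n", ctrl->opts->ctrl_loss_tmo);
}

/* Alternative fix at the attribute-group level: decide up front that the
 * fabrics-only attributes are not visible for a controller without opts,
 * the way a sysfs group's is_visible callback would, so tools such as
 * udevadm never see a file whose handler cannot serve them.
 * Returns 1 if the attribute should be created, 0 if it should be hidden. */
static int fabrics_attr_is_visible(struct nvme_ctrl *ctrl, const char *attr_name)
{
    int fabrics_only = strcmp(attr_name, "reconnect_delay") == 0 ||
                       strcmp(attr_name, "ctrl_loss_tmo") == 0;
    if (fabrics_only && !ctrl->opts)
        return 0;
    return 1;
}

int main(void)
{
    /* The unchecked handler is fine for the fabrics controller... */
    reconnect_delay_show_unchecked(&example_fabrics_ctrl, show_buf);
    printf("%s reconnect_delay: %s", example_fabrics_ctrl.name, show_buf);

    /* ...while the checked handler rejects the PCIe controller cleanly. */
    printf("%s reconnect_delay: rc=%d\n", example_pcie_ctrl.name,
           reconnect_delay_show_checked(&example_pcie_ctrl, show_buf));
    printf("%s ctrl_loss_tmo visible: %d\n", example_pcie_ctrl.name,
           fabrics_attr_is_visible(&example_pcie_ctrl, "ctrl_loss_tmo"));
    return 0;
}
```

The two shapes are complementary: the in-handler check protects against any caller path that reaches the show function, while the visibility check keeps the attribute out of sysfs altogether for controllers it does not apply to, which is what a udevadm attribute walk over a PCIe controller would prefer to see.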


