nvme-tcp: kernel NULL pointer dereference, address: 0000000000000034

[Sagi Grimberg]

>>> And since we're talking about this, what happens if a command is dispatched to
>>> a polled queue, but has no data transfer? The nvme driver doesn't attach a bio
>>> to the request in that case, so no cookie?
>>
>> IIRC, initially NONE was called once, and the loop in blk_execute_rq looped
>> until the completion was met.
>>
>> I would assume that any other cookie other than NONE would work here,
>> because the driver .poll() would be invoked at least once (maybe set
>> ONESHOT as well).
> 
> As long as the cookie points to the correct hctx, then it would work.

The only commands that can go to a polling hctx today either have a bio 
or they are connect... I don't think that any other sync commands has an
interface to end up on a polling hctx.

So perhaps we should just verify that with:
--
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index d4be525f8100..29b31d8d9d8e 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1051,6 +1051,11 @@ int __nvme_submit_sync_cmd(struct request_queue 
*q, struct nvme_command *cmd,
                 ret = blk_rq_map_kern(q, req, buffer, bufflen, GFP_KERNEL);
                 if (ret)
                         goto out;
+       } else if (req->cmd_flags & REQ_POLLED) {
+               dev_err(nvme_req(req)->ctrl->device,
+                       "cannot issue a polled request with no bio\n");
+               ret = -EINVAL;
+               goto out;
         }

         ret = nvme_execute_rq(req, at_head);
--

Thoughts?