nvme-tcp: kernel NULL pointer dereference, address: 0000000000000034

Daniel Wagner dwagner at suse.de
Tue Mar 21 03:40:09 PDT 2023


On Tue, Mar 21, 2023 at 11:37:05AM +0200, Sagi Grimberg wrote:
> admin_tagset.nr_maps = 1 (only the default map, no read, no poll)

Indeed, that would be too easy.

I've just triggered a crash where we are passing in a non-null bio. Some
more annotation. This time I am printing from blk_rq_is_poll() and
we see that that is also the case where we have a valid bio but
want to use the poll context:


[   53.663613] rq ffff888107190000 mq_hctx ffff888106244000 type 0 bio ffff88810da4ec00
[   53.665190] nvme nvme1: q ffff888119c40000 rq ffff888124da0000 bio ffff88810da4e600
[   53.665230] rq ffff888124da0000 mq_hctx ffff888106241800 type 0 bio ffff88810da4e600
[   53.666293] nvme nvme1: q ffff888119c40000 rq ffff888106c40000 bio ffff88810da4e100
[   53.669844] rq ffff888106c40000 mq_hctx ffff888106247800 type 2 bio ffff88810da4e100
[   53.670682] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
[   53.670689] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[   53.670694] CPU: 6 PID: 6410 Comm: nvme Tainted: G        W          6.3.0-rc1+ #10 5490073fe695e8e1be1b11c57a398a463ed2e52d
[   53.670701] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
[   53.670705] RIP: 0010:blk_poll+0x31/0x350
[   53.677417] Code: 57 41 56 41 55 41 54 53 48 83 ec 18 41 89 cd 49 89 f6 48 89 fd 48 b9 00 00 00 00 00 fc ff df 48 8d 5a 34 48 89 d8 48 c1 e8 03 <8a> 04 08 84 c0 0f 85 ea 02 00 00 44 8b 23 45 31 ff 41 83 fc ff 0f
[   53.677422] RSP: 0018:ffff88810642f710 EFLAGS: 00010207
[   53.677429] RAX: 0000000000000006 RBX: 0000000000000034 RCX: dffffc0000000000
[   53.677433] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888119c40000
[   53.677436] RBP: ffff888119c40000 R08: dffffc0000000000 R09: ffffed103e33e0f2
[   53.677440] R10: ffffed103e33e0f2 R11: 1ffff1103e33e0f1 R12: 1ffff11020d88002
[   53.677443] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810642f7c0
[   53.677447] FS:  00007fd70718a780(0000) GS:ffff8881f1800000(0000) knlGS:0000000000000000
[   53.677451] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   53.677455] CR2: 00007f25a1c176f8 CR3: 00000001048b6003 CR4: 0000000000170ee0
[   53.677462] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   53.677465] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   53.677469] Call Trace:
[   53.677472]  <TASK>
[   53.677476]  ? blk_rq_poll+0x40/0x60
[   53.691431]  blk_execute_rq+0x418/0x640
[   53.691445]  ? blk_rq_is_poll+0x170/0x170
[   53.691454]  ? complete+0x2c/0x1e0
[   53.691469]  __nvme_submit_sync_cmd+0x3eb/0x750 [nvme_core 3b8f33cff2a9cda33de352373714dd43a47c79c4]
[   53.694428]  nvmf_connect_io_queue+0x30d/0x5e0 [nvme_fabrics a56b21f9a9f011a785bd0916f38d0deca6de166d]
[   53.694449]  ? nvmf_log_connect_error+0x470/0x470 [nvme_fabrics a56b21f9a9f011a785bd0916f38d0deca6de166d]
[   53.694466]  ? blk_set_default_limits+0x195/0x4d0
[   53.694474]  ? blk_alloc_queue+0x3a4/0x460
[   53.694483]  nvme_tcp_start_queue+0x30/0x360 [nvme_tcp 8413e4e242b091568613e66c1cbb42a8845a3aa7]
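As an added example (not code from this thread or from the kernel), a small Python script that correlates the two kinds of annotation lines above by request pointer and flags requests dispatched on a poll hctx (type 2) that still carry a bio, the combination the mail singles out; the sample input reuses the trace lines from the mail, and the type names follow enum hctx_type (DEFAULT=0, READ=1, POLL=2):

```python
import re

# Sample input: the annotated lines from the trace above (constructed
# copy for offline use; a real run would read dmesg or the serial log).
SAMPLE_TRACE = """\
[   53.663613] rq ffff888107190000 mq_hctx ffff888106244000 type 0 bio ffff88810da4ec00
[   53.665190] nvme nvme1: q ffff888119c40000 rq ffff888124da0000 bio ffff88810da4e600
[   53.665230] rq ffff888124da0000 mq_hctx ffff888106241800 type 0 bio ffff88810da4e600
[   53.666293] nvme nvme1: q ffff888119c40000 rq ffff888106c40000 bio ffff88810da4e100
[   53.669844] rq ffff888106c40000 mq_hctx ffff888106247800 type 2 bio ffff88810da4e100
"""

# enum hctx_type in include/linux/blk-mq.h: DEFAULT=0, READ=1, POLL=2
HCTX_TYPE = {0: "default", 1: "read", 2: "poll"}

# Block-layer annotation: rq, its hctx, the hctx type and the bio pointer.
RQ_LINE = re.compile(
    r"rq (?P<rq>[0-9a-f]+) mq_hctx (?P<hctx>[0-9a-f]+) type (?P<type>\d+) "
    r"bio (?P<bio>[0-9a-f]+|\(null\))")
# Driver-side annotation: controller name, request queue and rq pointer.
NVME_LINE = re.compile(r"nvme (?P<ctrl>\S+): q (?P<q>[0-9a-f]+) rq (?P<rq>[0-9a-f]+) bio")


def parse_trace(text):
    """Merge both annotation styles into one record per rq pointer."""
    reqs = {}
    for line in text.splitlines():
        m = NVME_LINE.search(line)
        if m:
            rec = reqs.setdefault(m["rq"], {})
            rec["ctrl"], rec["queue"] = m["ctrl"], m["q"]
            continue
        m = RQ_LINE.search(line)
        if m:
            rec = reqs.setdefault(m["rq"], {})
            rec["hctx"] = m["hctx"]
            rec["type"] = HCTX_TYPE.get(int(m["type"]), "unknown(%s)" % m["type"])
            rec["bio"] = None if m["bio"] == "(null)" else m["bio"]
    return reqs


def find_poll_with_bio(reqs):
    """Requests sitting on a poll hctx that also carry a bio, sorted by rq pointer."""
    return sorted(rq for rq, rec in reqs.items()
                  if rec.get("type") == "poll" and rec.get("bio"))


if __name__ == "__main__":
    reqs = parse_trace(SAMPLE_TRACE)
    for rq in find_poll_with_bio(reqs):
        rec = reqs[rq]
        print("rq %s: hctx %s type=%s bio=%s queue=%s"
              % (rq, rec["hctx"], rec["type"], rec["bio"], rec.get("queue")))
```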