nvme-tcp: kernel NULL pointer dereference, address: 0000000000000034
Daniel Wagner
dwagner at suse.de
Tue Mar 21 03:40:09 PDT 2023
On Tue, Mar 21, 2023 at 11:37:05AM +0200, Sagi Grimberg wrote:
> admin_tagset.nr_maps = 1 (only the default map, no read, no poll)
Indeed, that would be too easy.
I've just triggered a crash where we are passing in a non-null bio. Some
more annotation. This time I am printing from blk_rq_is_poll() and
we see that that is also the case where we have a valid bio but
want to use the poll context:
[ 53.663613] rq ffff888107190000 mq_hctx ffff888106244000 type 0 bio ffff88810da4ec00
[ 53.665190] nvme nvme1: q ffff888119c40000 rq ffff888124da0000 bio ffff88810da4e600
[ 53.665230] rq ffff888124da0000 mq_hctx ffff888106241800 type 0 bio ffff88810da4e600
[ 53.666293] nvme nvme1: q ffff888119c40000 rq ffff888106c40000 bio ffff88810da4e100
[ 53.669844] rq ffff888106c40000 mq_hctx ffff888106247800 type 2 bio ffff88810da4e100
[ 53.670682] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 53.670689] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 53.670694] CPU: 6 PID: 6410 Comm: nvme Tainted: G W 6.3.0-rc1+ #10 5490073fe695e8e1be1b11c57a398a463ed2e52d
[ 53.670701] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
[ 53.670705] RIP: 0010:blk_poll+0x31/0x350
[ 53.677417] Code: 57 41 56 41 55 41 54 53 48 83 ec 18 41 89 cd 49 89 f6 48 89 fd 48 b9 00 00 00 00 00 fc ff df 48 8d 5a 34 48 89 d8 48 c1 e8 03 <8a> 04 08 84 c0 0f 85 ea 02 00 00 44 8b 23 45 31 ff 41 83 fc ff 0f
[ 53.677422] RSP: 0018:ffff88810642f710 EFLAGS: 00010207
[ 53.677429] RAX: 0000000000000006 RBX: 0000000000000034 RCX: dffffc0000000000
[ 53.677433] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888119c40000
[ 53.677436] RBP: ffff888119c40000 R08: dffffc0000000000 R09: ffffed103e33e0f2
[ 53.677440] R10: ffffed103e33e0f2 R11: 1ffff1103e33e0f1 R12: 1ffff11020d88002
[ 53.677443] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810642f7c0
[ 53.677447] FS: 00007fd70718a780(0000) GS:ffff8881f1800000(0000) knlGS:0000000000000000
[ 53.677451] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.677455] CR2: 00007f25a1c176f8 CR3: 00000001048b6003 CR4: 0000000000170ee0
[ 53.677462] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 53.677465] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 53.677469] Call Trace:
[ 53.677472] <TASK>
[ 53.677476] ? blk_rq_poll+0x40/0x60
[ 53.691431] blk_execute_rq+0x418/0x640
[ 53.691445] ? blk_rq_is_poll+0x170/0x170
[ 53.691454] ? complete+0x2c/0x1e0
[ 53.691469] __nvme_submit_sync_cmd+0x3eb/0x750 [nvme_core 3b8f33cff2a9cda33de352373714dd43a47c79c4]
[ 53.694428] nvmf_connect_io_queue+0x30d/0x5e0 [nvme_fabrics a56b21f9a9f011a785bd0916f38d0deca6de166d]
[ 53.694449] ? nvmf_log_connect_error+0x470/0x470 [nvme_fabrics a56b21f9a9f011a785bd0916f38d0deca6de166d]
[ 53.694466] ? blk_set_default_limits+0x195/0x4d0
[ 53.694474] ? blk_alloc_queue+0x3a4/0x460
[ 53.694483] nvme_tcp_start_queue+0x30/0x360 [nvme_tcp 8413e4e242b091568613e66c1cbb42a8845a3aa7]