[PATCH blktests v1 0/2] extend nvme/045 to reconnect with invalid key
Shinichiro Kawasaki
shinichiro.kawasaki at wdc.com
Tue Mar 5 01:44:45 PST 2024
On Mar 04, 2024 / 17:13, Daniel Wagner wrote:
> This is the test case for
>
> https://lore.kernel.org/linux-nvme/20240304161006.19328-1-dwagner@suse.de/
>
>
> Daniel Wagner (2):
>   nvme/rc: add reconnect-delay argument only for fabrics transports
>   nvme/048: add reconnect after ctrl key change

I applied the kernel patches in the link above to v6.8-rc7, then ran nvme/045
with the blktests patches in the series. And I observed failure of the test
case with various transports [1]. Is this failure expected?

Also, I observed a KASAN double-free [2]. Do you observe it in your environment?
I created a quick fix [3], and it looks like it resolves the double-free.

[1]
sudo ./check nvme/045
nvme/045 (Test re-authentication) [failed]
runtime 8.069s ... 7.639s
--- tests/nvme/045.out 2024-03-05 18:09:07.267668493 +0900
+++ /home/shin/Blktests/blktests/results/nodev/nvme/045.out.bad 2024-03-05 18:10:07.735494384 +0900
@@ -9,5 +9,6 @@
Change hash to hmac(sha512)
Re-authenticate with changed hash
Renew host key on the controller and force reconnect
-disconnected 0 controller(s)
+controller "nvme1" not deleted within 5 seconds
+disconnected 1 controller(s)
Test complete
[2]
[ 938.253184] ==================================================================
[ 938.254995] BUG: KASAN: double-free in nuse_show+0x307/0x3c0 [nvme_core]
[ 938.256400] Free of addr ffff88812d318000 by task nvme/1564
[ 938.258777] CPU: 2 PID: 1564 Comm: nvme Not tainted 6.8.0-rc7+ #155
[ 938.260188] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
[ 938.261695] Call Trace:
[ 938.262780] <TASK>
[ 938.263950] dump_stack_lvl+0x57/0x90
[ 938.265157] print_report+0xcf/0x670
[ 938.266372] ? __virt_addr_valid+0x211/0x400
[ 938.267554] ? nuse_show+0x307/0x3c0 [nvme_core]
[ 938.268790] kasan_report_invalid_free+0x72/0xa0
[ 938.270025] ? nuse_show+0x307/0x3c0 [nvme_core]
[ 938.271242] ? nuse_show+0x307/0x3c0 [nvme_core]
[ 938.272447] poison_slab_object+0x141/0x170
[ 938.273574] ? nuse_show+0x307/0x3c0 [nvme_core]
[ 938.274826] __kasan_slab_free+0x2e/0x50
[ 938.276029] kfree+0x116/0x350
[ 938.277133] nuse_show+0x307/0x3c0 [nvme_core]
[ 938.278326] ? __pfx_lock_acquire+0x10/0x10
[ 938.279433] ? __pfx_nuse_show+0x10/0x10 [nvme_core]
[ 938.280669] dev_attr_show+0x42/0xc0
[ 938.281668] ? sysfs_file_ops+0x11b/0x170
[ 938.282733] sysfs_kf_seq_show+0x1f0/0x3b0
[ 938.283818] seq_read_iter+0x40c/0x11c0
[ 938.284888] ? rw_verify_area+0x179/0x470
[ 938.286016] vfs_read+0x606/0xc70
[ 938.287106] ? __pfx_vfs_read+0x10/0x10
[ 938.288153] ? kasan_quarantine_put+0xd6/0x1e0
[ 938.289234] ? lockdep_hardirqs_on+0x7d/0x100
[ 938.290313] ? __fget_light+0x53/0x1e0
[ 938.291267] ksys_read+0xf7/0x1d0
[ 938.292233] ? __pfx_ksys_read+0x10/0x10
[ 938.293301] ? kasan_quarantine_put+0xd6/0x1e0
[ 938.294300] do_syscall_64+0x9a/0x190
[ 938.295253] ? __x64_sys_openat+0x11f/0x1d0
[ 938.296292] ? lockdep_hardirqs_on+0x7d/0x100
[ 938.297277] ? __pfx___x64_sys_openat+0x10/0x10
[ 938.298328] ? ksys_read+0xf7/0x1d0
[ 938.299245] ? lockdep_hardirqs_on_prepare+0x17b/0x410
[ 938.300301] ? do_syscall_64+0xa7/0x190
[ 938.301191] ? lockdep_hardirqs_on+0x7d/0x100
[ 938.302148] ? do_syscall_64+0xa7/0x190
[ 938.303107] ? do_syscall_64+0xa7/0x190
[ 938.304009] ? do_syscall_64+0xa7/0x190
[ 938.304936] ? lockdep_hardirqs_on_prepare+0x17b/0x410
[ 938.306017] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 938.307103] RIP: 0033:0x7f57658da121
[ 938.308065] Code: 00 48 8b 15 11 fd 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 40 ce 01 00 f3 0f 1e fa 80 3d 45 82 0d 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
[ 938.310749] RSP: 002b:00007ffe0fd8ef98 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 938.312023] RAX: ffffffffffffffda RBX: 00007ffe0fd908a8 RCX: 00007f57658da121
[ 938.313215] RDX: 0000000000000fff RSI: 00007ffe0fd8efb0 RDI: 0000000000000003
[ 938.314464] RBP: 00007ffe0fd90820 R08: 0000000000000073 R09: 0000000000000001
[ 938.315668] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[ 938.316871] R13: 0000000000000000 R14: 00007f5765a4b000 R15: 000000000053bdc0
[ 938.318077] </TASK>
[ 938.319688] Allocated by task 1564:
[ 938.320623] kasan_save_stack+0x2f/0x50
[ 938.321579] kasan_save_track+0x10/0x30
[ 938.322532] __kasan_kmalloc+0xa6/0xb0
[ 938.323477] nvme_identify_ns+0xae/0x230 [nvme_core]
[ 938.324529] nuse_show+0x27a/0x3c0 [nvme_core]
[ 938.325546] dev_attr_show+0x42/0xc0
[ 938.326485] sysfs_kf_seq_show+0x1f0/0x3b0
[ 938.327429] seq_read_iter+0x40c/0x11c0
[ 938.328483] vfs_read+0x606/0xc70
[ 938.329401] ksys_read+0xf7/0x1d0
[ 938.330441] do_syscall_64+0x9a/0x190
[ 938.331348] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 938.333140] Freed by task 1564:
[ 938.334143] kasan_save_stack+0x2f/0x50
[ 938.335067] kasan_save_track+0x10/0x30
[ 938.336078] kasan_save_free_info+0x37/0x60
[ 938.337101] poison_slab_object+0x102/0x170
[ 938.338124] __kasan_slab_free+0x2e/0x50
[ 938.339082] kfree+0x116/0x350
[ 938.339965] nvme_identify_ns+0x1c5/0x230 [nvme_core]
[ 938.341006] nuse_show+0x27a/0x3c0 [nvme_core]
[ 938.342003] dev_attr_show+0x42/0xc0
[ 938.342931] sysfs_kf_seq_show+0x1f0/0x3b0
[ 938.343882] seq_read_iter+0x40c/0x11c0
[ 938.344804] vfs_read+0x606/0xc70
[ 938.345708] ksys_read+0xf7/0x1d0
[ 938.346611] do_syscall_64+0x9a/0x190
[ 938.347538] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 938.349308] The buggy address belongs to the object at ffff88812d318000
which belongs to the cache kmalloc-4k of size 4096
[ 938.350299] nvmet: creating nvm controller 1 for subsystem blktests-subsystem-1 for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349 with DH-HMAC-CHAP.
[ 938.350311] The buggy address is located 0 bytes inside of
4096-byte region [ffff88812d318000, ffff88812d319000)
[ 938.350314] The buggy address belongs to the physical page:
[ 938.358511] page:00000000389f3330 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d318
[ 938.360009] head:00000000389f3330 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 938.361388] flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 938.362644] page_type: 0xffffffff()
[ 938.363627] raw: 0017ffffc0000840 ffff888100043040 dead000000000122 0000000000000000
[ 938.364958] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 938.366278] page dumped because: kasan: bad access detected
[ 938.368303] Memory state around the buggy address:
[ 938.369384] ffff88812d317f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 938.370661] ffff88812d317f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 938.371983] >ffff88812d318000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 938.373295] ^
[ 938.374311] ffff88812d318080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 938.375618] ffff88812d318100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 938.376954] ==================================================================
[ 938.378356] Disabling lock debugging due to kernel taint
[3]
diff --git a/drivers/nvme/host/sysfs.c b/drivers/nvme/host/sysfs.c
index f2832f70e7e0..4e161d3cd840 100644
--- a/drivers/nvme/host/sysfs.c
+++ b/drivers/nvme/host/sysfs.c
@@ -221,14 +221,10 @@ static int ns_update_nuse(struct nvme_ns *ns)
ret = nvme_identify_ns(ns->ctrl, ns->head->ns_id, &id);
if (ret)
- goto out_free_id;
+ return ret;
ns->head->nuse = le64_to_cpu(id->nuse);
-
-out_free_id:
- kfree(id);
-
- return ret;
+ return 0;
}
static ssize_t nuse_show(struct device *dev, struct device_attribute *attr,
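
Review bot: After `ns->head->nuse = le64_to_cpu(id->nuse);` the success path now ends in `return 0;` without freeing `id`, because the hunk removes `kfree(id);` together with the `out_free_id:` label. The "Freed by" stack in [2] shows kfree being called from inside nvme_identify_ns, so changing the error branch to `return ret;` is the part that removes the second free. On success, though, the kmalloc-4k buffer that nvme_identify_ns allocated still appears to belong to this function, and with the kfree gone each successful read of the nuse attribute would leak 4096 bytes. Suggest keeping `kfree(id);` immediately before `return 0;` and dropping only the `goto out_free_id;` and the label.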