kernel panic due to a nvmet race

Sagi Grimberg sagi at grimberg.me
Tue May 17 05:52:22 PDT 2022


> Hi All,
> 
> We observed a kernel panic which based on our analysis is due to a nvmet race.
> the race is between nvme connect and nvmet tcp port removal.
> The scenario:
> In case that nvmet_port_release is freeing the nvmet port just before nvme connect is trying to 'nvmet_find_get_subsys' (as part of nvmet_alloc_ctrl) nvmet_find_get_subsys is trying to access a port which is already freed:
> 
> nvme/target/core.c:
> static struct nvmet_subsys *nvmet_find_get_subsys(struct nvmet_port *port,
>> ------->-------const char *subsysnqn)
> ...snip
>> -------down_read(&nvmet_config_sem);
>> -------list_for_each_entry(p, &port->subsystems, entry) {
>> ------->-------if (!strncmp(p->subsys->subsysnqn, subsysnqn,
> 
> crash> bt
> PID: 30216  TASK: ffff888c1e163f00  CPU: 0   COMMAND: "nt"
>   #0 [ffffc90020153858] machine_kexec at ffffffff81062fcc
>   #1 [ffffc900201538b0] __crash_kexec at ffffffff811273ef
>   #2 [ffffc90020153978] panic at ffffffff810851f7
>   #3 [ffffc90020153a18] no_context at ffffffff8107104f
>   #4 [ffffc90020153a80] page_fault at ffffffff81801184
>      [exception RIP: nvmet_find_get_subsys+161]
>      RIP: ffffffffa0bbce01  RSP: ffffc90020153b38  RFLAGS: 00010282
>      RAX: ffff888c1e163f01  RBX: 0000000000000000  RCX: 0000000000000020
>      RDX: 0000000000000000  RSI: ffffffffa0bc5895  RDI: ffffffffa0bce040
>      RBP: ffff88aeafc3f520   R8: ffffc90020153ba0   R9: 0000000000000000
>      R10: ffffc90020153bf8  R11: ffff888cb8e97b00  R12: ffff888bb3469a00
>      R13: ffff888bb3469900  R14: ffffc9000c41ba70  R15: ffffc90020153ba0
>      ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
>   #5 [ffffc90020153b58] nvmet_alloc_ctrl at ffffffffa0bbe4c2 [nvmet]
> 
> Can you please review and provide your inputs ?

Indeed it seems that nothing is preventing this from happening..

The main issue is that ->remove_port() currently does not
guarantee teardown of all the resources, it is just triggering
it asynchronously. At least this is the case for tcp/rdma (and
appears that fc as well).




More information about the Linux-nvme mailing list