[PATCH] nvme-core: remove head->effects to fix use-after-free

kernel test robot lkp at intel.com
Sun Nov 19 11:29:54 PST 2023


Hi Yuanyuan,

kernel test robot noticed the following build errors:

[auto build test ERROR on hch-configfs/for-next]
[also build test ERROR on linus/master v6.7-rc1 next-20231117]
[If your patch is applied to the wrong git tree, kindly drop us a note.
When submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Yuanyuan-Zhong/nvme-core-remove-head-effects-to-fix-use-after-free/20231116-025616
base:   git://git.infradead.org/users/hch/configfs.git for-next
patch link:    https://lore.kernel.org/r/20231115185439.2616073-1-yzhong%40purestorage.com
patch subject: [PATCH] nvme-core: remove head->effects to fix use-after-free
config: powerpc-randconfig-r133-20231119 (https://download.01.org/0day-ci/archive/20231120/202311200305.oyZkQTJh-lkp@intel.com/config)
compiler: clang version 17.0.0 (https://github.com/llvm/llvm-project.git 4a5ac14ee968ff0ad5d2cc1ffa0299048db4c88a)
reproduce: (https://download.01.org/0day-ci/archive/20231120/202311200305.oyZkQTJh-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp at intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202311200305.oyZkQTJh-lkp@intel.com/

All errors (new ones prefixed by >>):

>> drivers/nvme/host/zns.c:50:43: error: no member named 'effects' in 'struct nvme_ns_head'
      50 |         struct nvme_effects_log *log = ns->head->effects;
         |                                        ~~~~~~~~  ^
   1 error generated.


vim +50 drivers/nvme/host/zns.c

240e6ee272c07a Keith Busch       2020-06-29   47  
d525c3c0232216 Christoph Hellwig 2020-08-20   48  int nvme_update_zone_info(struct nvme_ns *ns, unsigned lbaf)
240e6ee272c07a Keith Busch       2020-06-29   49  {
240e6ee272c07a Keith Busch       2020-06-29  @50  	struct nvme_effects_log *log = ns->head->effects;
d525c3c0232216 Christoph Hellwig 2020-08-20   51  	struct request_queue *q = ns->queue;
240e6ee272c07a Keith Busch       2020-06-29   52  	struct nvme_command c = { };
240e6ee272c07a Keith Busch       2020-06-29   53  	struct nvme_id_ns_zns *id;
240e6ee272c07a Keith Busch       2020-06-29   54  	int status;
240e6ee272c07a Keith Busch       2020-06-29   55  
240e6ee272c07a Keith Busch       2020-06-29   56  	/* Driver requires zone append support */
2f4c9ba23b887e Javier González   2020-12-01   57  	if ((le32_to_cpu(log->iocs[nvme_cmd_zone_append]) &
240e6ee272c07a Keith Busch       2020-06-29   58  			NVME_CMD_EFFECTS_CSUPP)) {
2f4c9ba23b887e Javier González   2020-12-01   59  		if (test_and_clear_bit(NVME_NS_FORCE_RO, &ns->flags))
240e6ee272c07a Keith Busch       2020-06-29   60  			dev_warn(ns->ctrl->device,
2f4c9ba23b887e Javier González   2020-12-01   61  				 "Zone Append supported for zoned namespace:%d. Remove read-only mode\n",
2f4c9ba23b887e Javier González   2020-12-01   62  				 ns->head->ns_id);
2f4c9ba23b887e Javier González   2020-12-01   63  	} else {
2f4c9ba23b887e Javier González   2020-12-01   64  		set_bit(NVME_NS_FORCE_RO, &ns->flags);
2f4c9ba23b887e Javier González   2020-12-01   65  		dev_warn(ns->ctrl->device,
2f4c9ba23b887e Javier González   2020-12-01   66  			 "Zone Append not supported for zoned namespace:%d. Forcing to read-only mode\n",
240e6ee272c07a Keith Busch       2020-06-29   67  			 ns->head->ns_id);
240e6ee272c07a Keith Busch       2020-06-29   68  	}
240e6ee272c07a Keith Busch       2020-06-29   69  
240e6ee272c07a Keith Busch       2020-06-29   70  	/* Lazily query controller append limit for the first zoned namespace */
240e6ee272c07a Keith Busch       2020-06-29   71  	if (!ns->ctrl->max_zone_append) {
240e6ee272c07a Keith Busch       2020-06-29   72  		status = nvme_set_max_append(ns->ctrl);
240e6ee272c07a Keith Busch       2020-06-29   73  		if (status)
240e6ee272c07a Keith Busch       2020-06-29   74  			return status;
240e6ee272c07a Keith Busch       2020-06-29   75  	}
240e6ee272c07a Keith Busch       2020-06-29   76  
240e6ee272c07a Keith Busch       2020-06-29   77  	id = kzalloc(sizeof(*id), GFP_KERNEL);
240e6ee272c07a Keith Busch       2020-06-29   78  	if (!id)
240e6ee272c07a Keith Busch       2020-06-29   79  		return -ENOMEM;
240e6ee272c07a Keith Busch       2020-06-29   80  
240e6ee272c07a Keith Busch       2020-06-29   81  	c.identify.opcode = nvme_admin_identify;
240e6ee272c07a Keith Busch       2020-06-29   82  	c.identify.nsid = cpu_to_le32(ns->head->ns_id);
240e6ee272c07a Keith Busch       2020-06-29   83  	c.identify.cns = NVME_ID_CNS_CS_NS;
240e6ee272c07a Keith Busch       2020-06-29   84  	c.identify.csi = NVME_CSI_ZNS;
240e6ee272c07a Keith Busch       2020-06-29   85  
240e6ee272c07a Keith Busch       2020-06-29   86  	status = nvme_submit_sync_cmd(ns->ctrl->admin_q, &c, id, sizeof(*id));
240e6ee272c07a Keith Busch       2020-06-29   87  	if (status)
240e6ee272c07a Keith Busch       2020-06-29   88  		goto free_data;
240e6ee272c07a Keith Busch       2020-06-29   89  
240e6ee272c07a Keith Busch       2020-06-29   90  	/*
240e6ee272c07a Keith Busch       2020-06-29   91  	 * We currently do not handle devices requiring any of the zoned
240e6ee272c07a Keith Busch       2020-06-29   92  	 * operation characteristics.
240e6ee272c07a Keith Busch       2020-06-29   93  	 */
240e6ee272c07a Keith Busch       2020-06-29   94  	if (id->zoc) {
240e6ee272c07a Keith Busch       2020-06-29   95  		dev_warn(ns->ctrl->device,
240e6ee272c07a Keith Busch       2020-06-29   96  			"zone operations:%x not supported for namespace:%u\n",
240e6ee272c07a Keith Busch       2020-06-29   97  			le16_to_cpu(id->zoc), ns->head->ns_id);
a9e0e6bc728ebc Christoph Hellwig 2021-04-07   98  		status = -ENODEV;
240e6ee272c07a Keith Busch       2020-06-29   99  		goto free_data;
240e6ee272c07a Keith Busch       2020-06-29  100  	}
240e6ee272c07a Keith Busch       2020-06-29  101  
240e6ee272c07a Keith Busch       2020-06-29  102  	ns->zsze = nvme_lba_to_sect(ns, le64_to_cpu(id->lbafe[lbaf].zsze));
240e6ee272c07a Keith Busch       2020-06-29  103  	if (!is_power_of_2(ns->zsze)) {
240e6ee272c07a Keith Busch       2020-06-29  104  		dev_warn(ns->ctrl->device,
240e6ee272c07a Keith Busch       2020-06-29  105  			"invalid zone size:%llu for namespace:%u\n",
240e6ee272c07a Keith Busch       2020-06-29  106  			ns->zsze, ns->head->ns_id);
a9e0e6bc728ebc Christoph Hellwig 2021-04-07  107  		status = -ENODEV;
240e6ee272c07a Keith Busch       2020-06-29  108  		goto free_data;
240e6ee272c07a Keith Busch       2020-06-29  109  	}
240e6ee272c07a Keith Busch       2020-06-29  110  
6b2bd274744e64 Christoph Hellwig 2022-07-06  111  	disk_set_zoned(ns->disk, BLK_ZONED_HM);
240e6ee272c07a Keith Busch       2020-06-29  112  	blk_queue_flag_set(QUEUE_FLAG_ZONE_RESETALL, q);
982977df48179c Christoph Hellwig 2022-07-06  113  	disk_set_max_open_zones(ns->disk, le32_to_cpu(id->mor) + 1);
982977df48179c Christoph Hellwig 2022-07-06  114  	disk_set_max_active_zones(ns->disk, le32_to_cpu(id->mar) + 1);
240e6ee272c07a Keith Busch       2020-06-29  115  free_data:
240e6ee272c07a Keith Busch       2020-06-29  116  	kfree(id);
240e6ee272c07a Keith Busch       2020-06-29  117  	return status;
240e6ee272c07a Keith Busch       2020-06-29  118  }
240e6ee272c07a Keith Busch       2020-06-29  119  
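Review bot: Whatever replaces the `ns->head->effects` initializer at zns.c line 50 has to be an effects-log pointer that stays valid for the whole of nvme_update_zone_info, otherwise the use-after-free named in the patch subject is only moved into this function. The function dereferences `log` at line 57 (`log->iocs[nvme_cmd_zone_append]`) with no NULL check, so the replacement must also be guaranteed non-NULL, or a guard has to be added before that read. I would document the requirement next to the declaration, for example `/* log must be non-NULL and outlive this call; it is dereferenced below */`. The posted patch is not visible in this report, so which object owns the log after the change is an assumption to confirm. The author's build presumably passed because zns.c was not compiled in their configuration.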

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


