[PATCH 0/2] nvmet-tcp: fix receive path error handling and state machine

Maurizio Lombardi mlombard at arkamax.eu
Fri Mar 13 05:16:29 PDT 2026


On Fri Mar 13, 2026 at 12:17 PM CET, Maurizio Lombardi wrote:
> On Fri Mar 13, 2026 at 6:58 AM CET, yunje shin wrote:
>
> I guess that the msg_data_left(&cmd->recv_msg) check in
> nvmet_tcp_try_recv_data() prevents the dereference of the uninitialized
> iterator, so this is why it doesn't crash.

Ah!! I got it!

The trick is to enable the data digests:

[ 4486.731644] nvmet_tcp: queue 2: cmd 12292 pdu (6) data digest error: recv 0x1ee9aab3 expected 0x4d76611a
[ 4486.791455] ------------[ cut here ]------------
[ 4486.791464] percpu ref (nvmet_sq_free [nvmet]) <= 0 (0) after switching to atomic
[ 4486.791491] WARNING: lib/percpu-refcount.c:197 at percpu_ref_switch_to_atomic_rcu+0x200/0x210, CPU#3: swapper/3/0
[ 4486.793089] Modules linked in: nvmet_tcp nvmet nvme_keyring nvme_auth hkdf rfkill vfat fat fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs virtio_net ghash_ce net_failover virtio_blk failover virtio_console dm_mirror dm_region_hash dm_log dm_mod i2c_dev
[ 4486.798659] CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 7.0.0-rc3+ #1 PREEMPT(full)
[ 4486.799172] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[ 4486.799579] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4486.800009] pc : percpu_ref_switch_to_atomic_rcu+0x200/0x210
[ 4486.800345] lr : percpu_ref_switch_to_atomic_rcu+0x200/0x210
[ 4486.800691] sp : ffff80008001bdf0
[ 4486.800888] x29: ffff80008001bdf0 x28: ffff0000cecc8ba0 x27: ffff00112c16a2c0
[ 4486.801320] x26: ffffb00ad9f97990 x25: ffffb00adc031c80 x24: ffff0000cecc8b80
[ 4486.801797] x23: ffff0000cecc8ba0 x22: ffffb00adc036e60 x21: ffffb00adb06b208
[ 4486.802271] x20: 0000adf96ef8a620 x19: 7fffffffffffffff x18: 00000000ffffffff
[ 4486.802746] x17: ffff5006507c9000 x16: ffffb00ad9958998 x15: ffffb00adc71b709
[ 4486.803219] x14: ffffffffffffffff x13: 0000000000000008 x12: 0101010101010101
[ 4486.803695] x11: 7f7f7f7f7f7f7f7f x10: fefefefefefeff32 x9 : ffffb00ad997f5c8
[ 4486.804167] x8 : ffffb00adc0865d4 x7 : 0000000000000000 x6 : 000000000000000f
[ 4486.804641] x5 : ffff00112c154588 x4 : 00000000ffff82e9 x3 : ffff5006507c9000
[ 4486.805114] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c0a78000
[ 4486.805584] Call trace:
[ 4486.805748]  percpu_ref_switch_to_atomic_rcu+0x200/0x210 (P)
[ 4486.806125]  rcu_do_batch+0x188/0x7b8
[ 4486.806372]  rcu_core+0x138/0x2f0
[ 4486.806595]  rcu_core_si+0x18/0x30
[ 4486.806821]  handle_softirqs+0x114/0x490
[ 4486.807083]  __do_softirq+0x1c/0x28
[ 4486.807320]  ____do_softirq+0x18/0x30
[ 4486.807566]  call_on_irq_stack+0x30/0x48
[ 4486.807827]  do_softirq_own_stack+0x24/0x50
[ 4486.808105]  __irq_exit_rcu+0x130/0x168
[ 4486.808360]  irq_exit_rcu+0x18/0x30
[ 4486.808592]  el1_interrupt+0x50/0xb8
[ 4486.808834]  el1h_64_irq_handler+0x18/0x28
[ 4486.809113]  el1h_64_irq+0x80/0x88
[ 4486.809340]  default_idle_call+0x38/0x340 (P)
[ 4486.809629]  cpuidle_idle_call+0x184/0x200
[ 4486.809904]  do_idle+0xa4/0x120
[ 4486.810114]  cpu_startup_entry+0x40/0x50
[ 4486.810377]  secondary_start_kernel+0x12c/0x170
[ 4486.810681]  __secondary_switched+0xc0/0xc8
[ 4486.810958] ---[ end trace 0000000000000000 ]---
[ 4486.811288] percpu_ref_switch_to_atomic_rcu: percpu_ref_switch_to_atomic_rcu(): percpu_ref underflow slab kmalloc-64 start ffff0000cecc8b80 pointer offset 0 size 64

Maurizio
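
A triage sketch for the log pattern in the message above, added here as an example and not part of the original post or of the nvmet code: it pairs each nvmet_tcp data digest error with a percpu_ref underflow warning logged shortly afterwards. The function name `correlate`, the 1-second window and the last sample line are assumptions made for illustration.

```python
import re

# First four lines are taken from the trace in the message above;
# the last line is constructed to show a digest error with no follow-up warning.
SAMPLE = """\
[ 4486.731644] nvmet_tcp: queue 2: cmd 12292 pdu (6) data digest error: recv 0x1ee9aab3 expected 0x4d76611a
[ 4486.791455] ------------[ cut here ]------------
[ 4486.791464] percpu ref (nvmet_sq_free [nvmet]) <= 0 (0) after switching to atomic
[ 4486.791491] WARNING: lib/percpu-refcount.c:197 at percpu_ref_switch_to_atomic_rcu+0x200/0x210, CPU#3: swapper/3/0
[ 5000.000001] nvmet_tcp: queue 5: cmd 7 pdu (6) data digest error: recv 0x00000001 expected 0x00000002
"""

TS = r"^\[\s*(\d+\.\d+)\]\s+"
DIGEST = re.compile(
    TS + r"nvmet_tcp: queue (\d+): cmd (\d+) pdu \((\d+)\) data digest error: "
    r"recv (0x[0-9a-f]+) expected (0x[0-9a-f]+)")
UNDERFLOW = re.compile(TS + r"percpu ref \((\w+)(?: \[\w+\])?\) <= 0")


def correlate(log, window=1.0):
    """Return one record per digest error; 'underflow' names the percpu_ref
    release function if an underflow warning follows within `window` seconds."""
    digests, underflows = [], []
    for line in log.splitlines():
        m = DIGEST.match(line)
        if m:
            digests.append({"ts": float(m[1]), "queue": int(m[2]),
                            "cmd": int(m[3]), "pdu": int(m[4]),
                            "recv": m[5], "expected": m[6],
                            "underflow": None})
            continue
        m = UNDERFLOW.match(line)
        if m:
            underflows.append((float(m[1]), m[2]))
    for d in digests:
        for ts, release in underflows:
            if 0 <= ts - d["ts"] <= window:
                d["underflow"] = release
                break
    return digests


if __name__ == "__main__":
    for rec in correlate(SAMPLE):
        state = rec["underflow"] or "no underflow in window"
        print(f"queue {rec['queue']} cmd {rec['cmd']}: {state}")
```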
