[PATCH v2] nvme: don't WARN on I/O to a namespace revalidated to unusable metadata
Chao Shi
coshi036 at gmail.com
Sat May 16 22:36:35 PDT 2026
nvme_setup_rw() fires WARN_ON_ONCE(!nvme_ns_has_pi(ns->head)) for a
namespace with head->ms != 0 but no PI and no REQ_INTEGRITY. This
occurs when Identify Namespace reports flbas META_EXT, lbaf[].ms != 0
and dps == 0: on PCIe nvme_configure_metadata() sets EXT_LBAS without
METADATA_SUPPORTED, nvme_init_integrity() registers no profile, and
capacity is forced to 0. It is the host-unaware geometry change Keith
described -- an out-of-band format on a shared namespace, or a
non-compliant device seen on rescan -- not the host's own Format NVM,
which freezes first.
The freeze in nvme_update_ns_info_block() is not defeated; the WARN
just does not depend on q->limits. It depends on ns->head->ms (read
live at dispatch, set inside the freeze window) and on REQ_INTEGRITY,
never set for this geometry. capacity == 0 only gates submission
(bio_check_eod()), not dispatch: a writeback bio that passed
bio_check_eod() under the old capacity sits on the task plug holding
no q_usage_counter reference and is flushed by blk_finish_plug() after
the update committed head->ms != 0 (dmesg confirms: the capacity-change
line prints before the WARN).
The I/O is already rejected correctly (BLK_STS_NOTSUPP, capacity 0).
The assertion fires on a device-reachable, already-handled condition
-- a panic under panic_on_warn -- and its premise does not hold:
metadata without PI or a registrable profile is a legitimate, unusable
state. Add that explicit case and emit one dev_warn_once() instead.
Fully fencing already-submitted bios over a revalidation is larger,
TP-level work and is out of scope here.
Tested: built on linux-kcov-debug (6.19.0+, KASAN); boot-tested under
FEMU, 4x dd + 500 rescans, no splat; reject path verified by code
inspection.
Found by FuzzNvme (Syzkaller with FEMU fuzzing framework).
Link: https://lore.kernel.org/linux-nvme/20260427003457.1264511-1-coshi036@gmail.com/
Acked-by: Sungwoo Kim <iam at sung-woo.kim>
Acked-by: Dave Tian <daveti at purdue.edu>
Acked-by: Weidong Zhu <weizhu at fiu.edu>
Signed-off-by: Chao Shi <coshi036 at gmail.com>
---
v2: drop 2/2 (faking an integrity profile); supersede 1/2 with an
explicit unusable-metadata case + one dev_warn_once() instead of
downgrading the WARN; rewrite the log with the requested mechanism.
RFC v1: https://lore.kernel.org/linux-nvme/20260427003457.1264511-1-coshi036@gmail.com/
drivers/nvme/host/core.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index d1711ef59fb8..32ccb56c4aaf 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1039,8 +1039,23 @@ static inline blk_status_t nvme_setup_rw(struct nvme_ns *ns,
* namespace capacity to zero to prevent any I/O.
*/
if (!blk_integrity_rq(req)) {
- if (WARN_ON_ONCE(!nvme_ns_has_pi(ns->head)))
+ /*
+ * A namespace with metadata but neither PI nor a block
+ * layer integrity profile is unusable: nvme_init_integrity()
+ * registers no profile, blk_get_integrity() is NULL, no bio
+ * ever gets REQ_INTEGRITY, and the capacity is forced to 0.
+ * A bio that passed bio_check_eod() under the old capacity
+ * and was batched on a plug before the namespace revalidated
+ * can still be dispatched here afterwards. Reject it; this
+ * is the expected terminal handling of I/O to a namespace
+ * that revalidated to an unusable geometry, not a bug.
+ */
+ if (!nvme_ns_has_pi(ns->head)) {
+ dev_warn_once(ns->ctrl->device,
+ "%s: I/O to namespace with metadata but no usable integrity profile (ms=%u), rejecting\n",
+ ns->disk->disk_name, ns->head->ms);
return BLK_STS_NOTSUPP;
+ }
control |= NVME_RW_PRINFO_PRACT;
nvme_set_ref_tag(ns, cmnd, req);
}
--
2.43.0
More information about the Linux-nvme
mailing list