blk/nvme: fix NULL deref in rq_qos_done_bio() on multipath failover#595
Open
blktests-ci[bot] wants to merge 2 commits intolinus-master_basefrom
Open
blk/nvme: fix NULL deref in rq_qos_done_bio() on multipath failover#595blktests-ci[bot] wants to merge 2 commits intolinus-master_basefrom
blktests-ci[bot] wants to merge 2 commits intolinus-master_basefrom
Conversation
Author
|
Upstream branch: 7dff99b |
Author
|
Upstream branch: 7dff99b |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
a8b749a to
2a0bb33
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
c475e20 to
14f6b99
Compare
Author
|
Upstream branch: a75cb86 |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
2a0bb33 to
f4de7ee
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
14f6b99 to
856dc37
Compare
Author
|
Upstream branch: 4d349ee |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
f4de7ee to
ab5f144
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
856dc37 to
40967f0
Compare
Author
|
Upstream branch: 11439c4 |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
ab5f144 to
fec4b07
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
40967f0 to
d4e9bad
Compare
Author
|
Upstream branch: af4e9ef |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
fec4b07 to
6c2724b
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
2 times, most recently
from
ecd10e2 to
d0e1bed
Compare
Author
|
Upstream branch: af4e9ef |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
6c2724b to
1629232
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
d0e1bed to
6b51c57
Compare
Author
|
Upstream branch: 0031c06 |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
1629232 to
bc1591f
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
6b51c57 to
78036b2
Compare
Author
|
Upstream branch: ecc64d2 |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
bc1591f to
6bd974f
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
78036b2 to
bbb3394
Compare
Author
|
Upstream branch: c107785 |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
6bd974f to
b51c760
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
bbb3394 to
901a429
Compare
Author
|
Upstream branch: 5ee8dbf |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
b51c760 to
1d88dc2
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
901a429 to
1f19ba6
Compare
Author
|
Upstream branch: 1f318b9 |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
1d88dc2 to
b17b28c
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
1f19ba6 to
e79276a
Compare
Author
|
Upstream branch: None |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
b17b28c to
815fd26
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
e79276a to
0dd9afc
Compare
added 2 commits
March 12, 2026 11:09
blk_steal_bios() transfers bios from a request to a bio_list when the request is requeued to a different queue. The NVMe multipath failover path (nvme_failover_req) currently open-codes clearing of REQ_POLLED, bi_cookie, and REQ_NOWAIT on each bio before calling blk_steal_bios(). Move these fixups into blk_steal_bios() itself so that any caller automatically gets correct flag state when bios cross queue boundaries. Simplify nvme_failover_req() accordingly. Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com> Reviewed-by: Christoph Hellwig <hch@lst.de>
When a bio goes through the rq_qos infrastructure on a path's request
queue, it gets BIO_QOS_THROTTLED or BIO_QOS_MERGED flags set. These
flags indicate that rq_qos_done_bio() should be called on completion
to update rq_qos accounting.
During path failover in nvme_failover_req(), the bio's bi_bdev is
redirected from the failed path's disk to the multipath head's disk
via bio_set_dev(). However, the BIO_QOS flags are not cleared.
When the bio eventually completes (either successfully via a new path
or with an error via bio_io_error()), rq_qos_done_bio() checks for
these flags and calls __rq_qos_done_bio(q->rq_qos, bio) where q is
obtained from the bio's current bi_bdev - which is now the multipath
head's queue, not the original path's queue.
The multipath head's queue does not have rq_qos enabled (q->rq_qos is
NULL), but the code assumes that if BIO_QOS_* flags are set, q->rq_qos
must be valid.
This breaks when a bio is moved between queues during NVMe multipath
failover, leading to a NULL pointer dereference.
Execution Context timeline :-
* =====> dd process context
[USER] dd process
[SYSCALL] write() - dd process context
submit_bio()
nvme_ns_head_submit_bio() - path selection
blk_mq_submit_bio() #### QOS FLAGS SET HERE
[USER] dd waits or returns
==== I/O in flight on NVMe hardware =====
===== End of submission path ====
------------------------------------------------------
* dd ====> Interrupt context;
[IRQ] NVMe completion interrupt
nvme_irq()
nvme_complete_rq()
nvme_failover_req() ### BIO MOVED TO HEAD
spin_lock_irqsave (atomic section)
bio_set_dev() changes bi_bdev
### BUG: QOS flags NOT cleared
kblockd_schedule_work()
* Interrupt context =====> kblockd workqueue
[WQ] kblockd workqueue - kworker process
nvme_requeue_work()
submit_bio_noacct()
nvme_ns_head_submit_bio()
nvme_find_path() returns NULL
bio_io_error()
bio_endio()
rq_qos_done_bio() ### CRASH ###
KERNEL PANIC / OOPS
Crash from blktests nvme/058 (rapid namespace remapping):
[ 1339.636033] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 1339.641025] nvme nvme4: rescanning namespaces.
[ 1339.642064] #PF: supervisor read access in kernel mode
[ 1339.642067] #PF: error_code(0x0000) - not-present page
[ 1339.642070] PGD 0 P4D 0
[ 1339.642073] Oops: Oops: 0000 [#1] SMP NOPTI
[ 1339.642078] CPU: 35 UID: 0 PID: 4579 Comm: kworker/35:2H
Tainted: G O N 6.17.0-rc3nvme+ #5 PREEMPT(voluntary)
[ 1339.642084] Tainted: [O]=OOT_MODULE, [N]=TEST
[ 1339.673446] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 1339.682359] Workqueue: kblockd nvme_requeue_work [nvme_core]
[ 1339.686613] RIP: 0010:__rq_qos_done_bio+0xd/0x40
[ 1339.690161] Code: 75 dd 5b 5d 41 5c c3 cc cc cc cc 66 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 f5
53 48 89 fb <48> 8b 03 48 8b 40 30 48 85 c0 74 0b 48 89 ee
48 89 df ff d0 0f 1f
[ 1339.703691] RSP: 0018:ffffc900066f3c90 EFLAGS: 00010202
[ 1339.706844] RAX: ffff888148b9ef00 RBX: 0000000000000000 RCX: 0000000000000000
[ 1339.711136] RDX: 00000000000001c0 RSI: ffff8882aaab8a80 RDI: 0000000000000000
[ 1339.715691] RBP: ffff8882aaab8a80 R08: 0000000000000000 R09: 0000000000000000
[ 1339.720472] R10: 0000000000000000 R11: fefefefefefefeff R12: ffff8882aa3b6010
[ 1339.724650] R13: 0000000000000000 R14: ffff8882338bcef0 R15: ffff8882aa3b6020
[ 1339.729029] FS: 0000000000000000(0000) GS:ffff88985c0cf000(0000) knlGS:0000000000000000
[ 1339.734525] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1339.738563] CR2: 0000000000000000 CR3: 0000000111045000 CR4: 0000000000350ef0
[ 1339.742750] DR0: ffffffff845ccbec DR1: ffffffff845ccbed DR2: ffffffff845ccbee
[ 1339.745630] DR3: ffffffff845ccbef DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 1339.748488] Call Trace:
[ 1339.749512] <TASK>
[ 1339.750449] bio_endio+0x71/0x2e0
[ 1339.751833] nvme_ns_head_submit_bio+0x290/0x320 [nvme_core]
[ 1339.754073] __submit_bio+0x222/0x5e0
[ 1339.755623] ? rcu_is_watching+0xd/0x40
[ 1339.757201] ? submit_bio_noacct_nocheck+0x131/0x370
[ 1339.759210] submit_bio_noacct_nocheck+0x131/0x370
[ 1339.761189] ? submit_bio_noacct+0x20/0x620
[ 1339.762849] nvme_requeue_work+0x4b/0x60 [nvme_core]
[ 1339.764828] process_one_work+0x20e/0x630
[ 1339.766528] worker_thread+0x184/0x330
[ 1339.768129] ? __pfx_worker_thread+0x10/0x10
[ 1339.769942] kthread+0x10a/0x250
[ 1339.771263] ? __pfx_kthread+0x10/0x10
[ 1339.772776] ? __pfx_kthread+0x10/0x10
[ 1339.774381] ret_from_fork+0x273/0x2e0
[ 1339.775948] ? __pfx_kthread+0x10/0x10
[ 1339.777504] ret_from_fork_asm+0x1a/0x30
[ 1339.779163] </TASK>
Fix this by clearing both BIO_QOS_THROTTLED and BIO_QOS_MERGED flags
when bios are redirected to the multipath head in nvme_failover_req().
This is consistent with the existing code that clears REQ_POLLED and
REQ_NOWAIT flags when the bio changes queues.
Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Author
|
Upstream branch: 80234b5 |
blktests-ci
bot
force-pushed
the
series/1058117=>linus-master
branch
from
815fd26 to
4933fdf
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: blk/nvme: fix NULL deref in rq_qos_done_bio() on multipath failover
version: 2
url: https://patchwork.kernel.org/project/linux-block/list/?series=1058117