blk-mq: nvme: Fix general protection fault in nvme_setup_descriptor_pools() #624
Open
blktests-ci[bot] wants to merge 1 commit into linus-master_base from
Conversation
Author | Upstream branch: 1f318b9 | 1f19ba6 to e79276a
…ools()
The numa_node can be < 0 since NUMA_NO_NODE = -1. However,
struct blk_mq_hw_ctx{} defines numa_node as unsigned int. As a result,
numa_node is set to UINT_MAX for NUMA_NO_NODE in blk_mq_alloc_hctx().
Later, nvme_setup_descriptor_pools() accesses
descriptor_pools[numa_node]. Due to the above, it tries to access
descriptor_pools[UINT_MAX]. The address is garbage but accessible
because it is canonical and still within the slab memory range.
Therefore, no page fault occurs, and KASAN cannot detect this since it
is beyond the redzones.
Subsequently, normal I/O calls dma_pool_alloc() with the garbage pool
address. pool->next_block contains a wild pointer, causing a general
protection fault (GPF).
To fix this, this patch changes the type of numa_node to int and adds
a check for NUMA_NO_NODE.
Log:
Oops: general protection fault, probably for non-canonical address 0xe9803b040854d02c: 0000 [#1] SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0x4c01f82042a68160-0x4c01f82042a68167][FEMU] Err: I/O cmd failed: opcode=0x2 status=0x4002
CPU: 0 UID: 0 PID: 112363 Comm: systemd-udevd Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:pool_block_pop mm/dmapool.c:187 [inline]
RIP: 0010:dma_pool_alloc+0x110/0x990 mm/dmapool.c:417
Code: 00 0f 85 a4 07 00 00 4c 8b 63 58 4d 85 e4 0f 84 12 01 00 00 e8 41 1d 93 ff 4c 89 e2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 a7 07 00 00 49 8b 04 24 48 8d 7b 68 48 89 fa 48
RSP: 0018:ffffc90002b9efd0 EFLAGS: 00010003
RAX: dffffc0000000000 RBX: ffff888005466800 RCX: ffffffff94faab7f
RDX: 09803f040854d02c RSI: 6c9b26c9b26c9b27 RDI: ffff88800c725ea0
RBP: ffffc90002b9f060 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000000 R12: 4c01f82042a68164
R13: ffff888005466800 R14: 0000000000000820 R15: ffff888007b29000
FS: 00007f2abc4ff8c0(0000) GS:ffff8880d1ff7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056360eb89000 CR3: 000000000a480000 CR4: 00000000000006f0
Call Trace:
<TASK>
nvme_pci_setup_data_prp drivers/nvme/host/pci.c:906 [inline]
nvme_map_data drivers/nvme/host/pci.c:1114 [inline]
nvme_prep_rq.part.0+0x17d3/0x3c90 drivers/nvme/host/pci.c:1243
nvme_prep_rq drivers/nvme/host/pci.c:1239 [inline]
nvme_prep_rq_batch drivers/nvme/host/pci.c:1321 [inline]
nvme_queue_rqs+0x37b/0x8a0 drivers/nvme/host/pci.c:1336
__blk_mq_flush_list block/blk-mq.c:2848 [inline]
__blk_mq_flush_list+0xaa/0xe0 block/blk-mq.c:2844
blk_mq_dispatch_queue_requests+0x4f5/0x990 block/blk-mq.c:2893
blk_mq_flush_plug_list+0x232/0x650 block/blk-mq.c:2981
__blk_flush_plug+0x2c3/0x510 block/blk-core.c:1225
blk_finish_plug block/blk-core.c:1252 [inline]
blk_finish_plug+0x64/0xc0 block/blk-core.c:1249
read_pages+0x6bd/0x9d0 mm/readahead.c:176
page_cache_ra_unbounded+0x659/0x950 mm/readahead.c:269
do_page_cache_ra mm/readahead.c:332 [inline]
force_page_cache_ra+0x282/0x3a0 mm/readahead.c:361
page_cache_sync_ra+0x201/0xbf0 mm/readahead.c:579
filemap_get_pages+0x3be/0x1990 mm/filemap.c:2690
filemap_read+0x3ea/0xdf0 mm/filemap.c:2800
blkdev_read_iter+0x1b8/0x520 block/fops.c:856
new_sync_read fs/read_write.c:491 [inline]
vfs_read+0x90f/0xd80 fs/read_write.c:572
ksys_read+0x14e/0x280 fs/read_write.c:715
__do_sys_read fs/read_write.c:724 [inline]
__se_sys_read fs/read_write.c:722 [inline]
__x64_sys_read+0x7b/0xc0 fs/read_write.c:722
x64_sys_call+0x17ec/0x21b0 arch/x86/include/generated/asm/syscalls_64.h:1
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8b/0x1200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f2abc7b204e
Code: 0f 1f 40 00 48 8b 15 79 af 00 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
RSP: 002b:00007fff07113cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056360eb6a528 RCX: 00007f2abc7b204e
RDX: 0000000000040000 RSI: 000056360eb6a538 RDI: 000000000000000f
RBP: 000056360e8d23d0 R08: 000056360eb6a510 R09: 00007f2abc79abe0
R10: 0000000000040050 R11: 0000000000000246 R12: 000000003ff80000
R13: 0000000000040000 R14: 000056360eb6a510 R15: 000056360e8d2420
</TASK>
Modules linked in:
Fixes: 320ae51 ("blk-mq: new multi-queue block IO queueing mechanism")
Fixes: d977506 ("nvme-pci: make PRP list DMA pools per-NUMA-node")
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
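The unsigned wrap the commit message describes, modelled in userspace C as an added example (not code from the series or the kernel): NUMA_NO_NODE stored in an unsigned numa_node field becomes UINT_MAX, which indexes far past a per-node pool array without faulting. The pool array, MAX_NUMNODES = 4 and the fall-back to node 0 in the fixed lookup are this example's assumptions; the page only says the patch changes the field to int and adds a NUMA_NO_NODE check.

```c
#include <limits.h>
#include <stddef.h>

#define NUMA_NO_NODE (-1)
#define MAX_NUMNODES 4 /* constructed small node count */

/* Stand-in for the per-node descriptor pool array (constructed). */
static int descriptor_pools[MAX_NUMNODES];

/* Unfixed layout: numa_node is unsigned int, as in struct blk_mq_hw_ctx
 * before the patch. Assigning NUMA_NO_NODE (-1) wraps to UINT_MAX. */
struct hctx_unsigned { unsigned int numa_node; };

/* Fixed layout: the patch changes the field to int, so -1 survives. */
struct hctx_signed { int numa_node; };

/* Index the unfixed code ends up using for a given node id. */
unsigned int unfixed_index(int node)
{
    struct hctx_unsigned h = { .numa_node = (unsigned int)node };
    return h.numa_node; /* NUMA_NO_NODE -> 4294967295 */
}

/* Byte offset from descriptor_pools[] that index idx would read. With
 * UINT_MAX and 8-byte pool pointers this is ~32 GiB past the array:
 * canonical and far beyond any KASAN redzone, as the commit message says. */
unsigned long long stray_offset_bytes(unsigned int idx, size_t elem_size)
{
    return (unsigned long long)idx * elem_size;
}

/* Fixed lookup: signed field plus an explicit NUMA_NO_NODE check.
 * Falling back to node 0 is this example's assumption; the page does
 * not say which node the patch substitutes. */
int fixed_index(int node)
{
    struct hctx_signed h = { .numa_node = node };
    if (h.numa_node == NUMA_NO_NODE || h.numa_node >= MAX_NUMNODES)
        return 0;
    return h.numa_node;
}

/* Defensive accessor: NULL for any index outside the array instead of
 * a garbage pool pointer that dma_pool_alloc() would later dereference. */
int *lookup_pool(unsigned long long idx)
{
    return idx < MAX_NUMNODES ? &descriptor_pools[idx] : NULL;
}
```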
Pull request for series with
subject: blk-mq: nvme: Fix general protection fault in nvme_setup_descriptor_pools()
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1063431