From: Daniel Wagner <dwagner@suse.de>
To: Sagi Grimberg <sagi@grimberg.me>
Cc: Keith Busch <kbusch@kernel.org>,
	"Belanger, Martin" <Martin.Belanger@dell.com>,
	"linux-nvme@lists.infradead.org" <linux-nvme@lists.infradead.org>
Subject: Re: nvme-tcp: kernel NULL pointer dereference, address: 0000000000000034
Date: Tue, 21 Mar 2023 11:40:09 +0100
Message-ID: <20230321104009.nltadi6zs6iz66h4@carbon>
In-Reply-To: <316be6c1-0d90-0ea8-f9cf-1ec0086877a3@grimberg.me>

On Tue, Mar 21, 2023 at 11:37:05AM +0200, Sagi Grimberg wrote:
> admin_tagset.nr_maps = 1 (only the default map, no read, no poll)

Indeed, that would be too easy.

I've just triggered a crash where we are passing in a non-null bio. Some
more annotation. This time I am printing from blk_rq_is_poll() and
we see that that is also the case where we have a valid bio but
want to use the poll context:


[   53.663613] rq ffff888107190000 mq_hctx ffff888106244000 type 0 bio ffff88810da4ec00
[   53.665190] nvme nvme1: q ffff888119c40000 rq ffff888124da0000 bio ffff88810da4e600
[   53.665230] rq ffff888124da0000 mq_hctx ffff888106241800 type 0 bio ffff88810da4e600
[   53.666293] nvme nvme1: q ffff888119c40000 rq ffff888106c40000 bio ffff88810da4e100
[   53.669844] rq ffff888106c40000 mq_hctx ffff888106247800 type 2 bio ffff88810da4e100
[   53.670682] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
[   53.670689] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[   53.670694] CPU: 6 PID: 6410 Comm: nvme Tainted: G        W          6.3.0-rc1+ #10 5490073fe695e8e1be1b11c57a398a463ed2e52d
[   53.670701] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
[   53.670705] RIP: 0010:blk_poll+0x31/0x350
[   53.677417] Code: 57 41 56 41 55 41 54 53 48 83 ec 18 41 89 cd 49 89 f6 48 89 fd 48 b9 00 00 00 00 00 fc ff df 48 8d 5a 34 48 89 d8 48 c1 e8 03 <8a> 04 08 84 c0 0f 85 ea 02 00 00 44 8b 23 45 31 ff 41 83 fc ff 0f
[   53.677422] RSP: 0018:ffff88810642f710 EFLAGS: 00010207
[   53.677429] RAX: 0000000000000006 RBX: 0000000000000034 RCX: dffffc0000000000
[   53.677433] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888119c40000
[   53.677436] RBP: ffff888119c40000 R08: dffffc0000000000 R09: ffffed103e33e0f2
[   53.677440] R10: ffffed103e33e0f2 R11: 1ffff1103e33e0f1 R12: 1ffff11020d88002
[   53.677443] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810642f7c0
[   53.677447] FS:  00007fd70718a780(0000) GS:ffff8881f1800000(0000) knlGS:0000000000000000
[   53.677451] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   53.677455] CR2: 00007f25a1c176f8 CR3: 00000001048b6003 CR4: 0000000000170ee0
[   53.677462] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   53.677465] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   53.677469] Call Trace:
[   53.677472]  <TASK>
[   53.677476]  ? blk_rq_poll+0x40/0x60
[   53.691431]  blk_execute_rq+0x418/0x640
[   53.691445]  ? blk_rq_is_poll+0x170/0x170
[   53.691454]  ? complete+0x2c/0x1e0
[   53.691469]  __nvme_submit_sync_cmd+0x3eb/0x750 [nvme_core 3b8f33cff2a9cda33de352373714dd43a47c79c4]
[   53.694428]  nvmf_connect_io_queue+0x30d/0x5e0 [nvme_fabrics a56b21f9a9f011a785bd0916f38d0deca6de166d]
[   53.694449]  ? nvmf_log_connect_error+0x470/0x470 [nvme_fabrics a56b21f9a9f011a785bd0916f38d0deca6de166d]
[   53.694466]  ? blk_set_default_limits+0x195/0x4d0
[   53.694474]  ? blk_alloc_queue+0x3a4/0x460
[   53.694483]  nvme_tcp_start_queue+0x30/0x360 [nvme_tcp 8413e4e242b091568613e66c1cbb42a8845a3aa7]
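
Added example, not part of the original message or of the kernel sources: how the non-canonical address in the general protection fault line maps back to the `[0x30-0x37]` range KASAN reports, and why that range contains the `0x34` held in RBX. It assumes an x86_64 kernel with generic KASAN (shadow offset `0xdffffc0000000000`, scale shift 3); the function and struct names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed: x86_64 generic KASAN constants. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define PAGE_SIZE_BYTES          4096ULL

struct kasan_range { uint64_t first, last; int near_null; };

/* Shadow byte address that an instrumented access to 'addr' checks first. */
uint64_t mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse: the 8 bytes of real memory covered by one shadow byte. */
struct kasan_range shadow_to_mem(uint64_t shadow)
{
    struct kasan_range r;
    r.first = (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    r.last = r.first + (1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1;
    r.near_null = r.first < PAGE_SIZE_BYTES; /* NULL pointer plus a small offset */
    return r;
}

/* Pull the faulting address out of a "general protection fault" oops line.
 * Returns 0 on success, -1 if the line is not such a report. */
int parse_gpf_line(const char *line, uint64_t *fault)
{
    const char *p = strstr(line, "non-canonical address 0x");
    if (!p)
        return -1;
    return sscanf(p, "non-canonical address 0x%" SCNx64, fault) == 1 ? 0 : -1;
}

int main(void)
{
    /* Line copied (shortened) from the oops in the message above. */
    const char *gpf = "[   53.670682] general protection fault, probably for "
                      "non-canonical address 0xdffffc0000000006: 0000 [#1]";
    uint64_t fault;
    if (parse_gpf_line(gpf, &fault))
        return 1;
    struct kasan_range r = shadow_to_mem(fault);
    printf("shadow 0x%" PRIx64 " -> memory [0x%" PRIx64 "-0x%" PRIx64 "]%s\n",
           fault, r.first, r.last, r.near_null ? " (NULL + offset)" : "");
    printf("RBX 0x34 -> shadow 0x%" PRIx64 "\n", mem_to_shadow(0x34));
    return 0;
}
```

The fault is therefore taken on the KASAN shadow lookup for address `0x34`, before the real load executes, which is why the oops shows a general protection fault rather than a page fault at `0x34`.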


Thread overview: 30+ messages
2023-03-15 17:48 nvme-tcp: kernel NULL pointer dereference, address: 0000000000000034 Belanger, Martin
2023-03-15 18:13 ` Keith Busch
2023-03-15 18:23   ` Belanger, Martin
2023-03-15 19:39     ` Keith Busch
2023-03-16  8:57       ` Sagi Grimberg
2023-03-15 22:49     ` Chaitanya Kulkarni
2023-03-15 22:24 ` Keith Busch
2023-03-16  9:00   ` Sagi Grimberg
2023-03-16 15:20     ` Keith Busch
2023-03-16 16:11       ` Sagi Grimberg
2023-03-16 17:19         ` Keith Busch
2023-03-19 13:10           ` Sagi Grimberg
2023-03-21  8:23             ` Daniel Wagner
2023-03-21  8:49               ` Daniel Wagner
2023-03-21  8:56                 ` Sagi Grimberg
2023-03-21  9:09                   ` Daniel Wagner
2023-03-21  9:15                     ` Sagi Grimberg
2023-03-21  9:25                       ` Daniel Wagner
2023-03-21  9:37                         ` Sagi Grimberg
2023-03-21 10:15                           ` Sagi Grimberg
2023-03-21 16:26                             ` Keith Busch
2023-03-22  7:12                               ` Sagi Grimberg
2023-03-21 10:40                           ` Daniel Wagner [this message]
2023-03-21 10:53                             ` Sagi Grimberg
2023-03-21 11:06                               ` Daniel Wagner
2023-03-21 11:10                                 ` Sagi Grimberg
2023-03-21 11:14                                   ` Sagi Grimberg
2023-03-21 12:41                                     ` Daniel Wagner
2023-03-21 12:58                                   ` Daniel Wagner
2023-03-21 13:08                                     ` Sagi Grimberg
