From mboxrd@z Thu Jan  1 00:00:00 1970
From: hare@suse.de (Hannes Reinecke)
Date: Mon, 26 Nov 2018 20:45:38 +0100
Subject: [PATCH] nvme-fc: initialize nvme_req(rq)->ctrl after calling
 __nvme_fc_init_request()
In-Reply-To: <20181126170130.8591-1-emilne@redhat.com>
References: <20181126170130.8591-1-emilne@redhat.com>
Message-ID: <e2947a08-f23c-aba6-b3aa-6cf39a093904@suse.de>

On 11/26/18 6:01 PM, Ewan D. Milne wrote:
> __nvme_fc_init_request() invokes memset() on the nvme_fcp_op_w_sgl structure, which
> NULLed-out the nvme_req(req)->ctrl field previously set by nvme_fc_init_request().
> This apparently was not referenced until commit faf4a44fff ("nvme: support traffic
> based keep-alive") which now results in a crash in nvme_complete_rq():
> 
> [ 8386.897130] RIP: 0010:panic+0x220/0x26c
> [ 8386.901406] Code: 83 3d 6f ee 72 01 00 74 05 e8 e8 54 02 00 48 c7 c6 40 fd 5b b4 48 c7 c7 d8 8d c6 b3 31e
> [ 8386.922359] RSP: 0018:ffff99650019fc40 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
> [ 8386.930804] RAX: 0000000000000046 RBX: 0000000000000000 RCX: 0000000000000006
> [ 8386.938764] RDX: 0000000000000000 RSI: 0000000000000082 RDI: ffff8e325f8168b0
> [ 8386.946725] RBP: ffff99650019fcb0 R08: 0000000000000000 R09: 00000000000004f8
> [ 8386.954687] R10: 0000000000000000 R11: ffff99650019f9b8 R12: ffffffffb3c55f3c
> [ 8386.962648] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
> [ 8386.970613]  oops_end+0xd1/0xe0
> [ 8386.974116]  no_context+0x1b2/0x3c0
> [ 8386.978006]  do_page_fault+0x32/0x140
> [ 8386.982090]  page_fault+0x1e/0x30
> [ 8386.985786] RIP: 0010:nvme_complete_rq+0x65/0x1d0 [nvme_core]
> [ 8386.992195] Code: 41 bc 03 00 00 00 74 16 0f 86 c3 00 00 00 66 3d 83 00 41 bc 06 00 00 00 0f 85 e7 00 000
> [ 8387.013147] RSP: 0018:ffff99650019fe18 EFLAGS: 00010246
> [ 8387.018973] RAX: 0000000000000000 RBX: ffff8e322ae51280 RCX: 0000000000000001
> [ 8387.026935] RDX: 0000000000000400 RSI: 0000000000000001 RDI: ffff8e322ae51280
> [ 8387.034897] RBP: ffff8e322ae51280 R08: 0000000000000000 R09: ffffffffb2f0b890
> [ 8387.042859] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
> [ 8387.050821] R13: 0000000000000100 R14: 0000000000000004 R15: ffff8e2b0446d990
> [ 8387.058782]  ? swiotlb_unmap_page+0x40/0x40
> [ 8387.063448]  nvme_fc_complete_rq+0x2d/0x70 [nvme_fc]
> [ 8387.068986]  blk_done_softirq+0xa1/0xd0
> [ 8387.073264]  __do_softirq+0xd6/0x2a9
> [ 8387.077251]  run_ksoftirqd+0x26/0x40
> [ 8387.081238]  smpboot_thread_fn+0x10e/0x160
> [ 8387.085807]  kthread+0xf8/0x130
> [ 8387.089309]  ? sort_range+0x20/0x20
> [ 8387.093198]  ? kthread_stop+0x110/0x110
> [ 8387.097475]  ret_from_fork+0x35/0x40
> [ 8387.101462] ---[ end trace 7106b0adf5e422f8 ]---
> 
> Fixes: faf4a44fff ("nvme: support traffic based keep-alive")
> Signed-off-by: Ewan D. Milne <emilne at redhat.com>
> ---
>   drivers/nvme/host/fc.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
> index 83131e4..240d09e 100644
> --- a/drivers/nvme/host/fc.c
> +++ b/drivers/nvme/host/fc.c
> @@ -1746,12 +1746,12 @@ enum {
>   	struct nvme_fc_queue *queue = &ctrl->queues[queue_idx];
>   	int res;
>   
> -	nvme_req(rq)->ctrl = &ctrl->ctrl;
>   	res = __nvme_fc_init_request(ctrl, queue, &op->op, rq, queue->rqcnt++);
>   	if (res)
>   		return res;
>   	op->op.fcp_req.first_sgl = &op->sgl[0];
>   	op->op.fcp_req.private = &op->priv[0];
> +	nvme_req(rq)->ctrl = &ctrl->ctrl;
>   	return res;
>   }
>   
> 
Ah, that's the one. I've ran into that, too, but than had been too lazy 
to followup upon it.

Reviewed-by: Hannes Reinecke <hare at suse.com>

Cheers,

Hannes