From: Tong Zhang <ztong0001@gmail.com>
To: Keith Busch <kbusch@kernel.org>, Jens Axboe <axboe@fb.com>,
Christoph Hellwig <hch@lst.de>, Sagi Grimberg <sagi@grimberg.me>,
linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Cc: Tong Zhang <ztong0001@gmail.com>
Subject: [PATCH] nvme: fix NULL pointer dereference
Date: Wed, 16 Sep 2020 11:36:49 -0400
Message-ID: <20200916153648.5475-1-ztong0001@gmail.com>
blk_mq_tag_to_rq can return NULL and this condition must be checked
[ 147.861050] BUG: KASAN: null-ptr-deref in nvme_irq+0xfc/0x410
[ 147.861326] Write of size 2 at addr 0000000000000122 by task kworker/u4:1/56
[ 147.861675]
[ 147.861756] CPU: 1 PID: 56 Comm: kworker/u4:1 Not tainted 5.9.0-rc4+ #83
[ 147.862657] Workqueue: nvme-wq nvme_scan_work
[ 147.862876] Call Trace:
[ 147.863002] <IRQ>
[ 147.863112] dump_stack+0x7d/0xb0
[ 147.863280] kasan_report.cold+0x6a/0x7e
[ 147.863478] ? nvme_irq+0xfc/0x410
[ 147.863650] nvme_irq+0xfc/0x410
[ 147.863815] ? __x64_sys_getrandom+0xb0/0xb0
[ 147.864030] ? nvme_del_cq_end+0x70/0x70
[ 147.864229] __handle_irq_event_percpu+0x69/0x280
[ 147.864465] handle_irq_event_percpu+0x6a/0xe0
[ 147.864689] ? __handle_irq_event_percpu+0x280/0x280
[ 147.864939] ? _raw_spin_lock+0x75/0xd0
[ 147.865131] ? _raw_read_lock_irq+0x30/0x30
[ 147.865345] handle_irq_event+0x57/0x86
[ 147.865537] handle_edge_irq+0xe5/0x2d0
[ 147.865732] asm_call_on_stack+0x12/0x20
[ 147.865929] </IRQ>
[ 147.866038] common_interrupt+0xad/0x110
[ 147.866236] asm_common_interrupt+0x1e/0x40
[ 147.866447] RIP: 0010:__asan_load4+0x40/0xa0
[ 147.866663] Code: 00 00 ff 48 39 f8 77 56 48 8d 47 03 48 89 c2 83 e2 07 48 83 fa 02 76 2f 48 b9 00 00 00 00 00 fc ff df 48 c1 e8 03 0f b6 04 08 <84>0
[ 147.867577] RSP: 0000:ffff8880666e6d48 EFLAGS: 00000a06
[ 147.867837] RAX: 0000000000000000 RBX: ffff8880666e6e28 RCX: dffffc0000000000
[ 147.868190] RDX: 0000000000000003 RSI: ffffffffb053e44f RDI: ffff8880666e6e30
[ 147.868544] RBP: 0000000000000013 R08: ffffffffafb5ee6f R09: fffffbfff64977ad
[ 147.868897] R10: ffffffffb24bbd63 R11: fffffbfff64977ac R12: ffffffffb053e44f
[ 147.869250] R13: 0000000000000000 R14: ffff8880666d8040 R15: 0000000000000130
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
---
drivers/nvme/host/pci.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 899d2f4d7ab6..725d2263a0f5 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -960,6 +960,8 @@ static inline void nvme_handle_cqe(struct nvme_queue *nvmeq, u16 idx)
}
req = blk_mq_tag_to_rq(nvme_queue_tagset(nvmeq), cqe->command_id);
+ if (!req)
+ return;
trace_nvme_sq(req, cqe->sq_head, nvmeq->sq_tail);
if (!nvme_try_complete_req(req, cqe->status, cqe->result))
nvme_pci_complete_rq(req);
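Review bot: the bare `if (!req) return;` silently drops a completion whose command_id blk_mq_tag_to_rq() cannot map to a request, so the underlying fault (a controller completing an id the driver never issued) leaves nothing in the log and will only show up later as a request that never completes. Consider logging before returning, e.g. `dev_warn(nvmeq->dev->ctrl.device, "invalid id %d completed on queue %d\n", cqe->command_id, nvmeq->qid);` so the event is attributed to the device, and wrap the test in `unlikely()` to match the surrounding completion fast path. The commit message should also explain why the lookup can fail here; the KASAN report shows where the write landed (nvme_irq during nvme_scan_work) but not what produced the invalid id, which is what a reviewer needs to judge whether returning is the right recovery.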
--
2.25.1
Thread overview: 7+ messages
2020-09-16 15:36 Tong Zhang [this message]
2020-09-16 16:54 ` [PATCH] nvme: fix NULL pointer dereference Keith Busch
2020-09-17 16:56 ` Tong Zhang
2020-09-17 17:14 ` Keith Busch
2020-09-18 0:44 ` Tong Zhang
2020-09-18 3:32 ` Tong Zhang
2020-09-18 18:38 ` Keith Busch