Date: Wed, 16 Sep 2020 09:54:33 -0700
From: Keith Busch
To: Tong Zhang
Cc: Jens Axboe, Christoph Hellwig, Sagi Grimberg, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nvme: fix NULL pointer dereference
Message-ID: <20200916165433.GA3675881@dhcp-10-100-145-180.wdl.wdc.com>
References: <20200916153648.5475-1-ztong0001@gmail.com>
In-Reply-To: <20200916153648.5475-1-ztong0001@gmail.com>

On Wed, Sep 16, 2020 at 11:36:49AM -0400, Tong Zhang wrote:
> @@ -960,6 +960,8 @@ static inline void nvme_handle_cqe(struct nvme_queue *nvmeq, u16 idx)
> }
>
> req = blk_mq_tag_to_rq(nvme_queue_tagset(nvmeq), cqe->command_id);
> + if (!req)
> + return;

As I mentioned before, blk_mq_tag_to_rq() returns NULL if the tag exceeds
the depth. We already verify the tag prior to calling this function, so
what's the real root cause for how we're winding up with NULL here? I'm
only asking this because it sounds like there's a bug somewhere else and
this change is masking over it.

> trace_nvme_sq(req, cqe->sq_head, nvmeq->sq_tail);
> if (!nvme_try_complete_req(req, cqe->status, cqe->result))
> nvme_pci_complete_rq(req);
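Review bot: the bare `return` added after `req = blk_mq_tag_to_rq(nvme_queue_tagset(nvmeq), cqe->command_id);` silently discards a completion whose command id maps to no request, which hides the condition instead of diagnosing it. Since the tag is already validated before this call, as the review above notes, a NULL here points to a defect elsewhere (in that validation or in how the command id was produced), and a silent early exit leaves it invisible; if a guard is kept at all, it should at least emit a warning carrying the queue and `cqe->command_id` (for example via dev_warn()) so the dropped completion shows up in the log, and the commit message should explain how a NULL request was observed to reach this point.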