[PATCH v2] nvme-pci: fix dbbuf_sq_db point to freed memory
From: Lulina (A) @ 2018-12-21 1:07 UTC
To: axboe, hch; +Cc: linux-nvme, linux-kernel

The case is that the nvme device supports NVME_CTRL_OACS_DBBUF_SUPP, and returns a failure when the driver sends nvme_admin_dbbuf. nvmeq->dbbuf_sq_db points to freed memory, as nvme_dbbuf_set is called after nvme_dbbuf_init.

Signed-off-by: lulina <lina.lulina@huawei.com>

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index c33bb20..a477905 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -251,16 +251,25 @@ static int nvme_dbbuf_dma_alloc(struct nvme_dev *dev) static void nvme_dbbuf_dma_free(struct nvme_dev *dev) { unsigned int mem_size = nvme_dbbuf_size(dev->db_stride); + unsigned int i; if (dev->dbbuf_dbs) { dma_free_coherent(dev->dev, mem_size, dev->dbbuf_dbs, dev->dbbuf_dbs_dma_addr); dev->dbbuf_dbs = NULL; + for (i = dev->ctrl.queue_count - 1; i > 0; i--) { + dev->queues[i].dbbuf_sq_db = NULL; + dev->queues[i].dbbuf_cq_db = NULL; + } } if (dev->dbbuf_eis) { dma_free_coherent(dev->dev, mem_size, dev->dbbuf_eis, dev->dbbuf_eis_dma_addr); dev->dbbuf_eis = NULL; + for (i = dev->ctrl.queue_count - 1; i > 0; i--) { + dev->queues[i].dbbuf_sq_ei = NULL; + dev->queues[i].dbbuf_cq_ei = NULL; + } } }
-- 
1.8.3.1
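Review bot: in the nvme_dbbuf_dma_free() hunk the per-queue pointers (dev->queues[i].dbbuf_sq_db, dbbuf_cq_db, dbbuf_sq_ei, dbbuf_cq_ei) are cleared only after dma_free_coherent() has already returned the buffer, and with no lock held; since the I/O path reads nvmeq->dbbuf_sq_db and writes through it whenever it is non-NULL, a reader on another CPU that loads the pointer just before the store of NULL still writes into released DMA memory, so this only closes the window rather than the race. Either move the clearing loop in front of the dma_free_coherent() call and state in a comment the guarantee that no I/O can be in flight when this function runs (the queues being quiesced), or clear the pointers under the queue lock. As a style point, the two loops differ only in the field names; a single loop after both frees that clears all four pointers, e.g. "dev->queues[i].dbbuf_sq_db = NULL;" through "dev->queues[i].dbbuf_cq_ei = NULL;", would read more easily, and a one-line comment on why index 0 is skipped would help the next reader.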
Re: [PATCH v2] nvme-pci: fix dbbuf_sq_db point to freed memory
From: Christoph Hellwig @ 2019-01-04 18:07 UTC
To: Lulina (A); +Cc: axboe, hch, linux-kernel, linux-nvme

On Fri, Dec 21, 2018 at 01:07:25AM +0000, Lulina (A) wrote:
> The case is that nvme device support NVME_CTRL_OACS_DBBUF_SUPP, and
> return failed when the driver sent nvme_admin_dbbuf. The nvmeq->dbbuf_sq_db
> point to freed memory, as nvme_dbbuf_set is called after nvme_dbbuf_init.

But we never use those pointers in that state, do we? Can you explain the problem in a little more detail?
Re: [PATCH v2] nvme-pci: fix dbbuf_sq_db point to freed memory
From: Lulina (A) @ 2019-01-07 5:27 UTC
To: Christoph Hellwig; +Cc: axboe, hch, linux-kernel, linux-nvme

Thanks for replying to my email. My description in the last email was not clear enough, so here is a supplementary note.

The NVMe device I used supports DBBUF, but the nvme_admin_dbbuf request returned a failure that eventually led to a kernel crash. The problem occurs as follows:

1. The device supports NVME_CTRL_OACS_DBBUF_SUPP, so the reset worker allocates memory for dev->dbbuf_dbs.
2. In the nvme_setup_io_queues process, the nvme_dbbuf_init function is called to assign values to pointers such as nvmeq->dbbuf_sq_db.
3. In the nvme_dev_add function, the nvme_admin_dbbuf request is sent to the device, but the device returns a failure, so the memory that dev->dbbuf_dbs points to is released.

Then the driver issues IO requests; in the nvme_write_sq_db process, the nvme_dbbuf_update_and_check_event function judges that the nvmeq->dbbuf_sq_db pointer is not NULL and writes to the memory it points to, causing memory corruption and a kernel crash.

On 2019/1/5 2:07, Christoph Hellwig wrote:
> On Fri, Dec 21, 2018 at 01:07:25AM +0000, Lulina (A) wrote:
>> The case is that nvme device support NVME_CTRL_OACS_DBBUF_SUPP, and
>> return failed when the driver sent nvme_admin_dbbuf. The nvmeq->dbbuf_sq_db
>> point to freed memory, as nvme_dbbuf_set is called after nvme_dbbuf_init.
>
> But we never use those pointers in that state, do we? Can you explain
> the problem in a little more detail?
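The four-step sequence above, as an added, stand-alone C model that is not part of the thread or of the nvme-pci driver: it keeps the driver's shape (shared dbbuf_dbs/dbbuf_eis buffers, per-queue pointers set by an init step, a free step, and an I/O-path check that trusts any non-NULL shadow-doorbell pointer) but replaces coherent DMA memory with a fake arena that tracks which words are still live, so a write through a stale pointer is counted rather than corrupting memory. All identifiers (model_*, fake_dma_*, the arena) are hypothetical, and the with_fix flag stands in for the patch's clearing loops.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_QUEUES  4                 /* admin queue + 3 I/O queues (assumed) */
#define DB_WORDS    (2 * MAX_QUEUES)  /* one SQ slot and one CQ slot per queue */
#define ARENA_WORDS 64

/* Fake coherent-DMA arena: each word is tracked as live or freed so a write
 * through a dangling pointer can be detected. Stands in for dma_*_coherent(). */
static uint32_t arena[ARENA_WORDS];
static bool arena_live[ARENA_WORDS];
static size_t arena_next;
static int writes_into_freed;         /* doorbell writes that landed in freed memory */

static uint32_t *fake_dma_alloc(size_t words)
{
	uint32_t *p = &arena[arena_next];
	for (size_t i = 0; i < words; i++)
		arena_live[arena_next + i] = true;
	arena_next += words;
	return p;
}

static void fake_dma_free(uint32_t *p, size_t words)
{
	size_t off = (size_t)(p - arena);
	for (size_t i = 0; i < words; i++)
		arena_live[off + i] = false;
}

struct model_queue {
	uint32_t *dbbuf_sq_db, *dbbuf_cq_db;  /* shadow doorbells */
	uint32_t *dbbuf_sq_ei, *dbbuf_cq_ei;  /* event indexes */
};
struct model_dev {
	unsigned int queue_count;
	uint32_t *dbbuf_dbs, *dbbuf_eis;      /* shared buffers, one slot pair per queue */
	struct model_queue queues[MAX_QUEUES];
};

/* Step 2: like nvme_dbbuf_init(), I/O queues get pointers into the shared
 * buffers; the admin queue (qid 0) gets none. */
static void model_dbbuf_init(struct model_dev *dev, unsigned int qid)
{
	if (!dev->dbbuf_dbs || !qid)
		return;
	dev->queues[qid].dbbuf_sq_db = &dev->dbbuf_dbs[qid * 2];
	dev->queues[qid].dbbuf_cq_db = &dev->dbbuf_dbs[qid * 2 + 1];
	dev->queues[qid].dbbuf_sq_ei = &dev->dbbuf_eis[qid * 2];
	dev->queues[qid].dbbuf_cq_ei = &dev->dbbuf_eis[qid * 2 + 1];
}

/* Step 3: like nvme_dbbuf_dma_free(); clear_queue_ptrs selects the patch's
 * behaviour of resetting the per-queue pointers (index 0 is skipped as in the patch). */
static void model_dbbuf_dma_free(struct model_dev *dev, bool clear_queue_ptrs)
{
	if (dev->dbbuf_dbs) { fake_dma_free(dev->dbbuf_dbs, DB_WORDS); dev->dbbuf_dbs = NULL; }
	if (dev->dbbuf_eis) { fake_dma_free(dev->dbbuf_eis, DB_WORDS); dev->dbbuf_eis = NULL; }
	if (!clear_queue_ptrs)
		return;
	for (unsigned int i = dev->queue_count - 1; i > 0; i--) {
		dev->queues[i].dbbuf_sq_db = NULL;
		dev->queues[i].dbbuf_cq_db = NULL;
		dev->queues[i].dbbuf_sq_ei = NULL;
		dev->queues[i].dbbuf_cq_ei = NULL;
	}
}

/* I/O path: like the check in nvme_dbbuf_update_and_check_event(), a non-NULL
 * shadow pointer is trusted and written through. Returns true if it wrote. */
static bool model_write_sq_db(struct model_dev *dev, unsigned int qid, uint32_t tail)
{
	uint32_t *db = dev->queues[qid].dbbuf_sq_db;

	if (!db)
		return false;                 /* no shadow doorbell: MMIO write only */
	if (!arena_live[db - arena])
		writes_into_freed++;          /* the use-after-free from the thread */
	*db = tail;
	return true;
}

/* Runs steps 1-3 and then the first I/O on queue 1; returns how many doorbell
 * writes hit freed DMA memory (1 without the fix, 0 with it). */
int model_scenario(bool with_fix)
{
	struct model_dev dev = { .queue_count = MAX_QUEUES };

	arena_next = 0;
	writes_into_freed = 0;
	memset(arena_live, 0, sizeof(arena_live));

	dev.dbbuf_dbs = fake_dma_alloc(DB_WORDS);   /* step 1: reset worker allocates */
	dev.dbbuf_eis = fake_dma_alloc(DB_WORDS);
	for (unsigned int q = 0; q < dev.queue_count; q++)
		model_dbbuf_init(&dev, q);
	model_dbbuf_dma_free(&dev, with_fix);       /* step 3: nvme_admin_dbbuf failed */
	model_write_sq_db(&dev, 1, 7);              /* first I/O after the failure */
	return writes_into_freed;
}
```

The model only shows the ordering bug in a single thread; it says nothing about the concurrent case where the I/O path has already loaded the old pointer when the free runs, which clearing the pointers after dma_free_coherent() does not cover.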