Subject: Re: [PATCH] nvme-rdma: handle nvme completion data length
To: zhenwei pi
From: Chao Leng
Message-ID: <04a97f73-ba13-a4b5-3ea4-fc438391507e@huawei.com>
Date: Thu, 22 Oct 2020 17:55:01 +0800
In-Reply-To: <20201022083850.1334880-1-pizhenwei@bytedance.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2020/10/22 16:38, zhenwei pi wrote:
> Hit a kernel warning:
> refcount_t: underflow; use-after-free.
> WARNING: CPU: 0 PID: 0 at lib/refcount.c:28
>
> RIP: 0010:refcount_warn_saturate+0xd9/0xe0
> Call Trace:
>
> nvme_rdma_recv_done+0xf3/0x280 [nvme_rdma]
> __ib_process_cq+0x76/0x150 [ib_core]
> ...
>
> The reason is that a zero bytes message is received from target, and the
> host side continues to process without length checking, then the
> previous CQE is processed twice.
>
> Handle data length, ignore zero bytes message, and try to recover for
> corrupted CQE case.
>
> Signed-off-by: zhenwei pi
> ---
> drivers/nvme/host/rdma.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c > index 9e378d0a0c01..9f5112040d43 100644 > --- a/drivers/nvme/host/rdma.c > +++ b/drivers/nvme/host/rdma.c
> @@ -1767,6 +1767,17 @@ static void nvme_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc) > return; > } > > + if (unlikely(!wc->byte_len)) { > + /* zero bytes message could be ignored */ > + return; > + } else if (unlikely(wc->byte_len < len)) { > + /* Corrupted completion, try to recovry */ > + dev_err(queue->ctrl->ctrl.device, > + "Unexpected nvme completion length(%d)\n", wc->byte_len); > + nvme_rdma_error_recovery(queue->ctrl); > + return; > + } !wc->byte_len and wc->byte_len < len may be the same type of anomaly. Why do different error handling? In which scenario zero bytes message received from target? fault inject test or normal test/run? > + > ib_dma_sync_single_for_cpu(ibdev, qe->dma, len, DMA_FROM_DEVICE); > /* > * AEN requests are special as they don't time out and can >
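Review bot: the `!wc->byte_len` branch returns silently, while the `wc->byte_len < len` branch directly below it logs and calls nvme_rdma_error_recovery(), yet a zero-length completion is only the smallest case of a short one, and the commit message names it as the trigger of the refcount underflow. Unless there is a stated reason a target may legitimately send zero bytes, fold both cases into the single `wc->byte_len < len` check so the anomaly is logged and the controller is recovered. If the silent path stays, the comment should say why ignoring the message is safe, and the early return should be checked against whatever later part of nvme_rdma_recv_done() hands the receive buffer back to the queue, which these lines do not show. Smaller points: the comment has a typo ("recovry"), and the dev_err() message would be more useful if it printed the expected `len` alongside `wc->byte_len`.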