Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4543017pxj; Wed, 12 May 2021 07:52:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwQeHHQYk45JpOirRxMQu2644sQRyisH65JX3lcLIAsymiv6zcNyc9oxWCXhCg0385LIAUp X-Received: by 2002:aa7:cb84:: with SMTP id r4mr43788969edt.187.1620831164209; Wed, 12 May 2021 07:52:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620831164; cv=none; d=google.com; s=arc-20160816; b=IqL6mSB8EeQaWOBryaQuHQ7pxoAaX1urLDJtWrxo+HdHj4ck3ZC1BSoIFQYRzY1Du6 dJjxuzDh7YJP1vKMTKFc7kD6h3t6bqZhm/gfaHUnklVxCeTTRG3OuE3f74Rmy0SiAdaU HEEruodOsQW7a0w+1ZKKZS/oMLmVrtl7B14rTHiymyNy0yvdm8v6BeobqtbSt2b2FvvN qXTrdB+04OUUWbAawjsC4fgrnRReY4Uz1EzVM4YaF7Sfa6HKS0ObCllEUfghxMzd4va5 0Cas+06AUd8oqmi/Krcv0CrBxoxnaFxjF/mu7k+OkvhdMf5+CnqRoIfK/aAC5oW7mQ6o IIvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=0XgVWqah7w6AlVmtfLt2ZhhoobwbaAAi86lMKqyBgrs=; b=BlPBbotQO/k+3aJdRBS3TtBF0BfzEAquYo7YGYVGRZa59krh+HG0xvmj4JGTZu9McX 1MTPJEZeIhcHR7g2wyqTuxzk7aw6E3fdNTLTIfUZ92s0HF/9QbLEj+TuA7yKqUskGOdk c+j5hPSApkrqZ5Tjgp0sW5PxP00xGdS32CEk7sjePERt7csQF2SHWd+4+Uy7Afu8zG8W zS9cLMIUtAw7yYaXfRfCd4we/cMzmgB1tIj0jJT6s1bb7QBGJ6QN2rArWsGGkZX3EGhb JgZdDlILLXHW2d8ybKAC6MN5yW2H6dbsC+ZB1yLLSBzcwKs7s3DYVYl1kF5LtSwg+1gv 6bsA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cs15si184629ejc.258.2021.05.12.07.52.19; Wed, 12 May 2021 07:52:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231504AbhELOv6 (ORCPT + 99 others); Wed, 12 May 2021 10:51:58 -0400 Received: from mx2.suse.de ([195.135.220.15]:47096 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231622AbhELOvS (ORCPT ); Wed, 12 May 2021 10:51:18 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 7D923B17B; Wed, 12 May 2021 14:50:07 +0000 (UTC) From: Daniel Wagner To: linux-nvme@lists.infradead.org Cc: linux-kernel@vger.kernel.org, Christoph Hellwig , Sagi Grimberg , Chaitanya Kulkarni , Daniel Wagner , Enzo Matsumiya Subject: [PATCH v3] nvmet: Reset ns->file when open fails Date: Wed, 12 May 2021 16:50:05 +0200 Message-Id: <20210512145005.103653-1-dwagner@suse.de> X-Mailer: git-send-email 2.29.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Reset the ns->file value to NULL also in the error case in nvmet_file_ns_enable(). The ns->file variable points either to file object or contains the error code after the filp_open() call. This can lead to following problem: When the user first setups an invalid file backend and tries to enable the ns, it will fail. Then the user switches over to a bdev backend and enables successfully the ns. The first received I/O will crash the system because the IO backend is chosen based on the ns->file value: static u16 nvmet_parse_io_cmd(struct nvmet_req *req) { [...] if (req->ns->file) return nvmet_file_parse_io_cmd(req); return nvmet_bdev_parse_io_cmd(req); } Reported-by: Enzo Matsumiya Signed-off-by: Daniel Wagner --- changes v3: - removed the hunk from version 1 which I copied over adding the changes notes... changes v2: - fix types mixup Reported-by: kernel test robot 8b 76 28 0f 84 c6 00 00 00 4c 8b 6e 20 31 f6 49 89 c8 48 89 d1 RSP: 0018:ffffa111c0353c98 EFLAGS: 00010202 RAX: ffff8bf7069d7f30 RBX: ffff8bf706a00008 RCX: 0000000000001000 RDX: 0000000000000001 RSI: ffffffffffffffea RDI: ffff8bf706a00008 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000100 R12: ffff8bf706a000c0 R13: 0000000000000000 R14: 0000000000000000 R15: ffff8bf706a00008 FS: 0000000000000000(0000) GS:ffff8bf73fc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000012 CR3: 000000012a394001 CR4: 00000000003606e0 Call Trace: nvmet_file_execute_io+0x1ae/0x270 [nvmet] nvmet_tcp_try_recv_pdu+0x364/0x710 [nvmet_tcp] ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 nvmet_tcp_io_work+0x6d/0xa90 [nvmet_tcp] process_one_work+0x1f4/0x3e0 worker_thread+0x2d/0x3e0 ? process_one_work+0x3e0/0x3e0 kthread+0x10d/0x130 ? kthread_park+0xa0/0xa0 ret_from_fork+0x35/0x40 Modules linked in: nvme_fabrics nvmet_tcp nvmet configfs af_packet ip_set nfnetlink iscsi_ibft iscsi_boot_sysfs rfkill x_tables bpfilter vmw_vsock_vmci_transport vsock fuse nls_iso8859_1 nls_cp437 vfat fat intel_rapl_msr intel_rapl_common sb_edac crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd cryptd nvme glue_helper nvme_core joydev pcspkr vmw_balloon vmxnet3 button ac i2c_piix4 vmw_vmci btrfs libcrc32c xor hid_generic raid6_pq usbhid sr_mod cdrom sd_mod ata_generic vmwgfx drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ata_piix ehci_pci drm crc32c_intel uhci_hcd serio_raw ahci libahci ehci_hcd vmw_pvscsi usbcore libata sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod efivarfs [last unloaded: ip_tables] Supported: Yes, External CR2: 0000000000000012 Enzo was not able reproduce it reliable so we can't really say if the patch fixes the crash he saw. But I figured ns->file should be set back to NULL. drivers/nvme/target/io-cmd-file.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/nvme/target/io-cmd-file.c b/drivers/nvme/target/io-cmd-file.c index 715d4376c997..7fdbdc496597 100644 --- a/drivers/nvme/target/io-cmd-file.c +++ b/drivers/nvme/target/io-cmd-file.c @@ -49,9 +49,11 @@ int nvmet_file_ns_enable(struct nvmet_ns *ns) ns->file = filp_open(ns->device_path, flags, 0); if (IS_ERR(ns->file)) { - pr_err("failed to open file %s: (%ld)\n", - ns->device_path, PTR_ERR(ns->file)); - return PTR_ERR(ns->file); + ret = PTR_ERR(ns->file); + pr_err("failed to open file %s: (%d)\n", + ns->device_path, ret); + ns->file = NULL; + return ret; } ret = nvmet_file_ns_revalidate(ns); -- 2.29.2