From: Jonathan Derrick
To:
Cc: , Keith Busch, Klaus Jensen, Jonathan Derrick, Francis Pravin AntonyX Michael Raj, Michael Kropaczek, Jonathan Derrick
Subject: [PATCH] hw/nvme: Fix deallocate when metadata is present
Date: Fri, 3 Jun 2022 13:14:40 -0600
Message-Id: <20220603191440.3625-1-jonathan.derrick@linux.dev>

When metadata is present in the namespace and deallocates are issued, the first deallocate could fail to zero the block range, resulting in another deallocation being issued. Normally, after the deallocation completes and the range is checked for zeroes, a deallocation is then issued for the metadata space.
In the failure case where the range is not zeroed, deallocation is reissued for the block range (and followed with metadata deallocation), but the original range deallocation task will also issue a metadata deallocation:

nvme_dsm_cb()
  *range deallocation*
  nvme_dsm_md_cb()
    if (nvme_block_status_all()) (range deallocation failure)
      nvme_dsm_cb()
        *range deallocation*
        nvme_dsm_md_cb()
          if (nvme_block_status_all()) (no failure)
            *metadata deallocation*
    *metadata deallocation*

This sequence results in reentry of nvme_dsm_cb() before the metadata has been deallocated. During reentry, the metadata is deallocated in the reentrant task. nvme_dsm_bh() is called, which deletes and sets iocb->bh to NULL. When reentry returns from nvme_dsm_cb(), metadata deallocation takes place again, and results in a null pointer dereference on the iocb->bh:

BH deletion:
#0  nvme_dsm_bh (opaque=0x55ef893e2f10) at ../hw/nvme/ctrl.c:2316
#1  0x000055ef868eb333 in aio_bh_call (bh=0x55ef8a441b30) at ../util/async.c:141
#2  0x000055ef868eb441 in aio_bh_poll (ctx=0x55ef892c6e40) at ../util/async.c:169
#3  0x000055ef868d2789 in aio_dispatch (ctx=0x55ef892c6e40) at ../util/aio-posix.c:415
#4  0x000055ef868eb896 in aio_ctx_dispatch (source=0x55ef892c6e40, callback=0x0, user_data=0x0) at ../util/async.c:311
#5  0x00007f5bfe4ab17d in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x000055ef868fcd98 in glib_pollfds_poll () at ../util/main-loop.c:232
#7  0x000055ef868fce16 in os_host_main_loop_wait (timeout=0) at ../util/main-loop.c:255
#8  0x000055ef868fcf27 in main_loop_wait (nonblocking=0) at ../util/main-loop.c:531
#9  0x000055ef864a2442 in qemu_main_loop () at ../softmmu/runstate.c:726
#10 0x000055ef860f957a in main (argc=29, argv=0x7ffdc9705508, envp=0x7ffdc97055f8) at ../softmmu/main.c:50

nvme_dsm_cb() called for metadata after nvme_dsm_bh() completes from reentrant task:

Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x000055ef868eb07c in aio_bh_enqueue (bh=0x0, new_flags=2) at ../util/async.c:70
70          AioContext *ctx = bh->ctx;
(gdb) backtrace
#0  0x000055ef868eb07c in aio_bh_enqueue (bh=0x0, new_flags=2) at ../util/async.c:70
#1  0x000055ef868eb4cf in qemu_bh_schedule (bh=0x0) at ../util/async.c:186
#2  0x000055ef862db21e in nvme_dsm_cb (opaque=0x55ef897b41a0, ret=0) at ../hw/nvme/ctrl.c:2423
#3  0x000055ef8665a662 in blk_aio_complete (acb=0x55ef89c6d8c0) at ../block/block-backend.c:1419
#4  0x000055ef8665a940 in blk_aio_write_entry (opaque=0x55ef89c6d8c0) at ../block/block-backend.c:1486
#5  0x000055ef868edcf2 in coroutine_trampoline (i0=-536848976, i1=32602) at ../util/coroutine-ucontext.c:173
#6  0x00007f5bfe0bc510 in __start_context () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91
#7  0x00007f5bf757bb40 in ()
#8  0x0000000000000000 in ()

The fix is to return when an nvme_dsm_cb() is reentered due to failure to deallocate the block range, so that the metadata deallocate is then only issued in the reentrant task, preventing it from being done again when the reentrant task returns to the original task.

Reproduction steps (with emulated namespace):
nvme format --lbaf=1 -f /dev/nvme0n1
mkfs.ext4 /dev/nvme0n1
mkfs.ext4 -F /dev/nvme0n1

Signed-off-by: Francis Pravin AntonyX Michael Raj
Signed-off-by: Michael Kropaczek
Signed-off-by: Jonathan Derrick
Reviewed-by: Keith Busch
---
 hw/nvme/ctrl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index 03760ddeae..74540a03d5 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -2372,6 +2372,7 @@ static void nvme_dsm_md_cb(void *opaque, int ret) } =20 nvme_dsm_cb(iocb, 0); + return; } =20 iocb->aiocb =3D blk_aio_pwrite_zeroes(ns->blkconf.blk, nvme_moff(ns, s= lba),
-- 
2.25.1
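Review bot: the bare `return;` added after `nvme_dsm_cb(iocb, 0);` in `nvme_dsm_md_cb()` should carry a one-line comment, because the fall-through into the `iocb->aiocb = blk_aio_pwrite_zeroes(...)` context line right below it is exactly the second metadata deallocate and the NULL `iocb->bh` dereference the commit message describes, and nothing in the function itself tells a later reader why the range-not-all-zero branch must stop here. Something like `/* the reentered nvme_dsm_cb() now owns this request */` above the return would do; it would also make explicit that, for a range whose blocks did not all read back as zero, the metadata deallocate is intentionally skipped rather than reissued.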
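As an added illustration (not part of the patch or of QEMU), the C model below replays the callback sequence from the commit message with synchronous completions and two constructed ranges, the first of which fails the all-zero check; `struct dsm_iocb`, `dsm_cb()`, `dsm_md_cb()` and `run_dsm()` are stand-ins introduced here, not QEMU functions. Without the added return the metadata deallocate is issued twice and bottom-half scheduling is reached after the bh has been deleted; with it, the deallocate happens once and the bh is scheduled only while it is live.

```c
/* Added model (not QEMU code) of the nvme_dsm_cb()/nvme_dsm_md_cb() reentry.
 * Assumptions: AIO completions run synchronously, there are two constructed
 * ranges, and the first range's zeroing fails the all-zero check. */
#include <stdbool.h>

struct dsm_iocb {
    int nr, idx;       /* number of ranges, next range to process */
    bool bh_live;      /* iocb->bh != NULL; nvme_dsm_bh() deletes the bh */
    int md_deallocs;   /* metadata deallocations issued */
    bool null_bh;      /* qemu_bh_schedule() reached with bh == NULL */
    bool with_fix;     /* apply the patch's early return */
};

static void dsm_cb(struct dsm_iocb *iocb);

/* Stands in for nvme_dsm_md_cb(): completion of the range deallocate. */
static void dsm_md_cb(struct dsm_iocb *iocb)
{
    if (iocb->idx - 1 == 0) {  /* constructed: first range not all zero */
        dsm_cb(iocb);          /* reenter: the range path continues here */
        if (iocb->with_fix) {
            return;            /* the patch: reentrant task owns the rest */
        }
    }
    iocb->md_deallocs++;       /* blk_aio_pwrite_zeroes() on metadata... */
    dsm_cb(iocb);              /* ...whose completion is nvme_dsm_cb() */
}

/* Stands in for nvme_dsm_cb(): next range, or finish via the bottom half. */
static void dsm_cb(struct dsm_iocb *iocb)
{
    if (iocb->idx < iocb->nr) {
        iocb->idx++;           /* blk_aio_pdiscard() on the range... */
        dsm_md_cb(iocb);       /* ...whose completion is nvme_dsm_md_cb() */
    } else if (!iocb->bh_live) {
        iocb->null_bh = true;  /* qemu_bh_schedule(NULL): the SIGSEGV above */
    } else {
        iocb->bh_live = false; /* bottom half runs; nvme_dsm_bh() deletes it */
    }
}

/* Runs one two-range DSM; returns metadata deallocs, reports a NULL bh. */
static int run_dsm(bool with_fix, bool *null_bh)
{
    struct dsm_iocb iocb = { .nr = 2, .bh_live = true, .with_fix = with_fix };

    dsm_cb(&iocb);
    *null_bh = iocb.null_bh;
    return iocb.md_deallocs;
}
```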