On Mar 04, 2024 / 17:13, Daniel Wagner wrote:
> This is the test case for
>
> https://lore.kernel.org/linux-nvme/20240304161006.19328-1-dwagner@xxxxxxx/
>
>
> Daniel Wagner (2):
>   nvme/rc: add reconnect-delay argument only for fabrics transports
>   nvme/048: add reconnect after ctrl key change

I applied the kernel patches in the link above to v6.8-rc7, then ran nvme/045
with the blktests patches in the series. And I observed failure of the test
case with various transports [1]. Is this failure expected?

Also, I observed KASAN double-free [2]. Do you observe it in your environment?
I created a quick fix [3], and it looks like it resolves the double-free.

[1]

sudo ./check nvme/045
nvme/045 (Test re-authentication) [failed]
runtime 8.069s ... 7.639s
--- tests/nvme/045.out 2024-03-05 18:09:07.267668493 +0900 +++ /home/shin/Blktests/blktests/results/nodev/nvme/045.out.bad 2024-03-05 18:10:07.735494384 +0900
@@ -9,5 +9,6 @@ Change hash to hmac(sha512) Re-authenticate with changed hash Renew host key on the controller and force reconnect -disconnected 0 controller(s) +controller "nvme1" not deleted within 5 seconds +disconnected 1 controller(s) Test complete

[2]

[ 938.253184] ==================================================================
[ 938.254995] BUG: KASAN: double-free in nuse_show+0x307/0x3c0 [nvme_core]
[ 938.256400] Free of addr ffff88812d318000 by task nvme/1564
[ 938.258777] CPU: 2 PID: 1564 Comm: nvme Not tainted 6.8.0-rc7+ #155
[ 938.260188] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
[ 938.261695] Call Trace:
[ 938.262780] <TASK>
[ 938.263950] dump_stack_lvl+0x57/0x90
[ 938.265157] print_report+0xcf/0x670
[ 938.266372] ? __virt_addr_valid+0x211/0x400
[ 938.267554] ? nuse_show+0x307/0x3c0 [nvme_core]
[ 938.268790] kasan_report_invalid_free+0x72/0xa0
[ 938.270025] ? nuse_show+0x307/0x3c0 [nvme_core]
[ 938.271242] ? nuse_show+0x307/0x3c0 [nvme_core]
[ 938.272447] poison_slab_object+0x141/0x170
[ 938.273574] ? nuse_show+0x307/0x3c0 [nvme_core]
[ 938.274826] __kasan_slab_free+0x2e/0x50
[ 938.276029] kfree+0x116/0x350
[ 938.277133] nuse_show+0x307/0x3c0 [nvme_core]
[ 938.278326] ? __pfx_lock_acquire+0x10/0x10
[ 938.279433] ? __pfx_nuse_show+0x10/0x10 [nvme_core]
[ 938.280669] dev_attr_show+0x42/0xc0
[ 938.281668] ? sysfs_file_ops+0x11b/0x170
[ 938.282733] sysfs_kf_seq_show+0x1f0/0x3b0
[ 938.283818] seq_read_iter+0x40c/0x11c0
[ 938.284888] ? rw_verify_area+0x179/0x470
[ 938.286016] vfs_read+0x606/0xc70
[ 938.287106] ? __pfx_vfs_read+0x10/0x10
[ 938.288153] ? kasan_quarantine_put+0xd6/0x1e0
[ 938.289234] ? lockdep_hardirqs_on+0x7d/0x100
[ 938.290313] ? __fget_light+0x53/0x1e0
[ 938.291267] ksys_read+0xf7/0x1d0
[ 938.292233] ? __pfx_ksys_read+0x10/0x10
[ 938.293301] ? kasan_quarantine_put+0xd6/0x1e0
[ 938.294300] do_syscall_64+0x9a/0x190
[ 938.295253] ? __x64_sys_openat+0x11f/0x1d0
[ 938.296292] ? lockdep_hardirqs_on+0x7d/0x100
[ 938.297277] ? __pfx___x64_sys_openat+0x10/0x10
[ 938.298328] ? ksys_read+0xf7/0x1d0
[ 938.299245] ? lockdep_hardirqs_on_prepare+0x17b/0x410
[ 938.300301] ? do_syscall_64+0xa7/0x190
[ 938.301191] ? lockdep_hardirqs_on+0x7d/0x100
[ 938.302148] ? do_syscall_64+0xa7/0x190
[ 938.303107] ? do_syscall_64+0xa7/0x190
[ 938.304009] ? do_syscall_64+0xa7/0x190
[ 938.304936] ? lockdep_hardirqs_on_prepare+0x17b/0x410
[ 938.306017] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 938.307103] RIP: 0033:0x7f57658da121
[ 938.308065] Code: 00 48 8b 15 11 fd 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 40 ce 01 00 f3 0f 1e fa 80 3d 45 82 0d 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
[ 938.310749] RSP: 002b:00007ffe0fd8ef98 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 938.312023] RAX: ffffffffffffffda RBX: 00007ffe0fd908a8 RCX: 00007f57658da121
[ 938.313215] RDX: 0000000000000fff RSI: 00007ffe0fd8efb0 RDI: 0000000000000003
[ 938.314464] RBP: 00007ffe0fd90820 R08: 0000000000000073 R09: 0000000000000001
[ 938.315668] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[ 938.316871] R13: 0000000000000000 R14: 00007f5765a4b000 R15: 000000000053bdc0
[ 938.318077] </TASK>
[ 938.319688] Allocated by task 1564:
[ 938.320623] kasan_save_stack+0x2f/0x50
[ 938.321579] kasan_save_track+0x10/0x30
[ 938.322532] __kasan_kmalloc+0xa6/0xb0
[ 938.323477] nvme_identify_ns+0xae/0x230 [nvme_core]
[ 938.324529] nuse_show+0x27a/0x3c0 [nvme_core]
[ 938.325546] dev_attr_show+0x42/0xc0
[ 938.326485] sysfs_kf_seq_show+0x1f0/0x3b0
[ 938.327429] seq_read_iter+0x40c/0x11c0
[ 938.328483] vfs_read+0x606/0xc70
[ 938.329401] ksys_read+0xf7/0x1d0
[ 938.330441] do_syscall_64+0x9a/0x190
[ 938.331348] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 938.333140] Freed by task 1564:
[ 938.334143] kasan_save_stack+0x2f/0x50
[ 938.335067] kasan_save_track+0x10/0x30
[ 938.336078] kasan_save_free_info+0x37/0x60
[ 938.337101] poison_slab_object+0x102/0x170
[ 938.338124] __kasan_slab_free+0x2e/0x50
[ 938.339082] kfree+0x116/0x350
[ 938.339965] nvme_identify_ns+0x1c5/0x230 [nvme_core]
[ 938.341006] nuse_show+0x27a/0x3c0 [nvme_core]
[ 938.342003] dev_attr_show+0x42/0xc0
[ 938.342931] sysfs_kf_seq_show+0x1f0/0x3b0
[ 938.343882] seq_read_iter+0x40c/0x11c0
[ 938.344804] vfs_read+0x606/0xc70
[ 938.345708] ksys_read+0xf7/0x1d0
[ 938.346611] do_syscall_64+0x9a/0x190
[ 938.347538] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 938.349308] The buggy address belongs to the object at ffff88812d318000 which belongs to the cache kmalloc-4k of size 4096
[ 938.350299] nvmet: creating nvm controller 1 for subsystem blktests-subsystem-1 for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349 with DH-HMAC-CHAP.
[ 938.350311] The buggy address is located 0 bytes inside of 4096-byte region [ffff88812d318000, ffff88812d319000)
[ 938.350314] The buggy address belongs to the physical page:
[ 938.358511] page:00000000389f3330 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d318
[ 938.360009] head:00000000389f3330 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 938.361388] flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 938.362644] page_type: 0xffffffff()
[ 938.363627] raw: 0017ffffc0000840 ffff888100043040 dead000000000122 0000000000000000
[ 938.364958] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 938.366278] page dumped because: kasan: bad access detected
[ 938.368303] Memory state around the buggy address:
[ 938.369384] ffff88812d317f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 938.370661] ffff88812d317f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 938.371983] >ffff88812d318000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 938.373295] ^
[ 938.374311] ffff88812d318080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 938.375618] ffff88812d318100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 938.376954] ==================================================================
[ 938.378356] Disabling lock debugging due to kernel taint

[3]

diff --git a/drivers/nvme/host/sysfs.c b/drivers/nvme/host/sysfs.c index f2832f70e7e0..4e161d3cd840 100644 --- a/drivers/nvme/host/sysfs.c +++ b/drivers/nvme/host/sysfs.c @@ -221,14 +221,10 @@ static int ns_update_nuse(struct nvme_ns *ns) ret = nvme_identify_ns(ns->ctrl, ns->head->ns_id, &id); if (ret) - goto out_free_id; + return ret; ns->head->nuse = le64_to_cpu(id->nuse); - -out_free_id: - kfree(id); - - return ret; + return 0; } static ssize_t nuse_show(struct device *dev, struct device_attribute *attr,
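
Review bot: In ns_update_nuse(), the success path now leaks id. The hunk drops `kfree(id);` for both paths, but after `ns->head->nuse = le64_to_cpu(id->nuse);` the buffer is still allocated (the KASAN report in [2] shows it coming from kmalloc-4k via nvme_identify_ns), and nothing visible in the function frees it before `return 0;`, so each successful read of the nuse attribute would leave a 4096-byte allocation behind. The "Freed by" trace in [2] points at nvme_identify_ns itself, so the double free is confined to the failure path, and the `return ret;` change already covers it. Suggest keeping `kfree(id);` after the nuse assignment and before `return 0;`, and changing only the error branch.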