Bug #11969

Attempting to attach an invalid nvme namespace will cause a panic

Added by Paul Winder 5 months ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
Category:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:

Description

If you try and attach an invalid namespace using nvmeadm attach the system will panic at:

#pf Page fault
Bad kernel fault at addr=0x48
pid=5570, pc=0xfffffffff7dab749, sp=0xffffc100fa795a10, eflags=0x10246
cr0: 80050033<pg,wp,ne,et,mp,pe>  cr4: 3606f8<smap,smep,osxsav,pcide,xmme,fxsr,pge,mce,pae,pse,de>
cr2: 48  
cr3: 206f256000  
cr8: 0

        rdi: ffffc100fa795a50 rsi: ffffc100fa795a50 rdx: ffffc1371bc76420
        rcx:                f  r8: ffffc131980b5678  r9:                0
        rax:                0 rbx:                0 rbp: ffffc100fa795b10
        r10: baddcafebaddcafe r11: ffffc131d6ba2b0f r12:               f0
        r13: ffffc131b4d0ad48 r14: ffffc13228d72000 r15: ffffc13648a5bc80
        fsb:                0 gsb: ffffc131d3689000  ds:               4b
         es:               4b  fs:                0  gs:              1c3
        trp:                e err:                0 rip: fffffffff7dab749
         cs:               30 rfl:            10246 rsp: ffffc100fa795a10
         ss:               38

ffffc100fa795820 unix:die+c6 ()
ffffc100fa795910 unix:trap+1191 ()
ffffc100fa795920 unix:cmntrap+e6 ()
ffffc100fa795b10 blkdev:bd_attach_handle+49 ()
ffffc100fa795b80 nvme:nvme_ioctl_attach+d6 ()
ffffc100fa795c90 nvme:nvme_ioctl+24f ()
ffffc100fa795cd0 genunix:cdev_ioctl+25 ()
ffffc100fa795d20 specfs:spec_ioctl+45 ()
ffffc100fa795db0 genunix:fop_ioctl+55 ()
ffffc100fa795ec0 genunix:ioctl+143 ()
ffffc100fa795f10 unix:brand_sys_sysenter+1c6 ()

Cause of panic is this bit of code in nvme_ioctl_attach():


        rv = bd_attach_handle(nvme->n_dip, nvme->n_ns[nsid - 1].ns_bd_hdl);
        if (rv != DDI_SUCCESS)
                rv = EBUSY;

The ns_bd_hdl is NULL when the namespace is invalid.

History

#1

Updated by Andy Fiddaman 5 months ago

See https://github.com/omniosorg/illumos-omnios/commit/603e99fcb21437588723eea7604f225924cdfe1c

We first found this problem in OmniOS and Hans provided this patch. He also fixed it in SmartOS but it has not yet been upstreamed.

#2

Updated by Jason King 5 months ago

Specifically https://smartos.org/bugview/OS-7882

commit b0dbab4410d7472fc05021b3e954c506b64b4190
Author: Hans Rosenfeld <hans.rosenfeld@joyent.com>
Date:   Mon Sep 9 18:04:22 2019 +0000

    OS-7882 nvmeadm attach/detach of ignored namespace causes panic
    Reviewed by: Robert Mustacchi <rm+illumos@fingolfin.org>
    Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
    Approved by: Jerry Jelinek <jerry.jelinek@joyent.com>

diff --git a/usr/src/uts/common/io/nvme/nvme.c b/usr/src/uts/common/io/nvme/nvme.c
index b452950e8f..03fb31ae03 100644
--- a/usr/src/uts/common/io/nvme/nvme.c
+++ b/usr/src/uts/common/io/nvme/nvme.c
@@ -4446,6 +4446,9 @@ nvme_ioctl_detach(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
        if (nsid == 0)
                return (EINVAL);

+       if (nvme->n_ns[nsid - 1].ns_ignore)
+               return (0);
+
        rv = bd_detach_handle(nvme->n_ns[nsid - 1].ns_bd_hdl);
        if (rv != DDI_SUCCESS)
                rv = EBUSY;
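Review bot: in nvme_ioctl_detach(), the call to bd_detach_handle(nvme->n_ns[nsid - 1].ns_bd_hdl) after the new ns_ignore check still runs without a NULL check on ns_bd_hdl. The attach hunk in this same patch treats a NULL ns_bd_hdl on a namespace that is not ignored as a state that can occur, so a detach on such a namespace could hand NULL to bd_detach_handle(). Consider returning early when ns_bd_hdl == NULL. Separately, detach returns 0 for an ignored namespace while attach returns ENOTSUP; if that asymmetry is intended, a one-line comment saying why would help the next reader.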
@@ -4476,6 +4479,14 @@ nvme_ioctl_attach(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,

        kmem_free(idns, sizeof (nvme_identify_nsid_t));

+       if (nvme->n_ns[nsid - 1].ns_ignore)
+               return (ENOTSUP);
+
+       if (nvme->n_ns[nsid - 1].ns_bd_hdl == NULL)
+               nvme->n_ns[nsid - 1].ns_bd_hdl = bd_alloc_handle(
+                   &nvme->n_ns[nsid - 1], &nvme_bd_ops, &nvme->n_prp_dma_attr,
+                   KM_SLEEP);
+
        rv = bd_attach_handle(nvme->n_dip, nvme->n_ns[nsid - 1].ns_bd_hdl);
        if (rv != DDI_SUCCESS)
                rv = EBUSY;
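Review bot: in nvme_ioctl_attach(), the result of the new bd_alloc_handle() call is stored in ns_bd_hdl and passed straight to bd_attach_handle() without a check, which is the same call that faulted on a NULL handle in this bug. A test for NULL after the allocation, returning an error, would keep this path safe if the allocation ever returns NULL. Nothing in the visible context shows a lock held across the `ns_bd_hdl == NULL` test and the assignment, so it is worth confirming that two concurrent attach ioctls for the same nsid cannot both allocate a handle. A short comment stating when ns_bd_hdl can be NULL for a namespace that is not ignored would also document why the allocation happens here.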
