Re: blktests failures with v6.17-rc1 kernel

To: Daniel Wagner <dwagner@suse.de>
Cc: "linux-block@vger.kernel.org" <linux-block@vger.kernel.org>, "linux-nvme@lists.infradead.org" <linux-nvme@lists.infradead.org>, "linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>, "nbd@other.debian.org" <nbd@other.debian.org>, "linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>
Subject: Re: blktests failures with v6.17-rc1 kernel
From: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Date: Tue, 2 Sep 2025 06:00:17 +0000
Message-id: <[🔎] ldr3xa4muogowu2xeh3uq3xcifljfftssydgnhjdarfre4kg4p@midqloza2ayz>
In-reply-to: <[🔎] 7a773833-a193-4243-80f4-fc52243883a9@flourine.local>
References: <suhzith2uj75uiprq4m3cglvr7qwm3d7gi4tmjeohlxl6fcmv3@zu6zym6nmvun> <ff748a3f-9f07-4933-b4b3-b4f58aacac5b@flourine.local> <rsdinhafrtlguauhesmrrzkybpnvwantwmyfq2ih5aregghax5@mhr7v3eryci3> <6ef89cb5-1745-4b98-9203-51ba6de40799@flourine.local> <u4ttvhnn7lark5w3sgrbuy2rxupcvosp4qmvj46nwzgeo5ausc@uyrkdls2muwx> <[🔎] 629ddb72-c10d-4930-9d81-61d7322ed3b0@flourine.local> <[🔎] 7a773833-a193-4243-80f4-fc52243883a9@flourine.local>

On Sep 01, 2025 / 11:02, Daniel Wagner wrote:
> On Mon, Sep 01, 2025 at 10:34:23AM +0200, Daniel Wagner wrote:
> > The test is removing the ports while the host driver is about to
> > reconnect and accesses a stale pointer.
> > 
> > nvme_fc_create_association is calling nvme_fc_ctlr_inactive_on_rport in
> > the error path. The problem is that nvme_fc_create_association gets half
> > through the setup and then fails. In the cleanup path
> > 
> > 	dev_warn(ctrl->ctrl.device,
> > 		"NVME-FC{%d}: create_assoc failed, assoc_id %llx ret %d\n",
> > 		ctrl->cnum, ctrl->association_id, ret);
> > 
> > is issued and then nvme_fc_ctlr_inactive_on_rport is called. And there
> > is the log message above, so it's clear the error path is taken.
> > 
> > But the thing is fcloop is not supposed to remove the ports when the
> > host driver is still using it. So there is a race window where it's
> > possible to enter nvme_fc_create_assocation and fcloop removing the
> > ports.
> > 
> > So between nvme_fc_create_assocation and nvme_fc_ctlr_active_on_rport.
> 
> I think the problem is that nvme_fc_create_association is not holding
> the rport locks when checking the port_state and marking the rport
> active. This races with nvme_fc_unregister_remoteport.
> 
> diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
> index 3e12d4683ac7..03987f497a5b 100644
> --- a/drivers/nvme/host/fc.c
> +++ b/drivers/nvme/host/fc.c
> @@ -3032,11 +3032,17 @@ nvme_fc_create_association(struct nvme_fc_ctrl *ctrl)
> 
>  	++ctrl->ctrl.nr_reconnects;
> 
> -	if (ctrl->rport->remoteport.port_state != FC_OBJSTATE_ONLINE)
> +	spin_lock_irqsave(&ctrl->rport->lock, flags);
> +	if (ctrl->rport->remoteport.port_state != FC_OBJSTATE_ONLINE) {
> +		spin_unlock_irqrestore(&ctrl->rport->lock, flags);
>  		return -ENODEV;
> +	}
> 
> -	if (nvme_fc_ctlr_active_on_rport(ctrl))
> +	if (nvme_fc_ctlr_active_on_rport(ctrl)) {
> +		spin_unlock_irqrestore(&ctrl->rport->lock, flags);
>  		return -ENOTUNIQ;
> +	}
> +	spin_unlock_irqrestore(&ctrl->rport->lock, flags);
> 
>  	dev_info(ctrl->ctrl.device,
>  		"NVME-FC{%d}: create association : host wwpn 0x%016llx "
> 
> I'll to reproduce it and see if this patch does make a difference.

I applied the fix patch above together with the previous fix patch on top of
v6.17-rc3, then I repeated nvme/061 with fc transport hundreds of times. I
did not observed the KASAN suaf. The fix patch looks working good. Thanks!

Reply to:

Follow-Ups:
- Re: blktests failures with v6.17-rc1 kernel
  - From: Daniel Wagner <dwagner@suse.de>

References:
- Re: blktests failures with v6.17-rc1 kernel
  - From: Daniel Wagner <dwagner@suse.de>
- Re: blktests failures with v6.17-rc1 kernel
  - From: Daniel Wagner <dwagner@suse.de>

Prev by Date: Re: blktests failures with v6.17-rc1 kernel
Next by Date: Re: blktests failures with v6.17-rc1 kernel
Previous by thread: Re: blktests failures with v6.17-rc1 kernel
Next by thread: Re: blktests failures with v6.17-rc1 kernel
Index(es):
- Date
- Thread