fix sbitmap initialization and null_blk tagset setup #44
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Author
|
Upstream branch: 89be9a8 |
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
81f31a4 to
87bbbbc
Compare
Author
|
Upstream branch: 25fae0b |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
4cc8be2 to
af24d2a
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
2 times, most recently
from
6637119 to
f092a9b
Compare
Author
|
Upstream branch: 260f6f4 |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
af24d2a to
66b032c
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
f092a9b to
0b59764
Compare
Author
|
Upstream branch: d6084bb |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
66b032c to
ddf0ba1
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
0b59764 to
aee5bd3
Compare
Author
|
Upstream branch: 831462f |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
ddf0ba1 to
4ced250
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
aee5bd3 to
ef18525
Compare
Author
|
Upstream branch: c93529a |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
4ced250 to
c81ac97
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
ef18525 to
3851b3f
Compare
Author
|
Upstream branch: cbbf0a7 |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
c81ac97 to
f1d1184
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
3851b3f to
28b3384
Compare
Author
|
Upstream branch: 6a68cec |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
f1d1184 to
ff9a3a1
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
28b3384 to
8ab9be5
Compare
Author
|
Upstream branch: f2d282e |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
ff9a3a1 to
66f0e52
Compare
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
d6c1665 to
f6f9618
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
404c2ca to
b39b4d5
Compare
Author
|
Upstream branch: 8742b2d |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
f6f9618 to
5032047
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
b39b4d5 to
d7e410a
Compare
Author
|
Upstream branch: 91325f3 |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
5032047 to
28995e1
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
d7e410a to
ee33a84
Compare
Author
|
Upstream branch: 3a4a036 |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
28995e1 to
f068d0a
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
ee33a84 to
44c61ab
Compare
Author
|
Upstream branch: dfc0f63 |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
f068d0a to
8abcf37
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
44c61ab to
89d0c23
Compare
Author
|
Upstream branch: 0cc5352 |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
8abcf37 to
9c123bd
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
89d0c23 to
1cd470e
Compare
Author
|
Upstream branch: 24ea63e |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
9c123bd to
85db7d7
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
1cd470e to
38c66a9
Compare
We observed a kernel crash when the I/O scheduler allocates an sbitmap for a hardware queue (hctx) that has no associated software queues (ctx), and later attempts to free it. When no software queues are mapped to a hardware queue, the sbitmap is initialized with a depth of zero. In such cases, the sbitmap_init_node() function should set sb->alloc_hint to NULL. However, if this is not done, sb->alloc_hint may contain garbage, and calling sbitmap_free() will pass this invalid pointer to free_percpu(), resulting in a kernel crash. Example crash trace: ================================================================== Kernel attempted to read user page (28) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000028 Faulting instruction address: 0xc000000000708f88 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries [...] CPU: 5 UID: 0 PID: 5491 Comm: mk_nullb_shared Kdump: loaded Tainted: G B 6.16.0-rc5+ #294 VOLUNTARY Tainted: [B]=BAD_PAGE Hardware name: IBM,9043-MRX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_028) hv:phyp pSeries [...] NIP [c000000000708f88] free_percpu+0x144/0xba8 LR [c000000000708f84] free_percpu+0x140/0xba8 Call Trace: free_percpu+0x140/0xba8 (unreliable) kyber_exit_hctx+0x94/0x124 blk_mq_exit_sched+0xe4/0x214 elevator_exit+0xa8/0xf4 elevator_switch+0x3b8/0x5d8 elv_update_nr_hw_queues+0x14c/0x300 blk_mq_update_nr_hw_queues+0x5cc/0x670 nullb_update_nr_hw_queues+0x118/0x1f8 [null_blk] nullb_device_submit_queues_store+0xac/0x170 [null_blk] configfs_write_iter+0x1dc/0x2d0 vfs_write+0x5b0/0x77c ksys_write+0xa0/0x180 system_call_exception+0x1b0/0x4f0 system_call_vectored_common+0x15c/0x2ec If the sbitmap depth is zero, sb->alloc_hint memory is NOT allocated, but the pointer is not explicitly set to NULL. Later, during sbitmap_free(), the kernel attempts to free sb->alloc_hint, which is a per cpu pointer variable, regardless of whether it was valid, leading to a crash. This patch ensures that sb->alloc_hint is explicitly set to NULL in sbitmap_init_node() when the requested depth is zero. This prevents free_percpu() from freeing sb->alloc_hint and thus avoids the observed crash. Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
When setting up a null block device, we initialize a tagset that includes a driver_data field—typically used by block drivers to store a pointer to driver-specific data. In the case of null_blk, this should point to the struct nullb instance. However, due to recent tagset refactoring in the null_blk driver, we missed initializing driver_data when creating a shared tagset. As a result, software queues (ctx) fail to map correctly to new hardware queues (hctx). For example, increasing the number of submit queues triggers an nr_hw_queues update, which invokes null_map_queues() to remap queues. Since set->driver_data is unset, null_map_queues() fails to map any ctx to the new hctxs, leading to hctx->nr_ctx == 0, effectively making the hardware queues unusable for I/O. This patch fixes the issue by ensuring that set->driver_data is properly initialized to point to the struct nullb during tagset setup. Fixes: 72ca287 ("null_blk: refactor tag_set setup") Reviewed-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
Author
|
Upstream branch: d7ee5bd |
blktests-ci
bot
force-pushed
the
series/984084=>linus-master
branch
from
85db7d7 to
2173de6
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
38c66a9 to
593e738
Compare
Author
|
Upstream branch: b19a97d |
blktests-ci bot
pushed a commit
that referenced
this pull request
Sep 6, 2025
…() after confirm When send a broadcast packet to a tap device, which was added to a bridge, br_nf_local_in() is called to confirm the conntrack. If another conntrack with the same hash value is added to the hash table, which can be triggered by a normal packet to a non-bridge device, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200 CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary) RIP: 0010:br_nf_local_in+0x168/0x200 Call Trace: <TASK> nf_hook_slow+0x3e/0xf0 br_pass_frame_up+0x103/0x180 br_handle_frame_finish+0x2de/0x5b0 br_nf_hook_thresh+0xc0/0x120 br_nf_pre_routing_finish+0x168/0x3a0 br_nf_pre_routing+0x237/0x5e0 br_handle_frame+0x1ec/0x3c0 __netif_receive_skb_core+0x225/0x1210 __netif_receive_skb_one_core+0x37/0xa0 netif_receive_skb+0x36/0x160 tun_get_user+0xa54/0x10c0 tun_chr_write_iter+0x65/0xb0 vfs_write+0x305/0x410 ksys_write+0x60/0xd0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> ---[ end trace 0000000000000000 ]--- To solve the hash conflict, nf_ct_resolve_clash() try to merge the conntracks, and update skb->_nfct. However, br_nf_local_in() still use the old ct from local variable 'nfct' after confirm(), which leads to this warning. If confirm() does not insert the conntrack entry and return NF_DROP, the warning may also occur. There is no need to reserve the WARN_ON_ONCE, just remove it. Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/ Fixes: 62e7151 ("netfilter: bridge: confirm multicast packets before passing them up the stack") Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Wang Liang <wangliang74@huawei.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: fix sbitmap initialization and null_blk tagset setup
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=984340