| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250405054848.3773471-1-mliang@purestorage.com>
Date: Fri, 4 Apr 2025 23:48:48 -0600
From: Michael Liang <mliang@...estorage.com>
To: Keith Busch <kbusch@...nel.org>,
Jens Axboe <axboe@...nel.dk>,
Christoph Hellwig <hch@....de>,
Sagi Grimberg <sagi@...mberg.me>
Cc: Michael Liang <mliang@...estorage.com>,
Mohamed Khalfella <mkhalfella@...estorage.com>,
Randy Jennings <randyj@...estorage.com>,
linux-nvme@...ts.infradead.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] nvme-tcp: wait socket wmem to drain in queue stop
This patch addresses a data corruption issue observed in nvme-tcp during
testing.
Issue description:
In an NVMe native multipath setup, when an I/O timeout occurs, all inflight
I/Os are canceled almost immediately after the kernel socket is shut down.
These canceled I/Os are reported as host path errors, triggering a failover
that succeeds on a different path.
However, at this point, the original I/O may still be outstanding in the
host's network transmission path (e.g., the NIC’s TX queue). From the
user-space app's perspective, the buffer associated with the I/O is considered
completed since they're acked on the different path and may be reused for new
I/O requests.
Because nvme-tcp enables zero-copy by default in the transmission path,
this can lead to corrupted data being sent to the original target, ultimately
causing data corruption.
We can reproduce this data corruption by injecting delay on one path and
triggering i/o timeout.
To prevent this issue, this change ensures that all inflight transmissions are
fully completed from host's perspective before returning from queue stop.
This aligns with the behavior of queue stopping in other NVMe fabric transports.
Reviewed-by: Mohamed Khalfella <mkhalfella@...estorage.com>
Reviewed-by: Randy Jennings <randyj@...estorage.com>
Signed-off-by: Michael Liang <mliang@...estorage.com>
---
drivers/nvme/host/tcp.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 26c459f0198d..837684918aa1 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -1944,10 +1944,26 @@ static void __nvme_tcp_stop_queue(struct nvme_tcp_queue *queue)
cancel_work_sync(&queue->io_work);
}
+static void nvme_tcp_stop_queue_wait(struct nvme_tcp_queue *queue)
+{
+ int timeout = 100;
+
+ while (timeout > 0) {
+ if (!sk_wmem_alloc_get(queue->sock->sk))
+ return;
+ msleep(2);
+ timeout -= 2;
+ }
+ dev_warn(queue->ctrl->ctrl.device,
+ "qid %d: wait draining sock wmem allocation timeout\n",
+ nvme_tcp_queue_id(queue));
+}
+
static void nvme_tcp_stop_queue(struct nvme_ctrl *nctrl, int qid)
{
struct nvme_tcp_ctrl *ctrl = to_tcp_ctrl(nctrl);
struct nvme_tcp_queue *queue = &ctrl->queues[qid];
+ bool was_alive = false;
if (!test_bit(NVME_TCP_Q_ALLOCATED, &queue->flags))
return;
@@ -1956,11 +1972,14 @@ static void nvme_tcp_stop_queue(struct nvme_ctrl *nctrl, int qid)
atomic_dec(&nvme_tcp_cpu_queues[queue->io_cpu]);
mutex_lock(&queue->queue_lock);
- if (test_and_clear_bit(NVME_TCP_Q_LIVE, &queue->flags))
+ was_alive = test_and_clear_bit(NVME_TCP_Q_LIVE, &queue->flags);
+ if (was_alive)
__nvme_tcp_stop_queue(queue);
/* Stopping the queue will disable TLS */
queue->tls_enabled = false;
mutex_unlock(&queue->queue_lock);
+ if (was_alive)
+ nvme_tcp_stop_queue_wait(queue);
}
static void nvme_tcp_setup_sock_ops(struct nvme_tcp_queue *queue)
--
2.34.1
Powered by blists - more mailing lists