Public bug reported:

[Impact]
When mounting LVM snapshots using xfs, it's possible to hit a BUG_ON() in the nvme driver.

Upstream commit 729204ef49ec ("block: relax check on sg gap") introduced
a way to merge bios if they are physically contiguous. This can lead to
issues if one rq starts with a non-aligned buffer, as it can cause the
merged segment to end in an unaligned virtual boundary. In some AWS
instances, it's possible to craft such a request when attempting to
mount LVM snapshots using xfs. This will then cause a kernel spew due to
a BUG_ON in nvme_setup_prps(), which checks if dma_len is aligned to the
page size.

[Fix]
Upstream commit 5a8d75a1b8c9 ("block: fix bio_will_gap() for first bvec with offset") disallows requests that begin with an unaligned buffer from being merged.
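To make the mechanism above concrete, here is an added C model of the merge decision and of the PRP walk (it is not kernel code and not from the bug report or its patches). It assumes 4 KiB pages, a queue max_segment_size of 64 KiB, and a constructed request of 18 physically contiguous bvecs whose first bvec starts at offset 512: without the first-bvec check the merged run ends 512 bytes into a page while data still follows, which is the condition behind the BUG_ON in nvme_setup_prps(); with the check every segment stays page-bounded.

```c
#include <stdbool.h>
#include <stddef.h>

#define PAGE_SIZE 4096  /* nvme sets its virt boundary to the page size */
struct seg { unsigned offset; unsigned len; };  /* offset within first page */

/* Simplified bio_will_gap(): physically contiguous bvecs merge even when prev
 * ends at an unaligned virtual boundary (729204ef49ec); "fixed" adds the
 * first-bvec-offset refusal from 5a8d75a1b8c9. True means merge allowed. */
bool merge_allowed(unsigned first_bvec_offset, struct seg prev, struct seg next,
                   bool phys_contig, bool fixed)
{
    if (fixed && first_bvec_offset) return false;
    if (phys_contig) return true;
    return next.offset == 0 && ((prev.offset + prev.len) & (PAGE_SIZE - 1)) == 0;
}

/* Consume an sg list the way nvme_setup_prps() does: a partial first page,
 * then whole pages. A segment whose remainder is not page-sized while data
 * still follows drives dma_len negative: the BUG_ON, modelled as false. */
bool prp_walk_ok(const struct seg *sg, size_t nsegs)
{
    long length = 0, dma_len = sg[0].len; size_t i = 0;
    for (size_t k = 0; k < nsegs; k++) length += sg[k].len;
    length -= (long)(PAGE_SIZE - sg[0].offset);
    if (length <= 0) return true;
    dma_len -= (long)(PAGE_SIZE - sg[0].offset);
    if (dma_len == 0 && ++i < nsegs) dma_len = sg[i].len;
    if (length <= PAGE_SIZE) return true;  /* fits in PRP2, no PRP list */
    for (;;) {
        dma_len -= PAGE_SIZE; length -= PAGE_SIZE;
        if (length <= 0) return true;
        if (dma_len > 0) continue;
        if (dma_len < 0 || ++i >= nsegs) return false;  /* BUG_ON(dma_len < 0) */
        dma_len = sg[i].len;
    }
}

/* Constructed request: 18 physically contiguous bvecs from offset 512 (3584 +
 * 17*4096 B). Unfixed, they merge into one run that sg mapping splits at an
 * assumed 64 KiB max_segment_size, so segment 0 ends 512 B into a page. */
bool request_maps_ok(bool fixed)
{
    struct seg merged[] = { {512, 65536}, {512, 3584 + 17 * 4096 - 65536} };
    struct seg split[18] = { {512, PAGE_SIZE - 512} };
    for (int k = 1; k < 18; k++) split[k] = (struct seg){0, PAGE_SIZE};
    if (merge_allowed(512, split[0], split[1], true, fixed))
        return prp_walk_ok(merged, 2);
    return prp_walk_ok(split, 18);   /* fixed: every bvec stays page-bounded */
}
```

request_maps_ok(false) reproduces the unfixed outcome (the walk would hit the BUG_ON) and request_maps_ok(true) the fixed one.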

[Test Case]
This has been verified on AWS with c5d.large instances:

1) Prepare the LVM device + snapshot
$ sudo vgcreate vg0 /dev/nvme1n1
$ sudo lvcreate -L5G -n data0 vg0
$ sudo mkfs.xfs /dev/vg0/data0
$ sudo mount /dev/vg0/data0 /mnt
$ sudo touch /mnt/test
$ sudo touch /mnt/test2
$ sudo ls /mnt
$ sudo umount /mnt
$ sudo lvcreate -l100%FREE -s /dev/vg0/data0 -n data0_snap

2) Attempting to mount the previously created snapshot results in the Oops:
$ sudo mount /dev/vg0/data0_snap /mnt 
Segmentation fault (core dumped)

[Regression Potential]
The fix prevents some bios from being merged, so it can have a performance impact in certain scenarios. The patch only targets misaligned segments, so the impact should be less noticeable in the general case.
The commit is also present in mainline kernels since 4.13, and hasn't been changed significantly, so potential for other regressions should be low.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: linux (Ubuntu Xenial)
     Importance: Undecided
         Status: New


** Tags: sts

** Changed in: linux (Ubuntu)
     Assignee: Heitor Alves de Siqueira (halves) => (unassigned)

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1869229

Title:
  Mounting LVM snapshots with xfs can hit kernel BUG in nvme driver

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  New
