Merge tag 'nvme-7.0-2026-03-12' of git://git.infradead.org/nvme into block-7.0

axboe · axboe · commit 7d0abefec48d · 2026-03-12T15:15:53.000-06:00
Pull NVMe fixes from Keith:

"- Fix nvme-pci IRQ race and slab-out-of-bounds access (Sungwoo Kim)
 - Fix recursive workqueue locking for target async events (Chaitanya)
 - Various cleanups (Maurizio Lombardi, Thorsten Blum)"

* tag 'nvme-7.0-2026-03-12' of git://git.infradead.org/nvme:
  nvme: Annotate struct nvme_dhchap_key with __counted_by
  nvme-core: do not pass empty queue_limits to blk_mq_alloc_queue()
  nvme-pci: Fix race bug in nvme_poll_irqdisable()
  nvmet: move async event work off nvmet-wq
  nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
@@ -4834,7 +4834,6 @@ EXPORT_SYMBOL_GPL(nvme_complete_async_event);
 int nvme_alloc_admin_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set,
 		const struct blk_mq_ops *ops, unsigned int cmd_size)
 {
-	struct queue_limits lim = {};
 	int ret;
 
 	memset(set, 0, sizeof(*set));
@@ -4861,7 +4860,7 @@ int nvme_alloc_admin_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set,
 	if (ctrl->admin_q)
 		blk_put_queue(ctrl->admin_q);
 
-	ctrl->admin_q = blk_mq_alloc_queue(set, &lim, NULL);
+	ctrl->admin_q = blk_mq_alloc_queue(set, NULL, NULL);
 	if (IS_ERR(ctrl->admin_q)) {
 		ret = PTR_ERR(ctrl->admin_q);
 		goto out_free_tagset;
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
@@ -544,7 +544,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev)
 		/* Free memory and continue on */
 		nvme_dbbuf_dma_free(dev);
 
-		for (i = 1; i <= dev->online_queues; i++)
+		for (i = 1; i < dev->online_queues; i++)
 			nvme_dbbuf_free(&dev->queues[i]);
 	}
 }
@@ -1625,14 +1625,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data)
 static void nvme_poll_irqdisable(struct nvme_queue *nvmeq)
 {
 	struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev);
+	int irq;
 
 	WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags));
 
-	disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+	irq = pci_irq_vector(pdev, nvmeq->cq_vector);
+	disable_irq(irq);
 	spin_lock(&nvmeq->cq_poll_lock);
 	nvme_poll_cq(nvmeq, NULL);
 	spin_unlock(&nvmeq->cq_poll_lock);
-	enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+	enable_irq(irq);
 }
 
 static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
diff --git a/drivers/nvme/target/admin-cmd.c b/drivers/nvme/target/admin-cmd.c
@@ -1586,7 +1586,7 @@ void nvmet_execute_async_event(struct nvmet_req *req)
 	ctrl->async_event_cmds[ctrl->nr_async_event_cmds++] = req;
 	mutex_unlock(&ctrl->lock);
 
-	queue_work(nvmet_wq, &ctrl->async_event_work);
+	queue_work(nvmet_aen_wq, &ctrl->async_event_work);
 }
 
 void nvmet_execute_keep_alive(struct nvmet_req *req)
diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
@@ -27,6 +27,8 @@ static DEFINE_IDA(cntlid_ida);
 
 struct workqueue_struct *nvmet_wq;
 EXPORT_SYMBOL_GPL(nvmet_wq);
+struct workqueue_struct *nvmet_aen_wq;
+EXPORT_SYMBOL_GPL(nvmet_aen_wq);
 
 /*
  * This read/write semaphore is used to synchronize access to configuration
@@ -206,7 +208,7 @@ void nvmet_add_async_event(struct nvmet_ctrl *ctrl, u8 event_type,
 	list_add_tail(&aen->entry, &ctrl->async_events);
 	mutex_unlock(&ctrl->lock);
 
-	queue_work(nvmet_wq, &ctrl->async_event_work);
+	queue_work(nvmet_aen_wq, &ctrl->async_event_work);
 }
 
 static void nvmet_add_to_changed_ns_log(struct nvmet_ctrl *ctrl, __le32 nsid)
@@ -1959,9 +1961,14 @@ static int __init nvmet_init(void)
 	if (!nvmet_wq)
 		goto out_free_buffered_work_queue;
 
+	nvmet_aen_wq = alloc_workqueue("nvmet-aen-wq",
+			WQ_MEM_RECLAIM | WQ_UNBOUND, 0);
+	if (!nvmet_aen_wq)
+		goto out_free_nvmet_work_queue;
+
 	error = nvmet_init_debugfs();
 	if (error)
-		goto out_free_nvmet_work_queue;
+		goto out_free_nvmet_aen_work_queue;
 
 	error = nvmet_init_discovery();
 	if (error)
@@ -1977,6 +1984,8 @@ static int __init nvmet_init(void)
 	nvmet_exit_discovery();
 out_exit_debugfs:
 	nvmet_exit_debugfs();
+out_free_nvmet_aen_work_queue:
+	destroy_workqueue(nvmet_aen_wq);
 out_free_nvmet_work_queue:
 	destroy_workqueue(nvmet_wq);
 out_free_buffered_work_queue:
@@ -1994,6 +2003,7 @@ static void __exit nvmet_exit(void)
 	nvmet_exit_discovery();
 	nvmet_exit_debugfs();
 	ida_destroy(&cntlid_ida);
+	destroy_workqueue(nvmet_aen_wq);
 	destroy_workqueue(nvmet_wq);
 	destroy_workqueue(buffered_io_wq);
 	destroy_workqueue(zbd_wq);
diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
@@ -501,6 +501,7 @@ extern struct kmem_cache *nvmet_bvec_cache;
 extern struct workqueue_struct *buffered_io_wq;
 extern struct workqueue_struct *zbd_wq;
 extern struct workqueue_struct *nvmet_wq;
+extern struct workqueue_struct *nvmet_aen_wq;
 
 static inline void nvmet_set_result(struct nvmet_req *req, u32 result)
 {
diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
@@ -2088,6 +2088,7 @@ static void nvmet_rdma_remove_one(struct ib_device *ib_device, void *client_data
 	mutex_unlock(&nvmet_rdma_queue_mutex);
 
 	flush_workqueue(nvmet_wq);
+	flush_workqueue(nvmet_aen_wq);
 }
 
 static struct ib_client nvmet_rdma_ib_client = {
diff --git a/include/linux/nvme-auth.h b/include/linux/nvme-auth.h
@@ -11,7 +11,7 @@
 struct nvme_dhchap_key {
 	size_t len;
 	u8 hash;
-	u8 key[];
+	u8 key[] __counted_by(len);
 };
 
 u32 nvme_auth_get_seqnum(void);

Original file line number	Diff line number	Diff line change
`@@ -544,7 +544,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev)`
`544`	`544`	`/* Free memory and continue on */`
`545`	`545`	`nvme_dbbuf_dma_free(dev);`
`546`	`546`
`547`		`- for (i = 1; i <= dev->online_queues; i++)`
	`547`	`+ for (i = 1; i < dev->online_queues; i++)`
`548`	`548`	`nvme_dbbuf_free(&dev->queues[i]);`
`549`	`549`	`}`
`550`	`550`	`}`
`@@ -1625,14 +1625,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data)`
`1625`	`1625`	`static void nvme_poll_irqdisable(struct nvme_queue *nvmeq)`
`1626`	`1626`	`{`
`1627`	`1627`	`struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev);`
	`1628`	`+ int irq;`
`1628`	`1629`
`1629`	`1630`	`WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags));`
`1630`	`1631`
`1631`		`- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));`
	`1632`	`+ irq = pci_irq_vector(pdev, nvmeq->cq_vector);`
	`1633`	`+ disable_irq(irq);`
`1632`	`1634`	`spin_lock(&nvmeq->cq_poll_lock);`
`1633`	`1635`	`nvme_poll_cq(nvmeq, NULL);`
`1634`	`1636`	`spin_unlock(&nvmeq->cq_poll_lock);`
`1635`		`- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));`
	`1637`	`+ enable_irq(irq);`
`1636`	`1638`	`}`
`1637`	`1639`
`1638`	`1640`	`static int nvme_poll(struct blk_mq_hw_ctx hctx, struct io_comp_batch iob)`
Original file line number	Diff line number	Diff line change
`@@ -1586,7 +1586,7 @@ void nvmet_execute_async_event(struct nvmet_req *req)`
`1586`	`1586`	`ctrl->async_event_cmds[ctrl->nr_async_event_cmds++] = req;`
`1587`	`1587`	`mutex_unlock(&ctrl->lock);`
`1588`	`1588`
`1589`		`- queue_work(nvmet_wq, &ctrl->async_event_work);`
	`1589`	`+ queue_work(nvmet_aen_wq, &ctrl->async_event_work);`
`1590`	`1590`	`}`
`1591`	`1591`
`1592`	`1592`	`void nvmet_execute_keep_alive(struct nvmet_req *req)`
Original file line number	Diff line number	Diff line change
`@@ -501,6 +501,7 @@ extern struct kmem_cache *nvmet_bvec_cache;`
`501`	`501`	`extern struct workqueue_struct *buffered_io_wq;`
`502`	`502`	`extern struct workqueue_struct *zbd_wq;`
`503`	`503`	`extern struct workqueue_struct *nvmet_wq;`
	`504`	`+extern struct workqueue_struct *nvmet_aen_wq;`
`504`	`505`
`505`	`506`	`static inline void nvmet_set_result(struct nvmet_req *req, u32 result)`
`506`	`507`	`{`
Original file line number	Diff line number	Diff line change
`@@ -2088,6 +2088,7 @@ static void nvmet_rdma_remove_one(struct ib_device ib_device, void client_data`
`2088`	`2088`	`mutex_unlock(&nvmet_rdma_queue_mutex);`
`2089`	`2089`
`2090`	`2090`	`flush_workqueue(nvmet_wq);`
	`2091`	`+ flush_workqueue(nvmet_aen_wq);`
`2091`	`2092`	`}`
`2092`	`2093`
`2093`	`2094`	`static struct ib_client nvmet_rdma_ib_client = {`