[PATCH V2 2/3] nvmet-tcp: fix a crash in nvmet_req_complete()
Sagi Grimberg
sagi at grimberg.me
Mon Dec 25 02:28:16 PST 2023
> in nvmet_tcp_handle_h2c_data_pdu(), if the host sends a data_offset
> different from rbytes_done, the driver ends up calling nvmet_req_complete()
> passing a status error.
> The problem is that at this point cmd->req is not yet initialized,
> the kernel will crash after dereferencing a NULL pointer.
>
> Fix the bug by replacing the call to nvmet_req_complete() with
> nvmet_tcp_fatal_error().
This is indeed a bug. However nvmet attempts to gracefully fail
a particular nvme command when there is a recoverable error (see
nvmet_tcp_handle_req_failure).
In the case where the length is arbitrarily long, then it really
doesn't make sense for nvmet to just accept it and throw it away,
but if this is an offset error, maybe it is...
I'm not hard set on this, but it would be beneficial to have
allow some graceful cmd failure here... Perhaps you can share
more about what was causing this error?
More information about the Linux-nvme
mailing list