[Bug Report] NVMe-oF/TCP - NULL Pointer Dereference in `__nvmet_req_complete`

Chaitanya Kulkarni chaitanyak at nvidia.com
Mon Nov 6 13:35:22 PST 2023


On 11/6/2023 5:41 AM, Alon Zahavi wrote:
> # Bug Overview
> 
> ## The Bug
> A null-ptr-deref in `__nvmet_req_complete`.
> 
> ## Bug Location
> `drivers/nvme/target/core.c` in the function `__nvmet_req_complete`.
> 
> ## Bug Class
> Remote Denial of Service
> 
> ## Disclaimer:
> This bug was found using Syzkaller with NVMe-oF/TCP added support.
> 
> # Technical Details
> 
> ## Kernel Report - NULL Pointer Dereference
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000020
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP NOPTI
> CPU: 2 PID: 31 Comm: kworker/2:0H Kdump: loaded Not tainted 6.5.0-rc1+ #5
> Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
> Reference Platform, BIOS 6.00 11/12/2020
> Workqueue: nvmet_tcp_wq nvmet_tcp_io_work
> RIP: 0010:__nvmet_req_complete+0x33/0x350 drivers/nvme/target/core.c:740
> Code: 41 57 41 56 41 55 41 54 49 89 fc 53 89 f3 48 83 ec 08 66 89 75
> d6 e8 dc cd 1a ff 4d 8b 6c 24 10 bf 01 00 00 00 4d 8b 74 24 20 <45> 0f
> b6 7d 20 44 89 fe e8 60 c8 1a ff 41 80 ff 01 0f 87 ef 75 96
> RSP: 0018:ffffc90000527c00 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000000004002 RCX: 0000000000000000
> RDX: ffff888100c74880 RSI: ffffffff82170d04 RDI: 0000000000000001
> RBP: ffffc90000527c30 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881292a13e8
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff888233f00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000020 CR3: 0000000003c6a005 CR4: 00000000007706e0
> PKRU: 55555554
> Call Trace:
>   <TASK>
>   nvmet_req_complete+0x2c/0x40 drivers/nvme/target/core.c:761
>   nvmet_tcp_handle_h2c_data_pdu drivers/nvme/target/tcp.c:981
>   nvmet_tcp_done_recv_pdu drivers/nvme/target/tcp.c:1020
>   nvmet_tcp_try_recv_pdu+0x1132/0x1310 drivers/nvme/target/tcp.c:1182
>   nvmet_tcp_try_recv_one drivers/nvme/target/tcp.c:1306
>   nvmet_tcp_try_recv drivers/nvme/target/tcp.c:1338
>   nvmet_tcp_io_work+0xe6/0xd90 drivers/nvme/target/tcp.c:1388
>   process_one_work+0x3da/0x870 kernel/workqueue.c:2597
>   worker_thread+0x67/0x640 kernel/workqueue.c:2748
>   kthread+0x164/0x1b0 kernel/kthread.c:389
>   ret_from_fork+0x29/0x50 arch/x86/entry/entry_64.S:308
>   </TASK>
> 
> 

Thanks for reporting this, will send a fix soon, working on it with
priority.

-ck
