[PATCH 2/3] nvme-tcp: sanitize request list handling
Chris Leech
cleech at redhat.com
Tue Mar 11 11:53:41 PDT 2025
On Fri, Mar 07, 2025 at 02:28:01PM +0100, Hannes Reinecke wrote:
> Validate the request in nvme_tcp_handle_r2t() to ensure it's not
> part of any list, otherwise a malicious R2T PDU might inject a
> loop in request list processing.
>
> Signed-off-by: Hannes Reinecke <hare at kernel.org>
> ---
> drivers/nvme/host/tcp.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
...
> @@ -759,8 +762,12 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue,
>
> nvme_tcp_setup_h2c_data_pdu(req);
>
> + WARN_ON(queue->request == req);
> + WARN_ON(llist_on_list(&req->lentry));
> + WARN_ON(!list_empty(&req->entry));
> llist_add(&req->lentry, &queue->req_list);
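Review bot: the three WARN_ON() checks placed before llist_add() only report the condition; llist_add(&req->lentry, &queue->req_list) still runs unconditionally, so a request that is already queued is added again and the loop the commit message describes can still form. Since nvme_tcp_handle_r2t() returns int, test the conditions and return an error when one is true, and run the checks before nvme_tcp_setup_h2c_data_pdu(req) so that a rejected R2T does not modify the request. A condition that a PDU from the peer can trigger is also a poor fit for WARN_ON(), because hosts running with panic_on_warn will go down on it.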
Are we happy with a WARN here, or should this be handled as an error?
The idea of duplicate R2Ts creating a loop in req_list is
frightening.
- Chris
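
Added example, not part of the original message or the patch: a single-threaded userspace C model of a push-only list, showing how queuing the same node twice creates the loop the commit message describes, and how an on-list check that returns an error keeps the list intact. The names node, list, node_on_list, push, push_checked, walk and demo are hypothetical, and the "off-list node points at itself" convention is an assumption of this model, not the kernel's llist code.

```c
#include <stdbool.h>
#include <stddef.h>
/* Single-threaded userspace model; all names are hypothetical, not kernel code. */
struct node { struct node *next; };
struct list { struct node *first; };

/* Assumed convention: a node that is on no list points at itself. */
static bool node_on_list(const struct node *n) { return n->next != n; }

/* Unchecked push: links the node in even if it is already queued. */
static void push(struct list *l, struct node *n)
{
    n->next = l->first;
    l->first = n;
}

/* Checked push: reject an already queued node with an error. */
static int push_checked(struct list *l, struct node *n)
{
    if (node_on_list(n))
        return -1;
    push(l, n);
    return 0;
}

/* Count entries; return -1 if the walk exceeds limit steps (a cycle). */
static int walk(const struct list *l, int limit)
{
    int count = 0;
    for (const struct node *n = l->first; n; n = n->next)
        if (++count > limit)
            return -1;
    return count;
}

/* Constructed sequence: a is queued, then b, then a a second time. */
static int demo(bool checked)
{
    struct list l = { NULL };
    struct node a = { &a }, b = { &b };   /* both start off-list */
    struct node *seq[] = { &a, &b, &a };
    for (size_t i = 0; i < 3; i++)
        if (checked)
            (void)push_checked(&l, seq[i]);
        else
            push(&l, seq[i]);
    return walk(&l, 16);
}

int main(void) { return demo(false) == -1 && demo(true) == 2 ? 0 : 1; }
```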