[PATCH v3] nvmet-tcp: reject H2CData before ICReq
YunJe Shin
yjshin0438 at gmail.com
Sun Jan 25 22:41:52 PST 2026
If H2CData arrives before ICReq/CONNECT, queue->connect is used but its
iov is not initialized yet, which can lead to a NULL dereference when
building the PDU iovec. Reject such requests early with -EPROTO.
Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
Signed-off-by: YunJe Shin <ioerts at kookmin.ac.kr>
Reviewed-by: Christoph Hellwig <hch at lst.de>
Reviewed-by: Sagi Grimberg <sagi at grimberg.me>
---
drivers/nvme/target/tcp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 15416ff0eac4..e272d38f285b 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -961,6 +961,9 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
cmd = &queue->cmds[data->ttag];
} else {
cmd = &queue->connect;
+ /* H2CData before ICReq/CONNECT: connect has no iov. */
+ if (!cmd->iov)
+ goto err_proto;
}
if (le32_to_cpu(data->data_offset) != cmd->rbytes_done) {
--
2.43.0
More information about the Linux-nvme
mailing list