[PATCH v3] nvmet-tcp: reject H2CData before ICReq

yunje shin yjshin0438 at gmail.com
Tue Jan 27 16:45:39 PST 2026


Thanks for letting me know. I'll check it.

YunJe


On Wed, Jan 28, 2026 at 12:17 AM Maurizio Lombardi
<mlombard at bsdbackstore.eu> wrote:
>
> On Tue Jan 27, 2026 at 3:37 PM CET, Maurizio Lombardi wrote:
> >
> > Never mind, now I get what you mean: you can hit the bug if you send
> > H2CData after ICReq but before the execution
> > of the connect command.
>
> I was able to reproduce the crash:
>
> [25362.399746] BUG: kernel NULL pointer dereference, address: 000000000000000c
> [25362.403368] #PF: supervisor read access in kernel mode
> [25362.405451] #PF: error_code(0x0000) - not-present page
>
> [...]
>
> [25362.430592] Call Trace:
> [25362.430945]  <TASK>
> [25362.431250]  ? show_trace_log_lvl+0x1b0/0x2f0
> [25362.431910]  ? show_trace_log_lvl+0x1b0/0x2f0
> [25362.432507]  ? nvmet_tcp_done_recv_pdu+0x299/0x2f0 [nvmet_tcp]
> [25362.433285]  ? __die_body.cold+0x8/0x12
> [25362.433810]  ? page_fault_oops+0x148/0x160
> [25362.434388]  ? exc_page_fault+0x73/0x160
> [25362.434953]  ? asm_exc_page_fault+0x26/0x30
> [25362.435573]  ? nvmet_tcp_build_pdu_iovec+0x4c/0xc0 [nvmet_tcp]
> [25362.436357]  nvmet_tcp_done_recv_pdu+0x299/0x2f0 [nvmet_tcp]
> [25362.437113]  nvmet_tcp_try_recv_pdu+0x1ef/0x2d0 [nvmet_tcp]
> [25362.437856]  ? sched_balance_update_blocked_averages+0xdd/0x1a0
> [25362.438672]  nvmet_tcp_io_work+0x70/0x8c0 [nvmet_tcp]
>
> But it appears to have already been fixed by commit 32b63acd78f577b332d976aa06b56e70d054cbba
> (nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec)
>
> dmesg output target-side:
>
> [   54.436869] nvmet_tcp: queue 0: H2CData PDU received for invalid command state (ttag 43981)
>
>
> Maurizio


