[PATCH] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
yunje shin
yjshin0438 at gmail.com
Thu Jan 29 19:39:32 PST 2026
[ 104.528480] BUG: unable to handle page fault for address: ffff888002b42660
[ 104.528773] #PF: supervisor write access in kernel mode
[ 104.528938] #PF: error_code(0x0003) - permissions violation
[ 104.529151] PGD 3a01067 P4D 3a01067 PUD 3a02067 PMD 4f24063 PTE
8000000002b42121
[ 104.529476] Oops: Oops: 0003 [#1] SMP NOPTI
[ 104.529817] CPU: 0 UID: 0 PID: 63 Comm: kworker/0:1H Not tainted
6.19.0-rc7 #1 PREEMPT(voluntary
[ 104.530090] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX,
1996), BIOS 1.16.3-debian-1.16.34
[ 104.530440] Workqueue: nvmet_tcp_wq nvmet_tcp_io_work
[ 104.530849] RIP: 0010:_copy_to_iter+0x27e/0x7a0
[ 104.531077] Code: 01 48 2b 05 a4 2a 2f 01 48 c1 f8 06 48 c1 e0 0c
48 03 05 a5 2a 2f 01 48 01 f0 7
[ 104.531620] RSP: 0018:ffffc9000021bba8 EFLAGS: 00000246
[ 104.531805] RAX: ffff888002b42660 RBX: 0000000000000008 RCX: 305c782f706d742f
[ 104.532019] RDX: 0000000000000008 RSI: ffff88800515c078 RDI: 00000000000009a0
[ 104.532243] RBP: ffff888005070218 R08: 0000000000000000 R09: ffff888004ed5300
[ 104.532428] R10: 0000000000001000 R11: ffff888003e032e0 R12: ffff88800515c078
[ 104.532615] R13: 0000000000000000 R14: 0000000000000008 R15: 0000000000004080
[ 104.532821] FS: 0000000000000000(0000) GS:ffff8880fa4a4000(0000)
knlGS:0000000000000000
[ 104.533048] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 104.533222] CR2: ffff888002b42660 CR3: 0000000004fec000 CR4: 00000000000006f0
[ 104.533483] Call Trace:
[ 104.533957] <TASK>
[ 104.534195] ? __pfx_simple_copy_to_iter+0x10/0x10
[ 104.534381] __skb_datagram_iter+0x1a7/0x2e0
[ 104.534541] ? __pfx_simple_copy_to_iter+0x10/0x10
[ 104.534671] skb_copy_datagram_iter+0x2f/0x90
[ 104.534811] tcp_recvmsg_locked+0x784/0x9d0
[ 104.534936] tcp_recvmsg+0x81/0x1e0
[ 104.535045] inet_recvmsg+0x50/0x130
[ 104.535166] ? security_socket_recvmsg+0x43/0x60
[ 104.535294] sock_recvmsg+0xa1/0xc0
[ 104.535381] nvmet_tcp_io_work+0xdb/0x720
[ 104.535476] process_one_work+0x15b/0x380
[ 104.535570] worker_thread+0x2a5/0x3c0
[ 104.535653] ? __pfx_worker_thread+0x10/0x10
[ 104.535747] kthread+0xf6/0x1f0
[ 104.535839] ? __pfx_kthread+0x10/0x10
[ 104.535949] ? __pfx_kthread+0x10/0x10
[ 104.536060] ret_from_fork+0x131/0x190
[ 104.536182] ? __pfx_kthread+0x10/0x10
[ 104.536296] ret_from_fork_asm+0x1a/0x30
[ 104.536451] </TASK>
[ 104.536545] Modules linked in:
[ 104.536764] CR2: ffff888002b42660
[ 104.537046] ---[ end trace 0000000000000000 ]---
[ 104.537291] RIP: 0010:_copy_to_iter+0x27e/0x7a0
[ 104.537412] Code: 01 48 2b 05 a4 2a 2f 01 48 c1 f8 06 48 c1 e0 0c
48 03 05 a5 2a 2f 01 48 01 f0 7
[ 104.537848] RSP: 0018:ffffc9000021bba8 EFLAGS: 00000246
[ 104.538005] RAX: ffff888002b42660 RBX: 0000000000000008 RCX: 305c782f706d742f
[ 104.538229] RDX: 0000000000000008 RSI: ffff88800515c078 RDI: 00000000000009a0
[ 104.538416] RBP: ffff888005070218 R08: 0000000000000000 R09: ffff888004ed5300
[ 104.538617] R10: 0000000000001000 R11: ffff888003e032e0 R12: ffff88800515c078
[ 104.538825] R13: 0000000000000000 R14: 0000000000000008 R15: 0000000000004080
[ 104.538999] FS: 0000000000000000(0000) GS:ffff8880fa4a4000(0000)
knlGS:0000000000000000
[ 104.539209] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 104.539340] CR2: ffff888002b42660 CR3: 0000000004fec000 CR4: 00000000000006f0
[ 104.539553] note: kworker/0:1H[63] exited with irqs disabled
[ 104.540201] kworker/0:1H (63) used greatest stack depth: 12976 bytes left
~ $ uname -a
Linux (none) 6.19.0-rc7 #1 SMP PREEMPT_DYNAMIC Fri Jan 30 09:36:44 KST
2026 x86_64 GNU/Linux
On Wed, Jan 28, 2026 at 9:41 AM YunJe Shin <yjshin0438 at gmail.com> wrote:
>
> nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU
> length or offset exceeds sg_cnt and then use bogus sg->length/offset
> values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining
> entries, and sg->length/offset before building the bvec.
>
> Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
> Signed-off-by: YunJe Shin <ioerts at kookmin.ac.kr>
> Reviewed-by: Sagi Grimberg <sagi at grimberg.me>
> Reviewed-by: Joonkyo Jung <joonkyoj at yonsei.ac.kr>
> ---
> drivers/nvme/target/tcp.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
> index 15416ff0eac4..1a62b405d8e6 100644
> --- a/drivers/nvme/target/tcp.c
> +++ b/drivers/nvme/target/tcp.c
> @@ -349,11 +349,14 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd)
> cmd->req.sg = NULL;
> }
>
> +static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue);
> +
> static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
> {
> struct bio_vec *iov = cmd->iov;
> struct scatterlist *sg;
> u32 length, offset, sg_offset;
> + unsigned int sg_remaining;
> int nr_pages;
>
> length = cmd->pdu_len;
> @@ -361,9 +364,22 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
> offset = cmd->rbytes_done;
> cmd->sg_idx = offset / PAGE_SIZE;
> sg_offset = offset % PAGE_SIZE;
> + if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) {
> + nvmet_tcp_fatal_error(cmd->queue);
> + return;
> + }
> sg = &cmd->req.sg[cmd->sg_idx];
> + sg_remaining = cmd->req.sg_cnt - cmd->sg_idx;
>
> while (length) {
> + if (!sg_remaining) {
> + nvmet_tcp_fatal_error(cmd->queue);
> + return;
> + }
> + if (!sg->length || sg->length <= sg_offset) {
> + nvmet_tcp_fatal_error(cmd->queue);
> + return;
> + }
> u32 iov_len = min_t(u32, length, sg->length - sg_offset);
>
> bvec_set_page(iov, sg_page(sg), iov_len,
> @@ -371,6 +387,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
>
> length -= iov_len;
> sg = sg_next(sg);
> + sg_remaining--;
> iov++;
> sg_offset = 0;
> }
> --
> 2.43.0
>
More information about the Linux-nvme
mailing list