[PATCH] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

yunje shin yjshin0438 at gmail.com
Thu Jan 29 19:43:57 PST 2026 

The Reviewed-by tags mentioned in the earlier thread were obtained
through private discussion, which Keith likely wasn't aware of. Could
the maintainers please re-review this patch?

On Fri, Jan 30, 2026 at 12:39 PM yunje shin <yjshin0438 at gmail.com> wrote:
>
> [  104.528480] BUG: unable to handle page fault for address: ffff888002b42660
> [  104.528773] #PF: supervisor write access in kernel mode
> [  104.528938] #PF: error_code(0x0003) - permissions violation
> [  104.529151] PGD 3a01067 P4D 3a01067 PUD 3a02067 PMD 4f24063 PTE
> 8000000002b42121
> [  104.529476] Oops: Oops: 0003 [#1] SMP NOPTI
> [  104.529817] CPU: 0 UID: 0 PID: 63 Comm: kworker/0:1H Not tainted
> 6.19.0-rc7 #1 PREEMPT(voluntary
> [  104.530090] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX,
> 1996), BIOS 1.16.3-debian-1.16.34
> [  104.530440] Workqueue: nvmet_tcp_wq nvmet_tcp_io_work
> [  104.530849] RIP: 0010:_copy_to_iter+0x27e/0x7a0
> [  104.531077] Code: 01 48 2b 05 a4 2a 2f 01 48 c1 f8 06 48 c1 e0 0c
> 48 03 05 a5 2a 2f 01 48 01 f0 7
> [  104.531620] RSP: 0018:ffffc9000021bba8 EFLAGS: 00000246
> [  104.531805] RAX: ffff888002b42660 RBX: 0000000000000008 RCX: 305c782f706d742f
> [  104.532019] RDX: 0000000000000008 RSI: ffff88800515c078 RDI: 00000000000009a0
> [  104.532243] RBP: ffff888005070218 R08: 0000000000000000 R09: ffff888004ed5300
> [  104.532428] R10: 0000000000001000 R11: ffff888003e032e0 R12: ffff88800515c078
> [  104.532615] R13: 0000000000000000 R14: 0000000000000008 R15: 0000000000004080
> [  104.532821] FS:  0000000000000000(0000) GS:ffff8880fa4a4000(0000)
> knlGS:0000000000000000
> [  104.533048] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  104.533222] CR2: ffff888002b42660 CR3: 0000000004fec000 CR4: 00000000000006f0
> [  104.533483] Call Trace:
> [  104.533957]  <TASK>
> [  104.534195]  ? __pfx_simple_copy_to_iter+0x10/0x10
> [  104.534381]  __skb_datagram_iter+0x1a7/0x2e0
> [  104.534541]  ? __pfx_simple_copy_to_iter+0x10/0x10
> [  104.534671]  skb_copy_datagram_iter+0x2f/0x90
> [  104.534811]  tcp_recvmsg_locked+0x784/0x9d0
> [  104.534936]  tcp_recvmsg+0x81/0x1e0
> [  104.535045]  inet_recvmsg+0x50/0x130
> [  104.535166]  ? security_socket_recvmsg+0x43/0x60
> [  104.535294]  sock_recvmsg+0xa1/0xc0
> [  104.535381]  nvmet_tcp_io_work+0xdb/0x720
> [  104.535476]  process_one_work+0x15b/0x380
> [  104.535570]  worker_thread+0x2a5/0x3c0
> [  104.535653]  ? __pfx_worker_thread+0x10/0x10
> [  104.535747]  kthread+0xf6/0x1f0
> [  104.535839]  ? __pfx_kthread+0x10/0x10
> [  104.535949]  ? __pfx_kthread+0x10/0x10
> [  104.536060]  ret_from_fork+0x131/0x190
> [  104.536182]  ? __pfx_kthread+0x10/0x10
> [  104.536296]  ret_from_fork_asm+0x1a/0x30
> [  104.536451]  </TASK>
> [  104.536545] Modules linked in:
> [  104.536764] CR2: ffff888002b42660
> [  104.537046] ---[ end trace 0000000000000000 ]---
> [  104.537291] RIP: 0010:_copy_to_iter+0x27e/0x7a0
> [  104.537412] Code: 01 48 2b 05 a4 2a 2f 01 48 c1 f8 06 48 c1 e0 0c
> 48 03 05 a5 2a 2f 01 48 01 f0 7
> [  104.537848] RSP: 0018:ffffc9000021bba8 EFLAGS: 00000246
> [  104.538005] RAX: ffff888002b42660 RBX: 0000000000000008 RCX: 305c782f706d742f
> [  104.538229] RDX: 0000000000000008 RSI: ffff88800515c078 RDI: 00000000000009a0
> [  104.538416] RBP: ffff888005070218 R08: 0000000000000000 R09: ffff888004ed5300
> [  104.538617] R10: 0000000000001000 R11: ffff888003e032e0 R12: ffff88800515c078
> [  104.538825] R13: 0000000000000000 R14: 0000000000000008 R15: 0000000000004080
> [  104.538999] FS:  0000000000000000(0000) GS:ffff8880fa4a4000(0000)
> knlGS:0000000000000000
> [  104.539209] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  104.539340] CR2: ffff888002b42660 CR3: 0000000004fec000 CR4: 00000000000006f0
> [  104.539553] note: kworker/0:1H[63] exited with irqs disabled
> [  104.540201] kworker/0:1H (63) used greatest stack depth: 12976 bytes left
> ~ $ uname -a
> Linux (none) 6.19.0-rc7 #1 SMP PREEMPT_DYNAMIC Fri Jan 30 09:36:44 KST
> 2026 x86_64 GNU/Linux
>
> On Wed, Jan 28, 2026 at 9:41 AM YunJe Shin <yjshin0438 at gmail.com> wrote:
> >
> > nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU
> > length or offset exceeds sg_cnt and then use bogus sg->length/offset
> > values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining
> > entries, and sg->length/offset before building the bvec.
> >
> > Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
> > Signed-off-by: YunJe Shin <ioerts at kookmin.ac.kr>
> > Reviewed-by: Sagi Grimberg <sagi at grimberg.me>
> > Reviewed-by: Joonkyo Jung <joonkyoj at yonsei.ac.kr>
> > ---
> >  drivers/nvme/target/tcp.c | 17 +++++++++++++++++
> >  1 file changed, 17 insertions(+)
> >
> > diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
> > index 15416ff0eac4..1a62b405d8e6 100644
> > --- a/drivers/nvme/target/tcp.c
> > +++ b/drivers/nvme/target/tcp.c
> > @@ -349,11 +349,14 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd)
> >         cmd->req.sg = NULL;
> >  }
> >
> > +static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue);
> > +
> >  static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
> >  {
> >         struct bio_vec *iov = cmd->iov;
> >         struct scatterlist *sg;
> >         u32 length, offset, sg_offset;
> > +       unsigned int sg_remaining;
> >         int nr_pages;
> >
> >         length = cmd->pdu_len;
> > @@ -361,9 +364,22 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
> >         offset = cmd->rbytes_done;
> >         cmd->sg_idx = offset / PAGE_SIZE;
> >         sg_offset = offset % PAGE_SIZE;
> > +       if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) {
> > +               nvmet_tcp_fatal_error(cmd->queue);
> > +               return;
> > +       }
> >         sg = &cmd->req.sg[cmd->sg_idx];
> > +       sg_remaining = cmd->req.sg_cnt - cmd->sg_idx;
> >
> >         while (length) {
> > +               if (!sg_remaining) {
> > +                       nvmet_tcp_fatal_error(cmd->queue);
> > +                       return;
> > +               }
> > +               if (!sg->length || sg->length <= sg_offset) {
> > +                       nvmet_tcp_fatal_error(cmd->queue);
> > +                       return;
> > +               }
> >                 u32 iov_len = min_t(u32, length, sg->length - sg_offset);
> >
> >                 bvec_set_page(iov, sg_page(sg), iov_len,
> > @@ -371,6 +387,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
> >
> >                 length -= iov_len;
> >                 sg = sg_next(sg);
> > +               sg_remaining--;
> >                 iov++;
> >                 sg_offset = 0;
> >         }
> > --
> > 2.43.0
> >

More information about the Linux-nvme mailing list