[PATCH] nvmet-tcp: Fix potential UAF when ddgst mismatch
Keith Busch
kbusch at kernel.org
Mon May 11 07:59:56 PDT 2026
On Sun, May 10, 2026 at 11:30:29PM +0300, Sagi Grimberg wrote:
> Shivam Kumar found via vulnerability testing:
> When data digest is enabled on an NVMe/TCP connection and a digest
> mismatch occurs on a non-final H2C_DATA PDU during an R2T-based
> data transfer, the digest error handler in nvmet_tcp_try_recv_ddgst()
> calls nvmet_req_uninit() - which performs percpu_ref_put() on the
> submission queue - but does NOT mark the command as completed. It
> does not set cqe->status, does not modify rbytes_done, and does not
> clear any flag. When the subsequent fatal error triggers queue
> teardown, nvmet_tcp_uninit_data_in_cmds() iterates all commands,
> checks nvmet_tcp_need_data_in() for each one, and finds that the
> already-uninited command still appears to need data (because
> rbytes_done < transfer_len and cqe->status == 0). It therefore calls
> nvmet_req_uninit() a second time on the same command - a double
> percpu_ref_put against a single percpu_ref_get.
Thanks, applied to nvme-7.1.
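The sequence the commit message describes (one percpu_ref_get at request init, a put from the digest-error handler, then a second put from queue teardown because the command still satisfies the need-data-in check) is easy to reproduce in a small model. The following is an added example, not nvmet-tcp code and not the patch itself: the structs and functions are simplified stand-ins for nvmet_sq, nvmet_tcp_cmd, nvmet_req_init(), nvmet_req_uninit(), nvmet_tcp_need_data_in() and nvmet_tcp_uninit_data_in_cmds(), a plain int replaces the percpu_ref so the count can be read directly, and the "fixed" handler (which marks the command completed by setting a non-zero status, one of the three things the message says the buggy handler omits) is a hypothetical illustration, since the actual fix is not reproduced on this page.

```c
/* Model of the nvmet-tcp double percpu_ref_put described in the commit
 * message above. Added example, not kernel code: every name below is a
 * simplified stand-in for the corresponding nvmet/nvmet-tcp object, and
 * a plain int replaces percpu_ref so the reference count is inspectable. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the submission queue; `ref` models sq->ref (a percpu_ref). */
struct sq_model {
    int ref;
};

/* Stand-in for nvmet_tcp_cmd with the fields the commit message mentions. */
struct cmd_model {
    struct sq_model *sq;
    uint32_t transfer_len;   /* bytes the host must send after the R2T */
    uint32_t rbytes_done;    /* bytes received so far */
    uint16_t cqe_status;     /* 0 == not completed / no error recorded */
};

/* Models nvmet_req_init(): take one reference on the sq. */
static void req_init_model(struct cmd_model *c, struct sq_model *sq, uint32_t len)
{
    c->sq = sq;
    c->transfer_len = len;
    c->rbytes_done = 0;
    c->cqe_status = 0;
    sq->ref++;                      /* percpu_ref_get(&sq->ref) */
}

/* Models nvmet_req_uninit(): drop the sq reference. Like the kernel helper
 * as described in the message, it touches neither cqe_status nor rbytes_done. */
static void req_uninit_model(struct cmd_model *c)
{
    c->sq->ref--;                   /* percpu_ref_put(&sq->ref) */
}

/* Models the nvmet_tcp_need_data_in() condition the commit message
 * describes: still waiting for data if not completed and short of transfer_len. */
static bool need_data_in_model(const struct cmd_model *c)
{
    return c->cqe_status == 0 && c->rbytes_done < c->transfer_len;
}

/* Models nvmet_tcp_uninit_data_in_cmds(): on teardown, uninit every command
 * that still appears to be waiting for H2C data. */
static void uninit_data_in_cmds_model(struct cmd_model *cmds, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (need_data_in_model(&cmds[i]))
            req_uninit_model(&cmds[i]);
}

/* Digest-mismatch handler as the commit message describes the buggy one:
 * uninit the request but leave the command looking incomplete. */
static void ddgst_error_buggy(struct cmd_model *c)
{
    req_uninit_model(c);
}

/* Hypothetical corrected handler (the real fix is not on this page): mark the
 * command completed so teardown no longer considers it. A non-zero status is
 * one of the three omissions the message lists; the constant is invented. */
#define MODEL_STATUS_XFER_ERROR 0x1
static void ddgst_error_fixed(struct cmd_model *c)
{
    req_uninit_model(c);
    c->cqe_status = MODEL_STATUS_XFER_ERROR;
}

/* Scenario from the message: an R2T for 8 KiB, a 4 KiB non-final H2C_DATA PDU
 * whose data digest mismatches, then queue teardown. Returns the final sq
 * reference count: 0 means get/put balanced, -1 means the double put. */
static int run_scenario(void (*on_ddgst_error)(struct cmd_model *))
{
    struct sq_model sq = { .ref = 0 };
    struct cmd_model cmds[1];

    req_init_model(&cmds[0], &sq, 8192);
    cmds[0].rbytes_done += 4096;          /* first, non-final H2C_DATA PDU */
    on_ddgst_error(&cmds[0]);             /* its data digest did not match */
    uninit_data_in_cmds_model(cmds, 1);   /* fatal error -> queue teardown */
    return sq.ref;
}

int run_buggy(void) { return run_scenario(ddgst_error_buggy); }
int run_fixed(void) { return run_scenario(ddgst_error_fixed); }

int main(void)
{
    printf("buggy handler: sq ref after teardown = %d\n", run_buggy());
    printf("fixed handler: sq ref after teardown = %d\n", run_fixed());
    return 0;
}
```

With the buggy handler the model ends at a reference count of -1 (two puts against one get), which in the kernel is the extra percpu_ref_put that can free the sq while a command still references it; any change that makes nvmet_tcp_need_data_in() false for the already-uninited command (status, rbytes_done, or a flag) restores the balance in this model.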
More information about the Linux-nvme mailing list