nvme-tcp uaf when tls setup fails
Hannes Reinecke
hare at suse.de
Mon Oct 14 06:18:27 PDT 2024
On 10/14/24 15:14, Daniel Wagner wrote:
>> The logs say that the connect to queue 3 fails, but it seems this
>> command never got sent out (ftrace):
>>
>> kworker/4:0H-759 [004] ..... 8771.165686: nvme_setup_cmd: nvme1: qid=0, cmdid=0, nsid=1, flags=0x0, meta=0x0, cmd=(nvme_fabrics_type_connect recfmt=0, qid=1, sqsize=127, cattr=0, kato=0)
>> <idle>-0 [004] ..s1. 8771.172062: nvme_complete_rq: nvme1: qid=0, cmdid=0, res=0x1, retries=0, flags=0x0, status=0x0
>> kworker/5:0H-796 [005] ..... 8771.172422: nvme_setup_cmd: nvme1: qid=0, cmdid=0, nsid=1, flags=0x0, meta=0x0, cmd=(nvme_fabrics_type_connect recfmt=0, qid=2, sqsize=127, cattr=0, kato=0)
>> <idle>-0 [005] ..s1. 8771.178292: nvme_complete_rq: nvme1: qid=0, cmdid=0, res=0x1, retries=0, flags=0x0, status=0x0
>>
>> And it reproduces very reliably.
>
> It is also reproducible without TLS.
Does this help?
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 04f0ac57855e..12f8a97150af 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -2163,8 +2163,8 @@ static int nvme_tcp_configure_admin_queue(struct
nvme_ctrl *ctrl, bool new)
blk_sync_queue(ctrl->admin_q);
out_stop_queue:
nvme_tcp_stop_queue(ctrl, 0);
- nvme_cancel_admin_tagset(ctrl);
out_cleanup_tagset:
+ nvme_cancel_admin_tagset(ctrl);
if (new)
nvme_remove_admin_tag_set(ctrl);
out_free_queue:
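Review bot: Moving nvme_cancel_admin_tagset() from under out_stop_queue to under out_cleanup_tagset changes which paths cancel outstanding admin requests: every goto out_cleanup_tagset now runs the cancel before nvme_remove_admin_tag_set() releases the tag set, which is the ordering a use-after-free on the TLS setup failure path needs, but it also means the cancel now runs on paths that never went through nvme_tcp_stop_queue(ctrl, 0). The patch description should state that nvme_cancel_admin_tagset() is safe to call against an admin queue that was never started, and a Fixes: tag naming the change that introduced the current ordering would help stable backports.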
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich