nvme-tcp uaf when tls setup fails

Daniel Wagner dwagner at suse.de
Mon Oct 14 06:55:47 PDT 2024


On Mon, Oct 14, 2024 at 03:18:27PM GMT, Hannes Reinecke wrote:
> On 10/14/24 15:14, Daniel Wagner wrote:
> > > The logs say that the connect to queue 3 fails, but it seems this
> > > command never got sent out (ftrace):
> > > 
> > >      kworker/4:0H-759     [004] .....  8771.165686: nvme_setup_cmd: nvme1: qid=0, cmdid=0, nsid=1, flags=0x0, meta=0x0, cmd=(nvme_fabrics_type_connect recfmt=0, qid=1, sqsize=127, cattr=0, kato=0)
> > >            <idle>-0       [004] ..s1.  8771.172062: nvme_complete_rq: nvme1: qid=0, cmdid=0, res=0x1, retries=0, flags=0x0, status=0x0
> > >      kworker/5:0H-796     [005] .....  8771.172422: nvme_setup_cmd: nvme1: qid=0, cmdid=0, nsid=1, flags=0x0, meta=0x0, cmd=(nvme_fabrics_type_connect recfmt=0, qid=2, sqsize=127, cattr=0, kato=0)
> > >            <idle>-0       [005] ..s1.  8771.178292: nvme_complete_rq: nvme1: qid=0, cmdid=0, res=0x1, retries=0, flags=0x0, status=0x0
> > > 
> > > And it is very reliable to reproduce it.
> > 
> > It is also reproducible without TLS.
> 
> Does this help?
> 
> diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
> index 04f0ac57855e..12f8a97150af 100644
> --- a/drivers/nvme/host/tcp.c
> +++ b/drivers/nvme/host/tcp.c
> @@ -2163,8 +2163,8 @@ static int nvme_tcp_configure_admin_queue(struct
> nvme_ctrl *ctrl, bool new)
>         blk_sync_queue(ctrl->admin_q);
>  out_stop_queue:
>         nvme_tcp_stop_queue(ctrl, 0);
> -       nvme_cancel_admin_tagset(ctrl);
>  out_cleanup_tagset:
> +       nvme_cancel_admin_tagset(ctrl);
>         if (new)
>                 nvme_remove_admin_tag_set(ctrl);
>  out_free_queue:
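Review bot: the hunk lacks a rationale for why nvme_cancel_admin_tagset(ctrl) should move from the out_stop_queue path to the out_cleanup_tagset label; the only behavioural difference is that a direct jump to out_cleanup_tagset now cancels the admin tagset before nvme_remove_admin_tag_set(ctrl), without nvme_tcp_stop_queue(ctrl, 0) having run, so the commit message should name the error path that leaves admin requests outstanding there and confirm cancelling is safe on a queue that was never stopped. The trace quoted above also shows the failure during the IO queue connects (qid=1 and qid=2 complete, queue 3 fails), which is not this admin-queue error path, so the change is unlikely to address the reported use-after-free on its own.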

No, nvme_tcp_configure_io_queue fails and not
nvme_tcp_configure_admin_queue. I wonder if the queue flag
NVME_TCP_Q_ALLOCATED is preventing a proper cleanup. The flag will be set
only if the complete allocation went through.
