[PATCH 1/2] nvme-tcp: sanitize request list handling
Sagi Grimberg
sagi at grimberg.me
Mon Apr 28 04:24:07 PDT 2025
On 28/04/2025 9:50, Hannes Reinecke wrote:
> Validate the request in nvme_tcp_handle_r2t() to ensure it's not
> part of any list, otherwise a malicious R2T PDU might inject a
> loop in request list processing.
>
> Signed-off-by: Hannes Reinecke <hare at kernel.org>
> ---
> drivers/nvme/host/tcp.c | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
> index a9d455c39652..10ccd7cf5b8c 100644
> --- a/drivers/nvme/host/tcp.c
> +++ b/drivers/nvme/host/tcp.c
> @@ -452,7 +452,8 @@ nvme_tcp_fetch_request(struct nvme_tcp_queue *queue)
> return NULL;
> }
>
> - list_del(&req->entry);
> + list_del_init(&req->entry);
> + init_llist_node(&req->lentry);
> return req;
> }
>
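Review bot: the init_llist_node(&req->lentry) added here is only correct if req is no longer reachable from the llist it was queued on; resetting the next pointer of a node that is still linked would corrupt that list. A one-line comment stating that the llist has already been drained by the time nvme_tcp_fetch_request() runs, and that the switch from list_del() to list_del_init() plus this reset is what the R2T-side validation described in the commit message relies on, would make the invariant visible. Any other path that unlinks a request with a plain list_del() needs the same treatment, otherwise a later membership test on req->entry sees stale state.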
> @@ -560,6 +561,8 @@ static int nvme_tcp_init_request(struct blk_mq_tag_set *set,
> req->queue = queue;
> nvme_req(rq)->ctrl = &ctrl->ctrl;
> nvme_req(rq)->cmd = &pdu->cmd;
> + init_llist_node(&req->lentry);
> + INIT_LIST_HEAD(&req->entry);
>
> return 0;
> }
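Review bot: initialising req->entry and req->lentry in nvme_tcp_init_request() covers the first use, but init_request runs when the tag set is set up, not on every I/O, so a request that is completed or torn down without passing through nvme_tcp_fetch_request() keeps whatever link state it last had. The completion and error paths should reset both nodes the same way (INIT_LIST_HEAD()/init_llist_node()), or the validation in nvme_tcp_handle_r2t() is only as reliable as the last fetch.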
> @@ -764,6 +767,15 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue,
> return -EPROTO;
> }
>
> + if (queue->request == req ||
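Review bot: the condition is cut off on the page after `queue->request == req ||`, so only its first operand can be reviewed, and that operand compares against the queue's in-flight request pointer rather than testing list membership, which is what the commit message says the check is for. With the earlier hunks leaving req->entry initialised-empty and req->lentry initialised, the membership test can be written as `!list_empty(&req->entry) || llist_on_list(&req->lentry)` (llist_on_list() is the counterpart of init_llist_node()), without referring to queue->request at all, which the reply below notes may legitimately still point at req while the R2T is handled.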
This is wrong, please remove this condition. queue->request can still
reference the request when handling r2t.