[PATCH] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
Keith Busch
kbusch at kernel.org
Thu Feb 5 07:17:51 PST 2026
On Wed, Jan 28, 2026 at 09:41:07AM +0900, YunJe Shin wrote:
> nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU
> length or offset exceeds sg_cnt and then use bogus sg->length/offset
> values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining
> entries, and sg->length/offset before building the bvec.
Thanks, applied now.
More information about the Linux-nvme
mailing list