nvmet-tcp: fix a crash in nvmet_req_complete()

maurizio-lombardi · keithbusch · commit 0849a5441358 · 2024-01-02T12:56:19.000-08:00
in nvmet_tcp_handle_h2c_data_pdu(), if the host sends a data_offset different from rbytes_done, the driver ends up calling nvmet_req_complete() passing a status error. The problem is that at this point cmd->req is not yet initialized, the kernel will crash after dereferencing a NULL pointer. Fix the bug by replacing the call to nvmet_req_complete() with nvmet_tcp_fatal_error(). Fixes: 872d26a ("nvmet-tcp: add NVMe over TCP target driver") Reviewed-by: Keith Busch <kbsuch@kernel.org> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
@@ -998,8 +998,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
 			data->ttag, le32_to_cpu(data->data_offset),
 			cmd->rbytes_done);
 		/* FIXME: use path and transport errors */
-		nvmet_req_complete(&cmd->req,
-			NVME_SC_INVALID_FIELD | NVME_SC_DNR);
+		nvmet_tcp_fatal_error(queue);
 		return -EPROTO;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -998,8 +998,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)`
`998`	`998`	`data->ttag, le32_to_cpu(data->data_offset),`
`999`	`999`	`cmd->rbytes_done);`
`1000`	`1000`	`/* FIXME: use path and transport errors */`
`1001`		`- nvmet_req_complete(&cmd->req,`
`1002`		`- NVME_SC_INVALID_FIELD \| NVME_SC_DNR);`
	`1001`	`+ nvmet_tcp_fatal_error(queue);`
`1003`	`1002`	`return -EPROTO;`
`1004`	`1003`	`}`
`1005`	`1004`