nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length - linux/linux-stable.git

diff options

author	Maurizio Lombardi <mlombard@redhat.com>	2023-12-22 16:17:48 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-01-25 14:34:31 -0800
commit	ee5e7632e981673f42a50ade25e71e612e543d9d (patch)
tree	a1f5b826239e66ef375e51bd04420a4d93e12d52 /lib/test_overflow.c
parent	887ab0a444f0ab9738d55b3dd6293d9a84cb5ac8 (diff)

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

[ Upstream commit efa56305908ba20de2104f1b8508c6a7401833be ] If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec(). Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp] Call trace: process_one_work+0x174/0x3c8 worker_thread+0x2d0/0x3e8 kthread+0x104/0x110 Fix the bug by raising a fatal error if DATAL isn't coherent with the packet size. Also, the PDU length should never exceed the MAXH2CDATA parameter which has been communicated to the host in nvmet_tcp_handle_icreq(). Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver") Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

Diffstat (limited to 'lib/test_overflow.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: