From: Hannes Reinecke hare@kernel.org
[ Upstream commit 0bf04c874fcb1ae46a863034296e4b33d8fbd66c ]
Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a loop in request list processing.
Signed-off-by: Hannes Reinecke hare@kernel.org Reviewed-by: Sagi Grimberg sagi@grimberg.me Signed-off-by: Christoph Hellwig hch@lst.de Signed-off-by: Sasha Levin sashal@kernel.org ---
Based on my analysis of the commit message and code changes, I provide the following assessment:
**YES**, this commit should be backported to stable kernel trees.
## Extensive Explanation:
### 1. **Security Vulnerability Fix** This commit fixes a serious security vulnerability where a malicious NVMe-TCP target can inject loops in request list processing. The code changes show clear validation being added to prevent this attack:
```c if (llist_on_list(&req->lentry) || !list_empty(&req->entry)) { dev_err(queue->ctrl->ctrl.device, "req %d unexpected r2t while processing request\n", rq->tag); return -EPROTO; } ```
### 2. **Attack Vector and Impact** The vulnerability allows a compromised storage target to send R2T (Ready to Transfer) PDUs for requests that are already being processed. Without this validation: - The same request could be added to lists multiple times - This creates circular references or list corruption - Can lead to infinite loops, system hangs, or memory corruption - Potential for arbitrary code execution through use-after-free conditions
### 3. **Minimal and Contained Fix** The fix is: - Small in scope (only touches request list handling) - Well-contained to the nvme-tcp subsystem - Adds simple validation checks without architectural changes - Initializes list nodes properly to maintain clean state
### 4. **Clear Bug Fix Pattern** Looking at the similar commits provided: - Commit #3 (marked YES for backport) also fixed a validation issue in nvme-tcp - This follows the same pattern of adding necessary validation to prevent malicious behavior - It's fixing a clear bug rather than adding features or optimizations
### 5. **High Security Impact** This vulnerability affects: - Any system using NVMe-TCP with untrusted storage targets - Cloud environments and multi-tenant storage systems - Data centers with NVMe-over-Fabrics deployments
The security impact is significant enough to warrant backporting to protect stable kernel users.
### 6. **No Complex Dependencies** The changes are self-contained and don't depend on major architectural changes or new features. The fix: - Uses existing list handling APIs (`llist_on_list`, `list_empty`) - Adds proper initialization with standard macros - Returns existing error codes (`-EPROTO`)
### 7. **Follows Stable Kernel Rules** This commit clearly follows stable kernel criteria: - Fixes a real bug that affects users (security vulnerability) - Small change with minimal risk - No new features or architectural changes - Important for system security and stability
The commit prevents a serious security issue where malicious storage devices could compromise system stability or potentially gain unauthorized access through memory corruption. This makes it a critical candidate for stable kernel backporting.
drivers/nvme/host/tcp.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 599f7406b5945..cc4a80b021d58 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -452,7 +452,8 @@ nvme_tcp_fetch_request(struct nvme_tcp_queue *queue) return NULL; }
- list_del(&req->entry); + list_del_init(&req->entry); + init_llist_node(&req->lentry); return req; }
@@ -560,6 +561,8 @@ static int nvme_tcp_init_request(struct blk_mq_tag_set *set, req->queue = queue; nvme_req(rq)->ctrl = &ctrl->ctrl; nvme_req(rq)->cmd = &pdu->cmd; + init_llist_node(&req->lentry); + INIT_LIST_HEAD(&req->entry);
return 0; } @@ -764,6 +767,14 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue, return -EPROTO; }
+ if (llist_on_list(&req->lentry) || + !list_empty(&req->entry)) { + dev_err(queue->ctrl->ctrl.device, + "req %d unexpected r2t while processing request\n", + rq->tag); + return -EPROTO; + } + req->pdu_len = 0; req->h2cdata_left = r2t_length; req->h2cdata_offset = r2t_offset; @@ -2641,6 +2652,8 @@ static void nvme_tcp_submit_async_event(struct nvme_ctrl *arg) ctrl->async_req.offset = 0; ctrl->async_req.curr_bio = NULL; ctrl->async_req.data_len = 0; + init_llist_node(&ctrl->async_req.lentry); + INIT_LIST_HEAD(&ctrl->async_req.entry);
nvme_tcp_queue_request(&ctrl->async_req, true, true); }