Message-Id: <D8DDP6LIPOKB.2ACTHLE9FPI2A@bsdbackstore.eu>
Date: Tue, 11 Mar 2025 11:52:24 +0100
From: "Maurizio Lombardi" <mlombard@...backstore.eu>
To: "zhang.guanghui@...tc.cn" <zhang.guanghui@...tc.cn>, "sagi"
 <sagi@...mberg.me>, "mgurtovoy" <mgurtovoy@...dia.com>, "kbusch"
 <kbusch@...nel.org>, "sashal" <sashal@...nel.org>, "chunguang.xu"
 <chunguang.xu@...pee.com>
Cc: "linux-kernel" <linux-kernel@...r.kernel.org>, "linux-nvme"
 <linux-nvme@...ts.infradead.org>, "linux-block"
 <linux-block@...r.kernel.org>
Subject: Re: nvme-tcp: fix a possible UAF when failing to send request【请注意，邮件由sagigrim@...il.com代发】

On Fri Mar 7, 2025 at 11:10 AM CET, zhang.guanghui@...tc.cn wrote:
>
> Hi 
>
>         After testing this patch,   sending request failure occurred,   unfortunately, the issue still persists. 

Maybe I am completely wrong but I am still quite convinced that the problem here
is that, despite the nvme_tcp_try_send() failure, the target sends a response capsule
for the command, leading to a double-completion in the host.

Sagi, what about taking this patch: https://lore.kernel.org/linux-nvme/20250306160322.1370300-2-mlombard@redhat.com/T/#u
and do a step further by not completing the request, leaving the error
recovery handler the task of cleaning everything up?


diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 327f3f2f5399..72c1d7948386 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -1328,8 +1328,8 @@ static int nvme_tcp_try_send(struct nvme_tcp_queue *queue)
 	} else if (ret < 0) {
 		dev_err(queue->ctrl->ctrl.device,
 			"failed to send request %d\n", ret);
-		nvme_tcp_fail_request(queue->request);
 		nvme_tcp_done_send_req(queue);
+		nvme_tcp_error_recovery(&queue->ctrl->ctrl);
 	}
 out:
 	memalloc_noreclaim_restore(noreclaim_flag);


Maurizio

Powered by blists - more mailing lists