All of lore.kernel.org
From: Keith Busch <kbusch@kernel.org>
To: Shivam Kumar <kumar.shivam43666@gmail.com>
Cc: linux-nvme@lists.infradead.org, axboe@kernel.dk,
	sagi@grimberg.me, kch@nvidia.com, hch@lst.de,
	gregkh@linuxfoundation.org
Subject: Re: [PATCH v3] nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Date: Fri, 9 Jan 2026 07:54:54 -0700
Message-ID: <aWEWvtMsh-aSViGy@kbusch-mbp>
In-Reply-To: <20251213185748.1060422-1-kumar.shivam43666@gmail.com>

On Sat, Dec 13, 2025 at 01:57:48PM -0500, Shivam Kumar wrote:
> Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
> added ttag bounds checking and data_offset
> validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
> whether the command's data structures (cmd->req.sg and cmd->iov) have
> been properly initialized before processing H2C_DATA PDUs.
> 
> The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
> without NULL checks. This can be triggered by sending an H2C_DATA PDU
> immediately after the ICREQ/ICRESP handshake, before
> sending a CONNECT command or an NVMe write command.
> 
> Attack vectors that trigger NULL pointer dereferences:
> 1. H2C_DATA PDU sent before CONNECT -> both pointers NULL
> 2. H2C_DATA PDU for READ command -> cmd->req.sg allocated, cmd->iov NULL
> 3. H2C_DATA PDU for uninitialized command slot -> both pointers NULL
> 
> The fix validates both cmd->req.sg and cmd->iov before calling
> nvmet_tcp_build_pdu_iovec(). Both checks are required because:
> - Uninitialized commands: both NULL
> - READ commands: cmd->req.sg allocated, cmd->iov NULL
> - WRITE commands: both allocated

Thanks, applied.


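The commit message above lists three command-slot states and argues that both pointer checks are needed. The following is an added, stand-alone C model of that argument; it is not the kernel's nvmet_tcp code, and struct cmd, build_pdu_iovec(), handle_h2c_data() and the sg/iov stand-ins are simplified assumptions that mirror the description rather than the real structures.

```c
/* Added example (not the kernel's nvmet_tcp code): a stand-alone model of the
 * check the commit message describes. struct cmd, build_pdu_iovec() and
 * handle_h2c_data() are simplified assumptions, not kernel definitions. */
#include <stddef.h>
#include <stdio.h>

/* Stand-ins (assumed) for the kernel's scatterlist entry and kvec. */
struct sg_entry { size_t length; };
struct iov_entry { void *base; size_t len; };

/* Assumed shape of a target-side command slot. Per the commit message:
 *   uninitialized slot  -> req.sg == NULL, iov == NULL
 *   READ command        -> req.sg allocated, iov == NULL
 *   WRITE command       -> both allocated */
struct cmd {
	struct { struct sg_entry *sg; unsigned int sg_cnt; } req;
	struct iov_entry *iov;
	unsigned int nr_mapped;
};

enum h2c_result { H2C_OK = 0, H2C_REJECT_NO_SG = 1, H2C_REJECT_NO_IOV = 2 };

/* Model of nvmet_tcp_build_pdu_iovec(): walks req.sg and fills iov. It has
 * no NULL checks of its own, so calling it on a slot with either pointer
 * NULL is exactly the dereference the patch prevents. */
static unsigned int build_pdu_iovec(struct cmd *c)
{
	unsigned int i;

	for (i = 0; i < c->req.sg_cnt; i++) {
		c->iov[i].base = &c->req.sg[i];
		c->iov[i].len = c->req.sg[i].length;
	}
	c->nr_mapped = i;
	return i;
}

/* Before the fix: an H2C_DATA PDU goes straight to build_pdu_iovec().
 * Calling this on an uninitialized or READ slot crashes; only a WRITE
 * slot is safe here. */
unsigned int handle_h2c_data_unchecked(struct cmd *c)
{
	return build_pdu_iovec(c);
}

/* After the fix: reject the PDU unless both pointers are set. The second
 * check is not redundant: a READ slot passes the first and fails the second. */
enum h2c_result handle_h2c_data(struct cmd *c)
{
	if (!c->req.sg)
		return H2C_REJECT_NO_SG;
	if (!c->iov)
		return H2C_REJECT_NO_IOV;
	build_pdu_iovec(c);
	return H2C_OK;
}

/* Constructed slots for the three cases in the commit message. */
enum h2c_result case_uninitialized(void)
{
	struct cmd c = { 0 };
	return handle_h2c_data(&c);
}

enum h2c_result case_read(void)
{
	static struct sg_entry sg[2] = { { 4096 }, { 4096 } };
	struct cmd c = { 0 };
	c.req.sg = sg;
	c.req.sg_cnt = 2;
	return handle_h2c_data(&c);
}

/* WRITE slot: returns the number of iov entries mapped, or 0 if rejected. */
unsigned int case_write_mapped(void)
{
	static struct sg_entry sg[2] = { { 4096 }, { 512 } };
	static struct iov_entry iov[2];
	struct cmd c = { 0 };
	c.req.sg = sg;
	c.req.sg_cnt = 2;
	c.iov = iov;
	if (handle_h2c_data(&c) != H2C_OK)
		return 0;
	return c.nr_mapped;
}

int main(void)
{
	printf("uninitialized slot: %d\n", case_uninitialized()); /* 1: no sg */
	printf("READ slot: %d\n", case_read());                    /* 2: no iov */
	printf("WRITE slot mapped: %u\n", case_write_mapped());   /* 2 */
	return 0;
}
```

Dropping either check in handle_h2c_data() and re-running case_read() is the quickest way to see why the commit message insists on both: a READ slot has a valid req.sg, so an sg-only check lets the PDU through to the iov dereference.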
Thread overview: 8+ messages
     [not found] <BL3PR01MB684908447A2F3F7D2AFC57DAC8A3A@BL3PR01MB6849.prod.exchangelabs.com>
2025-12-12 19:31 ` [PATCH] NVMe/TCP: Fixed the out of order H2C PDU Crash Shivam
2025-12-12 20:11   ` Jens Axboe
2025-12-12 21:08     ` [PATCH v2] nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Shivam
2025-12-12 21:15       ` Jens Axboe
2025-12-13 13:13       ` Sagi Grimberg
2025-12-13 13:22       ` Greg KH
2025-12-13 18:57     ` [PATCH v3] " Shivam Kumar
2026-01-09 14:54       ` Keith Busch [this message]
