* [PATCH] nvme-tcp: don't access released socket during error recovery
@ 2023-02-26 12:42 Akinobu Mita
2023-02-27 8:28 ` Hannes Reinecke
2023-02-27 14:06 ` Christoph Hellwig
From: Akinobu Mita @ 2023-02-26 12:42 UTC (permalink / raw)
To: linux-nvme
Cc: Akinobu Mita, Martin Belanger, Sagi Grimberg, Chaitanya Kulkarni,
Christoph Hellwig, Keith Busch, Jens Axboe, Hannes Reinecke
While the error recovery work is temporarily failing reconnect attempts,
running the 'nvme list' command causes a kernel NULL pointer dereference
by calling getsockname() with a released socket.
During error recovery work, the nvme tcp socket is released and a new one
created, so it is not safe to access the socket without a proper check.
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Fixes: 02c57a82c008 ("nvme-tcp: print actual source IP address through sysfs "address" attr")
Cc: Martin Belanger <martin.belanger@dell.com>
Cc: Sagi Grimberg <sagi@grimberg.me>
Cc: Chaitanya Kulkarni <kch@nvidia.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>
Cc: Jens Axboe <axboe@fb.com>
Cc: Hannes Reinecke <hare@suse.de>
---
drivers/nvme/host/tcp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 1955c0ec209e..7723a4989524 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -2492,6 +2492,10 @@ static int nvme_tcp_get_address(struct nvme_ctrl *ctrl, char *buf, int size)
len = nvmf_get_address(ctrl, buf, size);
+ mutex_lock(&queue->queue_lock);
+
+ if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags))
+ goto done;
ret = kernel_getsockname(queue->sock, (struct sockaddr *)&src_addr);
if (ret > 0) {
if (len > 0)
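Review bot: the hunk dereferences `queue` and takes `queue->queue_lock`, but neither the function signature in the `@@` header (`struct nvme_ctrl *ctrl, char *buf, int size`) nor the visible context shows where `queue` is derived from `ctrl`; the commit message should state which queue's socket is consulted so a reader can confirm the lock covers the socket actually passed to `kernel_getsockname()`. The `NVME_TCP_Q_LIVE` test is only a fix if the teardown path clears that bit under the same `queue_lock` before `queue->sock` is released; that invariant is the whole point of the change and deserves a sentence in the commit message. Minor: when the queue is not live the early `goto done` omits the `src_addr=` field entirely, so the sysfs `address` output changes shape during recovery rather than reporting an error, which is worth mentioning for anyone parsing it.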
@@ -2499,6 +2503,8 @@ static int nvme_tcp_get_address(struct nvme_ctrl *ctrl, char *buf, int size)
len += scnprintf(buf + len, size - len, "%ssrc_addr=%pISc\n",
(len) ? "," : "", &src_addr);
}
+done:
+ mutex_unlock(&queue->queue_lock);
return len;
}
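Review bot: the single `done:` label in front of `mutex_unlock()` is the right shape, since both the early `goto done` and the normal path release `queue_lock` exactly once. Style point: the `scnprintf()` into `buf` runs under `queue_lock` although only the `kernel_getsockname()` copy of the peer address into the stack variable `src_addr` needs the socket to stay alive; placing `done:` and the unlock directly after the `kernel_getsockname()` call and formatting the result afterwards would keep the critical section to the socket access alone.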
--
2.34.1
* Re: [PATCH] nvme-tcp: don't access released socket during error recovery
2023-02-26 12:42 [PATCH] nvme-tcp: don't access released socket during error recovery Akinobu Mita
@ 2023-02-27 8:28 ` Hannes Reinecke
2023-02-27 11:50 ` Belanger, Martin
2023-02-27 14:06 ` Christoph Hellwig
From: Hannes Reinecke @ 2023-02-27 8:28 UTC (permalink / raw)
To: Akinobu Mita, linux-nvme
Cc: Martin Belanger, Sagi Grimberg, Chaitanya Kulkarni,
Christoph Hellwig, Keith Busch, Jens Axboe
On 2/26/23 13:42, Akinobu Mita wrote:
> While the error recovery work is temporarily failing reconnect attempts,
> running the 'nvme list' command causes a kernel NULL pointer dereference
> by calling getsockname() with a released socket.
>
> During error recovery work, the nvme tcp socket is released and a new one
> created, so it is not safe to access the socket without a proper check.
>
> Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
> Fixes: 02c57a82c008 ("nvme-tcp: print actual source IP address through sysfs "address" attr")
> Cc: Martin Belanger <martin.belanger@dell.com>
> Cc: Sagi Grimberg <sagi@grimberg.me>
> Cc: Chaitanya Kulkarni <kch@nvidia.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Keith Busch <kbusch@kernel.org>
> Cc: Jens Axboe <axboe@fb.com>
> Cc: Hannes Reinecke <hare@suse.de>
> ---
> drivers/nvme/host/tcp.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
> index 1955c0ec209e..7723a4989524 100644
> --- a/drivers/nvme/host/tcp.c
> +++ b/drivers/nvme/host/tcp.c
> @@ -2492,6 +2492,10 @@ static int nvme_tcp_get_address(struct nvme_ctrl *ctrl, char *buf, int size)
>
> len = nvmf_get_address(ctrl, buf, size);
>
> + mutex_lock(&queue->queue_lock);
> +
> + if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags))
> + goto done;
> ret = kernel_getsockname(queue->sock, (struct sockaddr *)&src_addr);
> if (ret > 0) {
> if (len > 0)
> @@ -2499,6 +2503,8 @@ static int nvme_tcp_get_address(struct nvme_ctrl *ctrl, char *buf, int size)
> len += scnprintf(buf + len, size - len, "%ssrc_addr=%pISc\n",
> (len) ? "," : "", &src_addr);
> }
> +done:
> + mutex_unlock(&queue->queue_lock);
>
> return len;
> }
Reviewed-by: Hannes Reinecke <hare@suse.de>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew
Myers, Andrew McDonald, Martje Boudien Moerman
* RE: [PATCH] nvme-tcp: don't access released socket during error recovery
2023-02-27 8:28 ` Hannes Reinecke
@ 2023-02-27 11:50 ` Belanger, Martin
From: Belanger, Martin @ 2023-02-27 11:50 UTC (permalink / raw)
To: Hannes Reinecke, Akinobu Mita, linux-nvme@lists.infradead.org
Cc: Sagi Grimberg, Chaitanya Kulkarni, Christoph Hellwig, Keith Busch,
Jens Axboe
> On 2/26/23 13:42, Akinobu Mita wrote:
> > While the error recovery work is temporarily failing reconnect
> > attempts, running the 'nvme list' command causes a kernel NULL pointer
> > dereference by calling getsockname() with a released socket.
> >
> > During error recovery work, the nvme tcp socket is released and a new
> > one created, so it is not safe to access the socket without a proper check.
> >
> > Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
> > Fixes: 02c57a82c008 ("nvme-tcp: print actual source IP address through
> > sysfs "address" attr")
> > Cc: Martin Belanger <martin.belanger@dell.com>
> > Cc: Sagi Grimberg <sagi@grimberg.me>
> > Cc: Chaitanya Kulkarni <kch@nvidia.com>
> > Cc: Christoph Hellwig <hch@lst.de>
> > Cc: Keith Busch <kbusch@kernel.org>
> > Cc: Jens Axboe <axboe@fb.com>
> > Cc: Hannes Reinecke <hare@suse.de>
> > ---
> > drivers/nvme/host/tcp.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index
> > 1955c0ec209e..7723a4989524 100644
> > --- a/drivers/nvme/host/tcp.c
> > +++ b/drivers/nvme/host/tcp.c
> > @@ -2492,6 +2492,10 @@ static int nvme_tcp_get_address(struct
> > nvme_ctrl *ctrl, char *buf, int size)
> >
> > len = nvmf_get_address(ctrl, buf, size);
> >
> > + mutex_lock(&queue->queue_lock);
> > +
> > + if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags))
> > + goto done;
> > ret = kernel_getsockname(queue->sock, (struct sockaddr
> *)&src_addr);
> > if (ret > 0) {
> > if (len > 0)
> > @@ -2499,6 +2503,8 @@ static int nvme_tcp_get_address(struct
> nvme_ctrl *ctrl, char *buf, int size)
> > len += scnprintf(buf + len, size - len, "%ssrc_addr=%pISc\n",
> > (len) ? "," : "", &src_addr);
> > }
> > +done:
> > + mutex_unlock(&queue->queue_lock);
> >
> > return len;
> > }
> Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin Belanger <martin.belanger@dell.com>
* Re: [PATCH] nvme-tcp: don't access released socket during error recovery
2023-02-26 12:42 [PATCH] nvme-tcp: don't access released socket during error recovery Akinobu Mita
2023-02-27 8:28 ` Hannes Reinecke
@ 2023-02-27 14:06 ` Christoph Hellwig
From: Christoph Hellwig @ 2023-02-27 14:06 UTC (permalink / raw)
To: Akinobu Mita
Cc: linux-nvme, Martin Belanger, Sagi Grimberg, Chaitanya Kulkarni,
Christoph Hellwig, Keith Busch, Jens Axboe, Hannes Reinecke
Thanks,
applied to nvme-6.3.