From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Varun Prakash <varun@chelsio.com>,
Sagi Grimberg <sagi@grimberg.me>, Christoph Hellwig <hch@lst.de>,
Sasha Levin <sashal@kernel.org>,
kbusch@kernel.org, axboe@fb.com, linux-nvme@lists.infradead.org
Subject: [PATCH AUTOSEL 5.15 43/68] nvme-tcp: validate R2T PDU in nvme_tcp_handle_r2t()
Date: Tue, 30 Nov 2021 09:46:39 -0500 [thread overview]
Message-ID: <20211130144707.944580-43-sashal@kernel.org> (raw)
In-Reply-To: <20211130144707.944580-1-sashal@kernel.org>
From: Varun Prakash <varun@chelsio.com>
[ Upstream commit 1d3ef9c3a39e04be31155c27ebf80342350c3abf ]
If maxh2cdata < r2t_length then driver will form multiple
H2CData PDUs, validate R2T PDU in nvme_tcp_handle_r2t() to
reuse nvme_tcp_setup_h2c_data_pdu().
Also set req->state to NVME_TCP_SEND_H2C_PDU in
nvme_tcp_setup_h2c_data_pdu().
Signed-off-by: Varun Prakash <varun@chelsio.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/tcp.c | 55 ++++++++++++++++++-----------------------
1 file changed, 24 insertions(+), 31 deletions(-)
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 4ae562d30d2b9..da733749192c6 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -572,7 +572,7 @@ static int nvme_tcp_handle_comp(struct nvme_tcp_queue *queue,
return ret;
}
-static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req,
+static void nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req,
struct nvme_tcp_r2t_pdu *pdu)
{
struct nvme_tcp_data_pdu *data = req->pdu;
@@ -581,32 +581,11 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req,
u8 hdgst = nvme_tcp_hdgst_len(queue);
u8 ddgst = nvme_tcp_ddgst_len(queue);
+ req->state = NVME_TCP_SEND_H2C_PDU;
+ req->offset = 0;
req->pdu_len = le32_to_cpu(pdu->r2t_length);
req->pdu_sent = 0;
- if (unlikely(!req->pdu_len)) {
- dev_err(queue->ctrl->ctrl.device,
- "req %d r2t len is %u, probably a bug...\n",
- rq->tag, req->pdu_len);
- return -EPROTO;
- }
-
- if (unlikely(req->data_sent + req->pdu_len > req->data_len)) {
- dev_err(queue->ctrl->ctrl.device,
- "req %d r2t len %u exceeded data len %u (%zu sent)\n",
- rq->tag, req->pdu_len, req->data_len,
- req->data_sent);
- return -EPROTO;
- }
-
- if (unlikely(le32_to_cpu(pdu->r2t_offset) < req->data_sent)) {
- dev_err(queue->ctrl->ctrl.device,
- "req %d unexpected r2t offset %u (expected %zu)\n",
- rq->tag, le32_to_cpu(pdu->r2t_offset),
- req->data_sent);
- return -EPROTO;
- }
-
memset(data, 0, sizeof(*data));
data->hdr.type = nvme_tcp_h2c_data;
data->hdr.flags = NVME_TCP_F_DATA_LAST;
@@ -622,7 +601,6 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req,
data->command_id = nvme_cid(rq);
data->data_offset = pdu->r2t_offset;
data->data_length = cpu_to_le32(req->pdu_len);
- return 0;
}
static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue,
@@ -630,7 +608,7 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue,
{
struct nvme_tcp_request *req;
struct request *rq;
- int ret;
+ u32 r2t_length = le32_to_cpu(pdu->r2t_length);
rq = nvme_find_rq(nvme_tcp_tagset(queue), pdu->command_id);
if (!rq) {
@@ -641,13 +619,28 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue,
}
req = blk_mq_rq_to_pdu(rq);
- ret = nvme_tcp_setup_h2c_data_pdu(req, pdu);
- if (unlikely(ret))
- return ret;
+ if (unlikely(!r2t_length)) {
+ dev_err(queue->ctrl->ctrl.device,
+ "req %d r2t len is %u, probably a bug...\n",
+ rq->tag, r2t_length);
+ return -EPROTO;
+ }
- req->state = NVME_TCP_SEND_H2C_PDU;
- req->offset = 0;
+ if (unlikely(req->data_sent + r2t_length > req->data_len)) {
+ dev_err(queue->ctrl->ctrl.device,
+ "req %d r2t len %u exceeded data len %u (%zu sent)\n",
+ rq->tag, r2t_length, req->data_len, req->data_sent);
+ return -EPROTO;
+ }
+
+ if (unlikely(le32_to_cpu(pdu->r2t_offset) < req->data_sent)) {
+ dev_err(queue->ctrl->ctrl.device,
+ "req %d unexpected r2t offset %u (expected %zu)\n",
+ rq->tag, le32_to_cpu(pdu->r2t_offset), req->data_sent);
+ return -EPROTO;
+ }
+ nvme_tcp_setup_h2c_data_pdu(req, pdu);
nvme_tcp_queue_request(req, false, true);
return 0;
--
2.33.0
next prev parent reply other threads:[~2021-11-30 14:49 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-30 14:45 [PATCH AUTOSEL 5.15 01/68] ASoC: mediatek: mt8173-rt5650: Rename Speaker control to Ext Spk Sasha Levin
2021-11-30 14:45 ` [PATCH AUTOSEL 5.15 02/68] ASoC: Intel: sof_sdw: Add support for SKU 0AF3 product Sasha Levin
2021-11-30 14:45 ` [PATCH AUTOSEL 5.15 03/68] ASoC: Intel: soc-acpi: add SKU 0AF3 SoundWire configuration Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 04/68] ASoC: Intel: sof_sdw: Add support for SKU 0B00 and 0B01 products Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 05/68] ASoC: Intel: sof_sdw: Add support for SKU 0B11 product Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 06/68] ASoC: Intel: sof_sdw: Add support for SKU 0B13 product Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 07/68] ASoC: Intel: soc-acpi: add SKU 0B13 SoundWire configuration Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 08/68] ASoC: Intel: sof_sdw: Add support for SKU 0B29 product Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 09/68] ASoC: Intel: soc-acpi: add SKU 0B29 SoundWire configuration Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 10/68] ASoC: Intel: sof_sdw: Add support for SKU 0B12 product Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 11/68] ASoC: rt5682: Avoid the unexpected IRQ event during going to suspend Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 12/68] ASoC: rt5682: Re-detect the combo jack after resuming Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 13/68] ASoC: mediatek: mt8173: Fix debugfs registration for components Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 14/68] ASoC: qdsp6: q6adm: improve error reporting Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 15/68] ASoC: qdsp6: q6routing: validate port id before setting up route Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 16/68] xen/privcmd: make option visible in Kconfig Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 17/68] NFSv4.1: handle NFS4ERR_NOSPC by CREATE_SESSION Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 18/68] scsi: ufs: ufshpb: Fix warning in ufshpb_set_hpb_read_to_upiu() Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 19/68] scsi: scsi_debug: Fix type in min_t to avoid stack OOB Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 20/68] scsi: ufs: ufs-mediatek: Add put_device() after of_find_device_by_node() Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 21/68] atlantic: fix double-free in aq_ring_tx_clean Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 22/68] stmmac_pci: Fix underflow size in stmmac_rx Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 23/68] HID: ft260: fix i2c probing for hwmon devices Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 24/68] HID: Ignore battery for Elan touchscreen on HP Envy X360 15-eu0xxx Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 25/68] HID: multitouch: Fix Iiyama ProLite T1931SAW (0eef:0001 again!) Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 26/68] parisc: Increase FRAME_WARN to 2048 bytes on parisc Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 27/68] parisc: Provide an extru_safe() macro to extract unsigned bits Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 28/68] parisc: Fix extraction of hash lock bits in syscall.S Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 29/68] parisc: Convert PTE lookup to use extru_safe() macro Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 30/68] selftests/tc-testing: match any qdisc type Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 31/68] selftests/tc-testings: Be compatible with newer tc output Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 32/68] block: avoid to touch unloaded module instance when opening bdev Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 33/68] scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 34/68] locking/rwsem: Optimize down_read_trylock() under highly contended case Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 35/68] i2c: i801: Fix interrupt storm from SMB_ALERT signal Sasha Levin
2021-12-03 8:30 ` Jean Delvare
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 36/68] mmc: spi: Add device-tree SPI IDs Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 37/68] net: chelsio: cxgb4vf: Fix an error code in cxgb4vf_pci_probe() Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 38/68] cifs: populate server_hostname for extra channels Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 39/68] smb2: clarify rc initialization in smb2_reconnect Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 40/68] nvmet-tcp: fix a race condition between release_queue and io_work Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 41/68] nvmet-tcp: add an helper to free the cmd buffers Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 42/68] nvmet-tcp: fix memory leak when performing a controller reset Sasha Levin
2021-11-30 14:46 ` Sasha Levin [this message]
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 44/68] nvme-tcp: fix memory leak when freeing a queue Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 45/68] nvme-pci: add NO APST quirk for Kioxia device Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 46/68] nvme-fabrics: ignore invalid fast_io_fail_tmo values Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 47/68] nvme: fix write zeroes pi Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 48/68] xen: add "not_essential" flag to struct xenbus_driver Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 49/68] xen: flag xen_drm_front to be not essential for system boot Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 50/68] xen: flag hvc_xen " Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 51/68] xen: flag pvcalls-front " Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 52/68] xen: flag xen_snd_front " Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 53/68] x86/boot: Mark prepare_command_line() __init Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 54/68] PM: hibernate: Fix snapshot partial write lengths Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 55/68] drm/amdgpu: Fix MMIO HDP flush on SRIOV Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 56/68] drm/amdgpu: Fix double free of dmabuf Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 57/68] drm/amd/display: Fixed DSC would not PG after removing DSC stream Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 58/68] drm/amdkfd: handle VMA remove race Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 59/68] drm/amdgpu: fix byteorder error in amdgpu discovery Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 60/68] drm/amd/display: update bios scratch when setting backlight Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 61/68] vhost-vdpa: clean irqs before reseting vdpa device Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 62/68] MIPS: boot/compressed/: add __ashldi3 to target for ZSTD compression Sasha Levin
2021-11-30 14:46 ` [PATCH AUTOSEL 5.15 63/68] nfc: virtual_ncidev: change default device permissions Sasha Levin
2021-11-30 14:47 ` [PATCH AUTOSEL 5.15 64/68] net: qed: fix the array may be out of bound Sasha Levin
2021-11-30 14:47 ` [PATCH AUTOSEL 5.15 65/68] net: mscc: ocelot: create a function that replaces an existing VCAP filter Sasha Levin
2021-12-04 14:46 ` Vladimir Oltean
2021-11-30 14:47 ` [PATCH AUTOSEL 5.15 66/68] net: ptp: add a definition for the UDP port for IEEE 1588 general messages Sasha Levin
2021-11-30 14:47 ` [PATCH AUTOSEL 5.15 67/68] io_uring: Fix undefined-behaviour in io_issue_sqe Sasha Levin
2021-11-30 14:47 ` [PATCH AUTOSEL 5.15 68/68] fs: ntfs: Limit NTFS_RW to page sizes smaller than 64k Sasha Levin
2021-11-30 15:16 ` [PATCH AUTOSEL 5.15 01/68] ASoC: mediatek: mt8173-rt5650: Rename Speaker control to Ext Spk Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211130144707.944580-43-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=axboe@fb.com \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
--cc=stable@vger.kernel.org \
--cc=varun@chelsio.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).