summaryrefslogtreecommitdiffstats
path: root/drivers/nvme/target
diff options
context:
space:
mode:
authorSagi Grimberg <sagi@grimberg.me>2021-12-08 14:35:06 +0100
committerChristoph Hellwig <hch@lst.de>2021-12-08 16:36:58 +0100
commit30e32f300be6d0160fd1b3fc6d0f62917acd9be2 (patch)
tree9a1482fcff0fe270246b69859ac3ad601c38e16d /drivers/nvme/target
parentnvme: fix use after free when disconnecting a reconnecting ctrl (diff)
downloadlinux-30e32f300be6d0160fd1b3fc6d0f62917acd9be2.tar.xz
linux-30e32f300be6d0160fd1b3fc6d0f62917acd9be2.zip
nvmet-tcp: fix possible list corruption for unexpected command failure
nvmet_tcp_handle_req_failure needs to understand weather to prepare for incoming data or the next pdu. However if we misidentify this, we will wait for 0-length data, and queue the response although nvmet_req_init already did that. The particular command was namespace management command with no data, which was incorrectly categorized as a command with incapsule data. Also, add a code comment of what we are trying to do here. Signed-off-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Christoph Hellwig <hch@lst.de>
Diffstat (limited to 'drivers/nvme/target')
-rw-r--r--drivers/nvme/target/tcp.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index cb6a473c3eaf..7c1c43ce466b 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -922,7 +922,14 @@ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
size_t data_len = le32_to_cpu(req->cmd->common.dptr.sgl.length);
int ret;
- if (!nvme_is_write(cmd->req.cmd) ||
+ /*
+ * This command has not been processed yet, hence we are trying to
+ * figure out if there is still pending data left to receive. If
+ * we don't, we can simply prepare for the next pdu and bail out,
+ * otherwise we will need to prepare a buffer and receive the
+ * stale data before continuing forward.
+ */
+ if (!nvme_is_write(cmd->req.cmd) || !data_len ||
data_len > cmd->req.port->inline_data_size) {
nvmet_prepare_receive_pdu(queue);
return;