Commit 085b29b4 authored by Maurizio Lombardi, committed by Cheng Yu

nvmet-tcp: fix kernel crash if commands allocation fails

stable inclusion
from stable-v5.10.226
commit 50632b877ce55356f5d276b9add289b1e7ddc683
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYBC
CVE: CVE-2024-46737

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=50632b877ce55356f5d276b9add289b1e7ddc683



--------------------------------

[ Upstream commit 5572a55a6f830ee3f3a994b6b962a5c327d28cb3 ]

If the commands allocation fails in nvmet_tcp_alloc_cmds()
the kernel crashes in nvmet_tcp_release_queue_work() because of
a NULL pointer dereference.

  nvmet: failed to install queue 0 cntlid 1 ret 6
  Unable to handle kernel NULL pointer dereference at
         virtual address 0000000000000008

Fix the bug by setting queue->nr_cmds to zero in case
nvmet_tcp_alloc_cmd() fails.

Fixes: 872d26a3 ("nvmet-tcp: add NVMe over TCP target driver")
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Cheng Yu <serein.chengyu@huawei.com>
parent 58d44ef1
+3 −1
@@ -1786,8 +1786,10 @@ static u16 nvmet_tcp_install_queue(struct nvmet_sq *sq)
	}

	queue->nr_cmds = sq->size * 2;
	if (nvmet_tcp_alloc_cmds(queue))
	if (nvmet_tcp_alloc_cmds(queue)) {
		queue->nr_cmds = 0;
		return NVME_SC_INTERNAL;
	}
	return 0;
}
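
Review bot: The `queue->nr_cmds = 0;` reset in the new failure branch has no comment, and nothing in this hunk explains why a failed nvmet_tcp_alloc_cmds() must clear a count that was assigned two lines earlier. A one-line comment tying it to the teardown in nvmet_tcp_release_queue_work() (the crash site named in the commit message) would keep a later cleanup from dropping it. It is also worth considering whether the reset belongs in the failure path of nvmet_tcp_alloc_cmds() itself, so that the count and the command array cannot go out of sync for any other caller; as written, the invariant is enforced only at this one call site.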