Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

nvmet-tcp: check INIT_FAILED before nvmet_req_uninit in digest error path

In nvmet_tcp_try_recv_ddgst(), when a data digest mismatch is detected,
nvmet_req_uninit() is called unconditionally. However, if the command
arrived via the nvmet_tcp_handle_req_failure() path, nvmet_req_init()
had returned false and percpu_ref_tryget_live() was never executed. The
unconditional percpu_ref_put() inside nvmet_req_uninit() then causes a
refcount underflow, leading to a WARNING in
percpu_ref_switch_to_atomic_rcu, a use-after-free diagnostic, and
eventually a permanent workqueue deadlock.

Check cmd->flags & NVMET_TCP_F_INIT_FAILED before calling
nvmet_req_uninit(), matching the existing pattern in
nvmet_tcp_execute_request().

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>

authored by Shivam Kumar and committed by Keith Busch
4606467a e9b004ff

+2 -1
drivers/nvme/target/tcp.c
··· 1310 1310 queue->idx, cmd->req.cmd->common.command_id, 1311 1311 queue->pdu.cmd.hdr.type, le32_to_cpu(cmd->recv_ddgst), 1312 1312 le32_to_cpu(cmd->exp_ddgst)); 1313 - nvmet_req_uninit(&cmd->req); 1313 + if (!(cmd->flags & NVMET_TCP_F_INIT_FAILED)) 1314 + nvmet_req_uninit(&cmd->req); 1314 1315 nvmet_tcp_free_cmd_buffers(cmd); 1315 1316 nvmet_tcp_fatal_error(queue); 1316 1317 ret = -EPROTO;
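Review bot: the new `if (!(cmd->flags & NVMET_TCP_F_INIT_FAILED))` guard in front of `nvmet_req_uninit(&cmd->req)` has no comment, so the reason the uninit is skipped is only recoverable from the commit message. That reason is that nvmet_req_init() returned false and percpu_ref_tryget_live() never ran. A one-line comment above the guard saying that no reference is held in the INIT_FAILED case would keep a later cleanup from removing the check. Since the commit message says nvmet_tcp_execute_request() already carries the same test, a small helper that wraps the flag check and the uninit call would keep the two paths from drifting apart. The commit message also has no Fixes: tag, which would help anyone backporting a fix for a refcount underflow.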