From: Chris Leech <cleech@redhat.com>
Date: Tue, 21 Mar 2023 16:30:25 +0000 (-0700)
Subject: nvme-tcp: fence TCP socket on receive error
X-Git-Tag: v6.4-rc1~136^2~11^2~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aeacfcefa218f4ed11da478e9b7915a37d1afaff;p=thirdparty%2Fkernel%2Flinux.git

nvme-tcp: fence TCP socket on receive error

Ensure that no further socket reads occur after a receive processing
error, either from io_work being re-scheduled or nvme_tcp_poll.

Failing to do so can result in unrecognised PDU payloads or TCP stream
garbage being processed as a C2H data PDU, and potentially start copying
the payload to an invalid destination after looking up a request using a
bogus command id.

Signed-off-by: Chris Leech <cleech@redhat.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: John Meneghini <jmeneghi@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
---

diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 7723a49895244..273c1f2760a40 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -876,6 +876,9 @@ static int nvme_tcp_recv_skb(read_descriptor_t *desc, struct sk_buff *skb,
 	size_t consumed = len;
 	int result;
 
+	if (unlikely(!queue->rd_enabled))
+		return -EFAULT;
+
 	while (len) {
 		switch (nvme_tcp_recv_state(queue)) {
 		case NVME_TCP_RECV_PDU: