git.ipfire.org Git - thirdparty/linux.git/commit

author	Shivam Kumar <kumar.shivam43666@gmail.com>
	Sat, 13 Dec 2025 18:57:48 +0000 (13:57 -0500)
committer	Keith Busch <kbusch@kernel.org>
	Fri, 9 Jan 2026 14:47:03 +0000 (06:47 -0800)
commit	32b63acd78f577b332d976aa06b56e70d054cbba
tree	dee8a18b37957757ed2ab486810a27e60f595d9b	tree \| snapshot
parent	340f4fc5508c2905a1f30de229e2a4b299d55735	commit \| diff

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
added ttag bounds checking and data_offset
validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
whether the command's data structures (cmd->req.sg and cmd->iov) have
been properly initialized before processing H2C_DATA PDUs.

The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
without NULL checks. This can be triggered by sending H2C_DATA PDU
immediately after the ICREQ/ICRESP handshake, before
sending a CONNECT command or NVMe write command.

Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL

The fix validates both cmd->req.sg and cmd->iov before calling
nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated

Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>