5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Nov 2023 11:27:05 +0000 (12:27 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Nov 2023 11:27:05 +0000 (12:27 +0100)
added patches:
nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch

queue-5.4/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch [new file with mode: 0644]
queue-5.4/nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch b/queue-5.4/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
new file mode 100644 (file)
index 0000000..0e99d98
--- /dev/null
@@ -0,0 +1,62 @@
+From d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 2 Oct 2023 13:54:28 +0300
+Subject: nvmet-tcp: Fix a possible UAF in queue intialization setup
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd upstream.
+
+From Alon:
+"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
+a malicious user can cause a UAF and a double free, which may lead to
+RCE (may also lead to an LPE in case the attacker already has local
+privileges)."
+
+Hence, when a queue initialization fails after the ahash requests are
+allocated, it is guaranteed that the queue removal async work will be
+called, hence leave the deallocation to the queue removal.
+
+Also, be extra careful not to continue processing the socket, so set
+queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
+Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/tcp.c |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -323,6 +323,7 @@ static void nvmet_tcp_fatal_error(struct
+ static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
+ {
++      queue->rcv_state = NVMET_TCP_RECV_ERR;
+       if (status == -EPIPE || status == -ECONNRESET)
+               kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+       else
+@@ -828,15 +829,11 @@ static int nvmet_tcp_handle_icreq(struct
+       iov.iov_len = sizeof(*icresp);
+       ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
+       if (ret < 0)
+-              goto free_crypto;
++              return ret; /* queue removal will cleanup */
+       queue->state = NVMET_TCP_Q_LIVE;
+       nvmet_prepare_receive_pdu(queue);
+       return 0;
+-free_crypto:
+-      if (queue->hdr_digest || queue->data_digest)
+-              nvmet_tcp_free_crypto(queue);
+-      return ret;
+ }
+ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
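Review bot: The early return added in nvmet_tcp_handle_icreq depends on an ownership rule that only the commit message spells out: once the ahash requests are allocated, queue removal is the one place that frees them. The inline comment would serve a later backporter better as `/* digest state is freed by queue removal; freeing it here as well would double free */`. The new `queue->rcv_state = NVMET_TCP_RECV_ERR;` line in nvmet_tcp_socket_error also deserves a short comment saying it stops further receive processing on a failed socket, since the companion patch in this series calls the helper from the send loop as well. Whether the 5.4 receive path checks for NVMET_TCP_RECV_ERR before touching the queue is not visible here and is worth confirming for this backport. Both function bodies extend beyond the hunk.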
diff --git a/queue-5.4/nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch b/queue-5.4/nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch
new file mode 100644 (file)
index 0000000..cad9df7
--- /dev/null
@@ -0,0 +1,106 @@
+From 0236d3437909ff888e5c79228e2d5a851651c4c6 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 18 May 2020 10:47:48 -0700
+Subject: nvmet-tcp: move send/recv error handling in the send/recv methods instead of call-sites
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit 0236d3437909ff888e5c79228e2d5a851651c4c6 upstream.
+
+Have routines handle errors and just bail out of the poll loop.
+This simplifies the code and will help as we may enhance the poll
+loop logic and these are somewhat in the way.
+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/tcp.c |   43 ++++++++++++++++++++++++-------------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -321,6 +321,14 @@ static void nvmet_tcp_fatal_error(struct
+               kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+ }
++static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
++{
++      if (status == -EPIPE || status == -ECONNRESET)
++              kernel_sock_shutdown(queue->sock, SHUT_RDWR);
++      else
++              nvmet_tcp_fatal_error(queue);
++}
++
+ static int nvmet_tcp_map_data(struct nvmet_tcp_cmd *cmd)
+ {
+       struct nvme_sgl_desc *sgl = &cmd->req.cmd->common.dptr.sgl;
+@@ -714,11 +722,15 @@ static int nvmet_tcp_try_send(struct nvm
+       for (i = 0; i < budget; i++) {
+               ret = nvmet_tcp_try_send_one(queue, i == budget - 1);
+-              if (ret <= 0)
++              if (unlikely(ret < 0)) {
++                      nvmet_tcp_socket_error(queue, ret);
++                      goto done;
++              } else if (ret == 0) {
+                       break;
++              }
+               (*sends)++;
+       }
+-
++done:
+       return ret;
+ }
+@@ -1167,11 +1179,15 @@ static int nvmet_tcp_try_recv(struct nvm
+       for (i = 0; i < budget; i++) {
+               ret = nvmet_tcp_try_recv_one(queue);
+-              if (ret <= 0)
++              if (unlikely(ret < 0)) {
++                      nvmet_tcp_socket_error(queue, ret);
++                      goto done;
++              } else if (ret == 0) {
+                       break;
++              }
+               (*recvs)++;
+       }
+-
++done:
+       return ret;
+ }
+@@ -1196,27 +1212,16 @@ static void nvmet_tcp_io_work(struct wor
+               pending = false;
+               ret = nvmet_tcp_try_recv(queue, NVMET_TCP_RECV_BUDGET, &ops);
+-              if (ret > 0) {
++              if (ret > 0)
+                       pending = true;
+-              } else if (ret < 0) {
+-                      if (ret == -EPIPE || ret == -ECONNRESET)
+-                              kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+-                      else
+-                              nvmet_tcp_fatal_error(queue);
++              else if (ret < 0)
+                       return;
+-              }
+               ret = nvmet_tcp_try_send(queue, NVMET_TCP_SEND_BUDGET, &ops);
+-              if (ret > 0) {
+-                      /* transmitted message/data */
++              if (ret > 0)
+                       pending = true;
+-              } else if (ret < 0) {
+-                      if (ret == -EPIPE || ret == -ECONNRESET)
+-                              kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+-                      else
+-                              nvmet_tcp_fatal_error(queue);
++              else if (ret < 0)
+                       return;
+-              }
+       } while (pending && ops < NVMET_TCP_IO_WORK_BUDGET);
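Review bot: nvmet_tcp_socket_error now holds the only classification of socket failures for both the send and receive loops, yet it carries no comment explaining the split. Something like `/* peer closed or reset: shut the socket down; any other error escalates to nvmet_tcp_fatal_error() */` above the `if` would record the intent. In nvmet_tcp_try_send and nvmet_tcp_try_recv the `done:` label sits immediately after the loop, so `goto done` behaves the same as `break` and could be written that way unless later work is expected to add code between them. nvmet_tcp_io_work now returns on `ret < 0` with no handling of its own, so a short comment at those returns noting that the try helpers have already dealt with the socket would keep that assumption visible. The bodies of try_send, try_recv and io_work start and end outside the hunk.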
index a557a8c8179d6d0092050e3193f97ef7980d26cc..be51cb44476de2f2e8796059229a232de9d41e78 100644 (file)
@@ -63,3 +63,5 @@ platform-mellanox-mlxbf-tmfifo-fix-a-warning-message.patch
 net-chelsio-cxgb4-add-an-error-code-check-in-t4_load.patch
 ata-ahci-fix-enum-constants-for-gcc-13.patch
 remove-the-sx8-block-driver.patch
+nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch
+nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch