nvmet-rdma: handle inline data with a nonzero offset

author Bryam Vargas <hexlabsecurity@proton.me>

Thu, 4 Jun 2026 19:36:54 +0000 (19:36 +0000)

committer Keith Busch <kbusch@kernel.org>

Tue, 9 Jun 2026 21:53:00 +0000 (14:53 -0700)
author Bryam Vargas <hexlabsecurity@proton.me>
Thu, 4 Jun 2026 19:36:54 +0000 (19:36 +0000)
committer Keith Busch <kbusch@kernel.org>
Tue, 9 Jun 2026 21:53:00 +0000 (14:53 -0700)
diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c

index ac26f4f774c4de62e163ded12bded70edbab68f7..ea1185b8267ef2857ede8181b913bfd9adbe986b 100644 (file)
--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -666,7 +666,8 @@ static void nvmet_rdma_release_rsp(struct nvmet_rdma_rsp *rsp)
         if (rsp->n_rdma)
                 nvmet_rdma_rw_ctx_destroy(rsp);
  
-       if (rsp->req.sg != rsp->cmd->inline_sg)
+       if (rsp->req.sg < rsp->cmd->inline_sg ||
+           rsp->req.sg >= rsp->cmd->inline_sg + queue->dev->inline_page_count)
                 nvmet_req_free_sgls(&rsp->req);
  
         if (unlikely(!list_empty_careful(&queue->rsp_wr_wait_list)))
@@ -821,24 +822,25 @@ static void nvmet_rdma_write_data_done(struct ib_cq *cq, struct ib_wc *wc)
  static void nvmet_rdma_use_inline_sg(struct nvmet_rdma_rsp *rsp, u32 len,
                 u64 off)
  {
-       int sg_count = num_pages(len);
+       u64 page_off = off % PAGE_SIZE;
+       u64 page_idx = off / PAGE_SIZE;
+       int sg_count = num_pages(page_off + len);
         struct scatterlist *sg;
         int i;
  
-       sg = rsp->cmd->inline_sg;
+       sg = &rsp->cmd->inline_sg[page_idx];
         for (i = 0; i < sg_count; i++, sg++) {
                 if (i < sg_count - 1)
                         sg_unmark_end(sg);
                 else
                         sg_mark_end(sg);
-               sg->offset = off;
-               sg->length = min_t(int, len, PAGE_SIZE - off);
+               sg->offset = page_off;
+               sg->length = min_t(u64, len, PAGE_SIZE - page_off);
                 len -= sg->length;
-               if (!i)
-                       off = 0;
+               page_off = 0;
         }
  
-       rsp->req.sg = rsp->cmd->inline_sg;
+       rsp->req.sg = &rsp->cmd->inline_sg[page_idx];
         rsp->req.sg_cnt = sg_count;
  }
author	Bryam Vargas <hexlabsecurity@proton.me>
	Thu, 4 Jun 2026 19:36:54 +0000 (19:36 +0000)
committer	Keith Busch <kbusch@kernel.org>
	Tue, 9 Jun 2026 21:53:00 +0000 (14:53 -0700)