Patch "nvmet-tcp: fix kernel crash if commands allocation fails" has been added to the 6.10-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    nvmet-tcp: fix kernel crash if commands allocation fails

to the 6.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nvmet-tcp-fix-kernel-crash-if-commands-allocation-fa.patch
and it can be found in the queue-6.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 312d026a5242b69ed108886f5e319839d0a09015
Author: Maurizio Lombardi <mlombard@xxxxxxxxxx>
Date:   Wed Aug 21 16:28:26 2024 +0200

    nvmet-tcp: fix kernel crash if commands allocation fails
    
    [ Upstream commit 5572a55a6f830ee3f3a994b6b962a5c327d28cb3 ]
    
    If the commands allocation fails in nvmet_tcp_alloc_cmds()
    the kernel crashes in nvmet_tcp_release_queue_work() because of
    a NULL pointer dereference.
    
      nvmet: failed to install queue 0 cntlid 1 ret 6
      Unable to handle kernel NULL pointer dereference at
             virtual address 0000000000000008
    
    Fix the bug by setting queue->nr_cmds to zero in case
    nvmet_tcp_alloc_cmd() fails.
    
    Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
    Signed-off-by: Maurizio Lombardi <mlombard@xxxxxxxxxx>
    Reviewed-by: Christoph Hellwig <hch@xxxxxx>
    Signed-off-by: Keith Busch <kbusch@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 380f22ee3ebb..ebf25819a7da 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -2146,8 +2146,10 @@ static u16 nvmet_tcp_install_queue(struct nvmet_sq *sq)
 	}
 
 	queue->nr_cmds = sq->size * 2;
-	if (nvmet_tcp_alloc_cmds(queue))
+	if (nvmet_tcp_alloc_cmds(queue)) {
+		queue->nr_cmds = 0;
 		return NVME_SC_INTERNAL;
+	}
 	return 0;
 }
 




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux