Patch "nvme-tcp: fix signedness bug in nvme_tcp_init_connection()" has been added to the 6.13-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 9 Mar 2025 15:43:41 -0400

This is a note to let you know that I've just added the patch titled

    nvme-tcp: fix signedness bug in nvme_tcp_init_connection()

to the 6.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nvme-tcp-fix-signedness-bug-in-nvme_tcp_init_connect.patch
and it can be found in the queue-6.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit b17d52d57b2895fd1feddd56ef46b19490b91551
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Wed Mar 5 18:52:59 2025 +0300

    nvme-tcp: fix signedness bug in nvme_tcp_init_connection()
    
    [ Upstream commit 528361c49962708a60f51a1afafeb00987cebedf ]
    
    The kernel_recvmsg() function returns an int which could be either
    negative error codes or the number of bytes received.  The problem is
    that the condition:
    
            if (ret < sizeof(*icresp)) {
    
    is type promoted to type unsigned long and negative values are treated
    as high positive values which is success, when they should be treated as
    failure.  Handle invalid positive returns separately from negative
    error codes to avoid this problem.
    
    Fixes: 578539e09690 ("nvme-tcp: fix connect failure on receiving partial ICResp PDU")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: Caleb Sander Mateos <csander@xxxxxxxxxxxxxxx>
    Reviewed-by: Sagi Grimberg <sagi@xxxxxxxxxxx>
    Reviewed-by: Chaitanya Kulkarni <kch@xxxxxxxxxx>
    Signed-off-by: Keith Busch <kbusch@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index ade7f1af33d80..5c50f1a5af957 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -1521,11 +1521,11 @@ static int nvme_tcp_init_connection(struct nvme_tcp_queue *queue)
 	msg.msg_flags = MSG_WAITALL;
 	ret = kernel_recvmsg(queue->sock, &msg, &iov, 1,
 			iov.iov_len, msg.msg_flags);
-	if (ret < sizeof(*icresp)) {
+	if (ret >= 0 && ret < sizeof(*icresp))
+		ret = -ECONNRESET;
+	if (ret < 0) {
 		pr_warn("queue %d: failed to receive icresp, error %d\n",
 			nvme_tcp_queue_id(queue), ret);
-		if (ret >= 0)
-			ret = -ECONNRESET;
 		goto free_icresp;
 	}
 	ret = -ENOTCONN;







