From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Narayan Ayalasomayajula, Sagi Grimberg, Christoph Hellwig, Sasha Levin
Subject: [PATCH 5.4 21/65] nvmet-tcp: fix out-of-bounds access when receiving multiple h2cdata PDUs
Date: Mon, 8 Feb 2021 16:00:53 +0100
Message-Id: <20210208145811.053812315@linuxfoundation.org>

From: Sagi Grimberg

[ Upstream commit cb8563f5c735a042ea2dd7df1ad55ae06d63ffeb ]

When the host sends multiple h2cdata PDUs, we keep track of the receive
progress and calculate the scatterlist index and offsets.

The issue is that sg_offset should only be kept for the first iov entry
we map in the iovec as this is the difference between our cursor and the
sg entry offset itself.

In addition, the sg index was calculated wrong because we should not
round up when dividing the command byte offset by PAGE_SIZE.

Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
Reported-by: Narayan Ayalasomayajula
Tested-by: Narayan Ayalasomayajula
Signed-off-by: Sagi Grimberg
Signed-off-by: Christoph Hellwig
Signed-off-by: Sasha Levin
--- drivers/nvme/target/tcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index e31823f19a0fa..9242224156f5b 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c
@@ -292,7 +292,7 @@ static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) length = cmd->pdu_len; cmd->nr_mapped = DIV_ROUND_UP(length, PAGE_SIZE); offset = cmd->rbytes_done; - cmd->sg_idx = DIV_ROUND_UP(offset, PAGE_SIZE); + cmd->sg_idx = offset / PAGE_SIZE; sg_offset = offset % PAGE_SIZE; sg = &cmd->req.sg[cmd->sg_idx]; @@ -305,6 +305,7 @@ static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) length -= iov_len; sg = sg_next(sg); iov++; + sg_offset = 0; } iov_iter_kvec(&cmd->recv_msg.msg_iter, READ, cmd->iov, -- 2.27.0
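Review bot: In the first hunk, cmd->nr_mapped is still DIV_ROUND_UP(length, PAGE_SIZE), which counts entries as if the mapping began on an sg entry boundary. Now that sg_idx rounds down and sg_offset = offset % PAGE_SIZE can be non-zero, length bytes that start mid-entry can span one more sg entry than that count, so please confirm that the iov array and whatever consumes nr_mapped are sized for DIV_ROUND_UP(length + sg_offset, PAGE_SIZE). The index math also assumes every sg entry holds exactly PAGE_SIZE bytes, and nothing in the visible context checks sg_idx against the number of sg entries before &cmd->req.sg[cmd->sg_idx] is taken. A comment stating the first, and a bound check (or a pointer to where it is already enforced) for the second, would help, since pdu_len and rbytes_done track data the host sends.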
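Review bot: The sg_offset = 0 reset at the bottom of the loop in the second hunk relies on reasoning that exists only in the commit message. A one-line comment there, saying the offset applies only to the first mapped entry, would keep a later refactor from moving or dropping it. In the same loop, sg = sg_next(sg) advances with no check visible in this context that sg is still valid while length remains, so if the remaining length ever exceeds what the scatterlist holds, the next iteration would use an invalid entry. Consider a guard that stops the walk and fails the command in that case.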