Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2220105,
    "url": "http://patchwork.ozlabs.org/api/patches/2220105/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/c375cdea3d4300f3e06c1a0bb57004665d4a7bd8.1775471884.git.cengiz.can@canonical.com/",
    "project": {
        "id": 15,
        "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api",
        "name": "Ubuntu Kernel",
        "link_name": "ubuntu-kernel",
        "list_id": "kernel-team.lists.ubuntu.com",
        "list_email": "kernel-team@lists.ubuntu.com",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<c375cdea3d4300f3e06c1a0bb57004665d4a7bd8.1775471884.git.cengiz.can@canonical.com>",
    "list_archive_url": null,
    "date": "2026-04-06T10:51:21",
    "name": "[SRU,J,1/1] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "5b23dc4e56ede515dff4309cd54c3507b998826b",
    "submitter": {
        "id": 84024,
        "url": "http://patchwork.ozlabs.org/api/people/84024/?format=api",
        "name": "Cengiz Can",
        "email": "cengiz.can@canonical.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/c375cdea3d4300f3e06c1a0bb57004665d4a7bd8.1775471884.git.cengiz.can@canonical.com/mbox/",
    "series": [
        {
            "id": 498840,
            "url": "http://patchwork.ozlabs.org/api/series/498840/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=498840",
            "date": "2026-04-06T10:51:20",
            "name": "CVE-2026-23112",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/498840/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2220105/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2220105/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=pt8SNIHn;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fq5jt3jg1z1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 20:51:46 +1000 (AEST)",
            "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1w9hYR-000664-7P; Mon, 06 Apr 2026 10:51:39 +0000",
            "from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <cengiz.can@canonical.com>)\n id 1w9hYP-00062H-If\n for kernel-team@lists.ubuntu.com; Mon, 06 Apr 2026 10:51:37 +0000",
            "from mail-wr1-f70.google.com (mail-wr1-f70.google.com\n [209.85.221.70])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 00A8B3F285\n for <kernel-team@lists.ubuntu.com>; Mon,  6 Apr 2026 10:51:37 +0000 (UTC)",
            "by mail-wr1-f70.google.com with SMTP id\n ffacd0b85a97d-43d034589d0so3941351f8f.1\n for <kernel-team@lists.ubuntu.com>; Mon, 06 Apr 2026 03:51:36 -0700 (PDT)",
            "from localhost ([176.41.26.180]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488940e075esm340747195e9.9.2026.04.06.03.51.34\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 06 Apr 2026 03:51:35 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775472697;\n bh=4uQRJawU1GOQVh+SCBkBbtaIrlrWfKYNDfnqwkw5Z00=;\n h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=pt8SNIHnWHs05gV2sy23mxWK4l+4LF/TsfRsMrloPeSdBw2FP4rhy4fhpJvB9405A\n EEg5MUVNlDJDP0SIvV5SsVajiKxhf3EGzLPOeaQOOieBWk60aflk+s8R7NTPLMsQLM\n cGSV6ob6dUExgLl27pkRrdHSfS34cspdeffgSvWBtt2uXzdVynYQ7YXIhklygOe6Tu\n L+p1YSGXUouwZVH6LCMqmuhnFC6FL3rsZ8w7zM56ptJNLMcgGfA0u8eFTg7CK2UCEi\n rYcLxA0BHemGxFhcM+37OY+BjE2YgdLHUCOvccmTkrXoynU6m0YI0HHhLTMoyqIX2/\n t12Omad+9zKwHgYM5hQGKqRhAjAJbUy8ppwE02+25HUhPP63RFbi6rQDaCSSS+jf2L\n NI+V+icEXALqF+yBcrIne85EcxDdlOEbjzB/Cy5mA7jVKgswMGZ+miEl/F7yFqhJ33\n xMEQTrYr3naRg9qhdodo0W7ETAwwzJEaFbua9bB8Yjgwhq42Hffz9PiV02V7SJ4unA\n 2KjdLErkgLPj4fNA1nQSmL+hiBXOc2/Dns8Ko2tST8o9bgtmWnrf/NT1WHqBu30wem\n G0ErcpRAWU2ow7305YbLrEoZzir41nM1af6ffYdqjEXUAAukGi41hO1Ia6eog1CHcu\n Dvvxem1+X5bOzjrg0yTvd0vs=",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775472696; x=1776077496;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=4uQRJawU1GOQVh+SCBkBbtaIrlrWfKYNDfnqwkw5Z00=;\n b=rU50/V6FdhMtUm/1i8uGijVT4uyqwkUFfhxrRgdNnSdfgzK4AZWHrctqt/FDu47uqq\n o8s3QdL4IPL3ypslOYEWnMypbldllqarM7t4VVFccquDsS5D3u8FngSXD3vV0ajk5h2N\n a4bHYKA2I3HQpScDagMhCoxt43n9pTAPcUMqOl/K9WgeqvKwIhtHZFXbC73YRTBK7F6V\n eSzWq/ZqDX0ZCw2XKhSlVGm1qrgONOZq+F+/Rtuqonz2dhDd6LDcozs21HkRZ4luQ1YZ\n a+FrU4wSHSNEUKhfGaoP/+VyqMetUc8bPB/3TJbtZ3rpyAObZvX/jCL+IweGTTEP0yUv\n 8sgA==",
        "X-Gm-Message-State": "AOJu0Yw+IkrGxAZ7gs1FItuB6Be/C96Ylhfpaq79hOomoZP/LnD0L6pN\n KJc/kapCTGksizMK1yzcoyRRcOrPxZ4fg/+VgmLwYboBq2Fd3ImR0GAOiz6hP2mJOJB/AQ7nXDv\n sPRrpSs2j7zHPcy3ZKAZLAr3ibYhRNUhlgZDuoLnlGzyTweSG2H1G2Kp2D+x4dHR/wgX8crUqE4\n uHpnQdtgWxA145HA==",
        "X-Gm-Gg": "AeBDietEPaOxyZqAY/zcHhCwii8+eXZAkrhEbiiWSHydnzb6pV1UgpU+IlGjGn5euN7\n gKTtkmY0jOn3/mX3b2QzwJ6wMRdbjz3fZsgkObfv0Z0yM+3o/Gwwo0hZ89Q9iEv3QDMxBzQtP1G\n w5EYD6j6QpPNaVzCxMT3MtmvBU/lpupoVNN4OXTrT1pi17xiCEWjcTSmFJf6lH0XYT8DS1WjIdg\n wzigS60rheSJsJpmw8SMdnZ5gtk/jWqX57nmiWeOrrHVuQj1gH6TrLgkDmfDaPrPVsuTTaIr2KC\n HZNSkXI8CwC3y+L6GrkPI/vVpgf/W4G4ADIE6fHbyJpZN1hEArDeWpAf9+Bvq+cp/l/8FgyWa7O\n VlbmSXRKr+8+PqZ2lTpfk78E=",
        "X-Received": [
            "by 2002:a05:600c:154b:b0:488:af14:f1da with SMTP id\n 5b1f17b1804b1-488af14f30amr58868575e9.7.1775472696275;\n Mon, 06 Apr 2026 03:51:36 -0700 (PDT)",
            "by 2002:a05:600c:154b:b0:488:af14:f1da with SMTP id\n 5b1f17b1804b1-488af14f30amr58867805e9.7.1775472695773;\n Mon, 06 Apr 2026 03:51:35 -0700 (PDT)"
        ],
        "From": "Cengiz Can <cengiz.can@canonical.com>",
        "To": "kernel-team@lists.ubuntu.com",
        "Subject": "[SRU][J][PATCH 1/1] nvmet-tcp: add bounds checks in\n nvmet_tcp_build_pdu_iovec",
        "Date": "Mon,  6 Apr 2026 13:51:21 +0300",
        "Message-ID": "\n <c375cdea3d4300f3e06c1a0bb57004665d4a7bd8.1775471884.git.cengiz.can@canonical.com>",
        "X-Mailer": "git-send-email 2.43.0",
        "In-Reply-To": "<cover.1775471884.git.cengiz.can@canonical.com>",
        "References": "<177546945105.885203.15305511673780617858@nexus9.public>\n <cover.1775471884.git.cengiz.can@canonical.com>",
        "MIME-Version": "1.0",
        "X-BeenThere": "kernel-team@lists.ubuntu.com",
        "X-Mailman-Version": "2.1.20",
        "Precedence": "list",
        "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>",
        "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>",
        "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>",
        "List-Post": "<mailto:kernel-team@lists.ubuntu.com>",
        "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>",
        "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "base64",
        "Errors-To": "kernel-team-bounces@lists.ubuntu.com",
        "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"
    },
    "content": "From: YunJe Shin <yjshin0438@gmail.com>\n\n[ Upstream commit 52a0a98549344ca20ad81a4176d68d28e3c05a5c ]\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg->length/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg->length/offset before building the bvec.\n\nFixes: 872d26a391da (\"nvmet-tcp: add NVMe over TCP target driver\")\nSigned-off-by: YunJe Shin <ioerts@kookmin.ac.kr>\nReviewed-by: Sagi Grimberg <sagi@grimberg.me>\nReviewed-by: Joonkyo Jung <joonkyoj@yonsei.ac.kr>\nSigned-off-by: Keith Busch <kbusch@kernel.org>\nSigned-off-by: Sasha Levin <sashal@kernel.org>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n(backported from commit 42afe8ed8ad2de9c19457156244ef3e1eca94b5d linux-5.15.y)\n[cengizcan: adjusted for kvec/kmap style, moved bounds checks before iov_len assignment]\nCVE-2026-23112\nSigned-off-by: Cengiz Can <cengiz.can@canonical.com>\n---\n drivers/nvme/target/tcp.c | 22 +++++++++++++++++++++-\n 1 file changed, 21 insertions(+), 1 deletion(-)",
    "diff": "diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c\nindex 051798ef7431..f8d158e0aa34 100644\n--- a/drivers/nvme/target/tcp.c\n+++ b/drivers/nvme/target/tcp.c\n@@ -309,27 +309,47 @@ static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd)\n \t\tkunmap(sg_page(&sg[i]));\n }\n \n+static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue);\n+\n static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd)\n {\n \tstruct kvec *iov = cmd->iov;\n \tstruct scatterlist *sg;\n \tu32 length, offset, sg_offset;\n+\tunsigned int sg_remaining;\n \n \tlength = cmd->pdu_len;\n \tcmd->nr_mapped = DIV_ROUND_UP(length, PAGE_SIZE);\n \toffset = cmd->rbytes_done;\n \tcmd->sg_idx = offset / PAGE_SIZE;\n \tsg_offset = offset % PAGE_SIZE;\n+\tif (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) {\n+\t\tnvmet_tcp_fatal_error(cmd->queue);\n+\t\treturn;\n+\t}\n \tsg = &cmd->req.sg[cmd->sg_idx];\n+\tsg_remaining = cmd->req.sg_cnt - cmd->sg_idx;\n \n \twhile (length) {\n-\t\tu32 iov_len = min_t(u32, length, sg->length - sg_offset);\n+\t\tu32 iov_len;\n+\n+\t\tif (!sg_remaining) {\n+\t\t\tnvmet_tcp_fatal_error(cmd->queue);\n+\t\t\treturn;\n+\t\t}\n+\t\tif (!sg->length || sg->length <= sg_offset) {\n+\t\t\tnvmet_tcp_fatal_error(cmd->queue);\n+\t\t\treturn;\n+\t\t}\n+\n+\t\tiov_len = min_t(u32, length, sg->length - sg_offset);\n \n \t\tiov->iov_base = kmap(sg_page(sg)) + sg->offset + sg_offset;\n \t\tiov->iov_len = iov_len;\n \n \t\tlength -= iov_len;\n \t\tsg = sg_next(sg);\n+\t\tsg_remaining--;\n \t\tiov++;\n \t\tsg_offset = 0;\n \t}\n",
    "prefixes": [
        "SRU",
        "J",
        "1/1"
    ]
}