{"id":2220104,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2220104/?format=json","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.0/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<e06d31ceaa4bace11b1ba4d6e3c251eb7763f69c.1775469458.git.cengiz.can@canonical.com>","date":"2026-04-06T10:51:19","name":"[SRU,N,1/1] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"f03735a22378b9cc6d92b86f36a71f5d46d4af68","submitter":{"id":84024,"url":"http://patchwork.ozlabs.org/api/1.0/people/84024/?format=json","name":"Cengiz Can","email":"cengiz.can@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/e06d31ceaa4bace11b1ba4d6e3c251eb7763f69c.1775469458.git.cengiz.can@canonical.com/mbox/","series":[{"id":498841,"url":"http://patchwork.ozlabs.org/api/1.0/series/498841/?format=json","date":"2026-04-06T10:51:19","name":"[SRU,N,1/1] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec","version":1,"mbox":"http://patchwork.ozlabs.org/series/498841/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220104/checks/","tags":{},"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=XZPOH3kv;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fq5jp1fYfz20wn\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 20:51:42 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1w9hYM-0005yu-Rv; Mon, 06 Apr 2026 10:51:34 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <cengiz.can@canonical.com>)\n id 1w9hYK-0005xB-Rv\n for kernel-team@lists.ubuntu.com; Mon, 06 Apr 2026 10:51:32 +0000","from mail-wm1-f70.google.com (mail-wm1-f70.google.com\n [209.85.128.70])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id AD4793F285\n for <kernel-team@lists.ubuntu.com>; Mon,  6 Apr 2026 10:51:32 +0000 (UTC)","by mail-wm1-f70.google.com with SMTP id\n 5b1f17b1804b1-488a9ed3c1eso8163655e9.1\n for <kernel-team@lists.ubuntu.com>; Mon, 06 Apr 2026 03:51:32 -0700 (PDT)","from localhost ([176.41.26.180]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488b739e00bsm33970455e9.10.2026.04.06.03.51.30\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 06 Apr 2026 03:51:31 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775472692;\n bh=KEKUhl06ySs742J3xcajOCxWilMS/rd6sDakVw2ZxcY=;\n h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=XZPOH3kvZfgn08vHKgokDBf4nGxONwluBeQRI8Z/w3+nOPGBFaRN9Kt9oXMnP+HTa\n JBDRU7d6/wRhyDvS4VscbKfOltYqsQsYfJ9yTJCyA3jEHDVeuKN799Li2cUUZdIjT2\n vbzhadbabV75REmrmfrovfvdeiXp7KuFdEtFbkNfT6QJKMozini3Kofkjkm5dYR++k\n hVMNcpXi202X0qDFSFNO5jl2T5ishmioXHycRpxKiQ/x4RYI0QdQ0Vh70wSdPntinH\n /+U5WKjPB1GosesgGz5VYARdL/wdAKm+7ipsPWMgnIiTlNRhcnY7X7SYPZAZ1q3L38\n a0pcYBoM4OYVzEJ4knZNSrdyl+SXZo0l0c4tnfqP4YP+1guWZhCuJ0Dmy1hdIRbUV1\n b7i+jvRR4FrEce+CsyQ3KjZQN0K1EUgKd4H2d3OG1Ec1JiyP3VjC5SkwIHRpoYKGeC\n zNazPUxX8ZpH3d1q5XJ0MaxOZhEqpnlEFWwcV0tfxMcnd/Oc87xJcaJgRJg/B8NscD\n Qz7aeXxGBfsJbCl71nM2TA0yn//dRCEHWCMJonDFcGr0amSPfW+6NGGne8lutPJZfq\n 0Fyl/RDbLNrosXUZ4hyzB1MrQAL03Ni9jqLm3Q71gIO13ZbuvKT05KZGW/GuGe/q6P\n Y3NStMN8TwCHrQn/8667fphQ=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775472692; x=1776077492;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=KEKUhl06ySs742J3xcajOCxWilMS/rd6sDakVw2ZxcY=;\n b=Beq2kj3TUltMlEM9IiDzpiR4I6kJ/fVXhDk4Q0garigcAd3uis+kaK1e2WW0Wtfk+K\n TWW6dFJzK1XkxLWgiJ8cB0rVmGOMC8ZMIsVocvJMLYREUn6v3/Hld4ENLk4q90la2z18\n eBG+L710hXeKGLMleOA246L+/akUJAmqSD+HyrfdrQ71z2GoZ/qBnNAjvzrT4sX7fsGy\n zaxJqRvTbWzFQi3l6uwozC2EHQse+UHlDPk/lmVmwUndNwgP/ZVAOt+yXfVBVft7SS23\n 3JAlMmGyBY8uV1BaS/5phH2xTeTLp7CFMbAWOhcnW9LkifyR1pIuZqqt60jaiqS6rlrU\n cBKQ==","X-Gm-Message-State":"AOJu0YzRB+0I7dVsiGAo+G6PK3k7vC2Oe6AodvF1UxrgAE20DsIeQ11C\n /aHNYP7Cg6QVTAzGK/DyBR/0K9CjnsTPM77NEkvGw7bDoR8XSwpE19kJo2rwVEl0E4YJTteNHi1\n RJC4vEau77grqo2h5g37GAe53dIOtZdj65qOG7/3wJfCcoLjxgK+BJvyruos9plCZ4KxDWhYCSm\n 6cm9nx3OnZcMSQ+w==","X-Gm-Gg":"AeBDievj/rIr1RGpi9YcZmnzEm+dnQBOBIuXlaNWQP03N3Ax1C3SfVwH0gTzzX+DKAT\n XtUZ/TQyud+s2Xqpr18IDVKK66QmmyOgbY9xCP4sxUQBjxXmNDe7KA8T9xzC+cb3XiFZPOEkCr3\n kHU4t3S2cMtR6Ud1WLOxfVb3r1h76XcbMFc985O1tNXXrnxknqKTUgJgiVUz7VXzo965eLEnDZ6\n oLFRFoYTpkChnApUAsyQ0qRdTKno92laIbnipAoRUE19RsVWOXvqrX1/XakQ/5+v4SRlpZNgofs\n ZEqdjh082F/AiOOZ9iuZhymmt9Ymh9DmEipcGB+i5G6TwAEPw0H70k7Igf6Re4UIa+OkTFQgRqD\n katC32gA5t7lw1pVq2Z+oTk8=","X-Received":["by 2002:a05:600d:12:b0:488:8bdd:cfc7 with SMTP id\n 5b1f17b1804b1-488995d140bmr134618325e9.0.1775472691957;\n Mon, 06 Apr 2026 03:51:31 -0700 (PDT)","by 2002:a05:600d:12:b0:488:8bdd:cfc7 with SMTP id\n 5b1f17b1804b1-488995d140bmr134618105e9.0.1775472691578;\n Mon, 06 Apr 2026 03:51:31 -0700 (PDT)"],"From":"Cengiz Can <cengiz.can@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][N][PATCH 1/1] nvmet-tcp: add bounds checks in\n nvmet_tcp_build_pdu_iovec","Date":"Mon,  6 Apr 2026 13:51:19 +0300","Message-ID":"\n <e06d31ceaa4bace11b1ba4d6e3c251eb7763f69c.1775469458.git.cengiz.can@canonical.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<cover.1775469458.git.cengiz.can@canonical.com>","References":"<177546945105.885203.15305511673780617858@nexus9.public>\n <cover.1775469458.git.cengiz.can@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: YunJe Shin <yjshin0438@gmail.com>\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg->length/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg->length/offset before building the bvec.\n\nFixes: 872d26a391da (\"nvmet-tcp: add NVMe over TCP target driver\")\nSigned-off-by: YunJe Shin <ioerts@kookmin.ac.kr>\nReviewed-by: Sagi Grimberg <sagi@grimberg.me>\nReviewed-by: Joonkyo Jung <joonkyoj@yonsei.ac.kr>\nSigned-off-by: Keith Busch <kbusch@kernel.org>\n(cherry picked from commit 52a0a98549344ca20ad81a4176d68d28e3c05a5c)\nCVE-2026-23112\nSigned-off-by: Cengiz Can <cengiz.can@canonical.com>\n---\n drivers/nvme/target/tcp.c | 17 +++++++++++++++++\n 1 file changed, 17 insertions(+)","diff":"diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c\nindex 9a5c6c114ba3..2bf592d3f041 100644\n--- a/drivers/nvme/target/tcp.c\n+++ b/drivers/nvme/target/tcp.c\n@@ -357,11 +357,14 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd)\n \tcmd->req.sg = NULL;\n }\n \n+static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue);\n+\n static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)\n {\n \tstruct bio_vec *iov = cmd->iov;\n \tstruct scatterlist *sg;\n \tu32 length, offset, sg_offset;\n+\tunsigned int sg_remaining;\n \tint nr_pages;\n \n \tlength = cmd->pdu_len;\n@@ -369,9 +372,22 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)\n \toffset = cmd->rbytes_done;\n \tcmd->sg_idx = offset / PAGE_SIZE;\n \tsg_offset = offset % PAGE_SIZE;\n+\tif (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) {\n+\t\tnvmet_tcp_fatal_error(cmd->queue);\n+\t\treturn;\n+\t}\n \tsg = &cmd->req.sg[cmd->sg_idx];\n+\tsg_remaining = cmd->req.sg_cnt - cmd->sg_idx;\n \n \twhile (length) {\n+\t\tif (!sg_remaining) {\n+\t\t\tnvmet_tcp_fatal_error(cmd->queue);\n+\t\t\treturn;\n+\t\t}\n+\t\tif (!sg->length || sg->length <= sg_offset) {\n+\t\t\tnvmet_tcp_fatal_error(cmd->queue);\n+\t\t\treturn;\n+\t\t}\n \t\tu32 iov_len = min_t(u32, length, sg->length - sg_offset);\n \n \t\tbvec_set_page(iov, sg_page(sg), iov_len,\n@@ -379,6 +395,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)\n \n \t\tlength -= iov_len;\n \t\tsg = sg_next(sg);\n+\t\tsg_remaining--;\n \t\tiov++;\n \t\tsg_offset = 0;\n \t}\n","prefixes":["SRU","N","1/1"]}