nvme-tcp: fence TCP socket on receive error

Ensure that no further socket reads occur after a receive processing error, either from io_work being re-scheduled or nvme_tcp_poll. Failing to do so can result in unrecognised PDU payloads or TCP stream garbage being processed as a C2H data PDU, and potentially start copying the payload to an invalid destination after looking up a request using a bogus command id. Signed-off-by: Chris Leech <cleech@redhat.com> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: John Meneghini <jmeneghi@redhat.com> Signed-off-by: Christoph Hellwig <hch@lst.de>
author: Chris Leech <cleech@redhat.com> 2023-03-21 19:30:25 +0300
committer: Christoph Hellwig <hch@lst.de> 2023-04-13 09:55:05 +0300
commit: aeacfcefa218f4ed11da478e9b7915a37d1afaff (patch)
tree: b1a61cbfa402e121052872e729e305ca9bd6d5ac /drivers/nvme
parent: c5a9abfad9fb010c39defeee0c939bfa9430a5a3 (diff)
download: linux-aeacfcefa218f4ed11da478e9b7915a37d1afaff.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 7723a4989524..273c1f2760a4 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -876,6 +876,9 @@ static int nvme_tcp_recv_skb(read_descriptor_t *desc, struct sk_buff *skb,
 	size_t consumed = len;
 	int result;
 
+	if (unlikely(!queue->rd_enabled))
+		return -EFAULT;
+
 	while (len) {
 		switch (nvme_tcp_recv_state(queue)) {
 		case NVME_TCP_RECV_PDU:
author	Chris Leech <cleech@redhat.com>	2023-03-21 19:30:25 +0300
committer	Christoph Hellwig <hch@lst.de>	2023-04-13 09:55:05 +0300
commit	aeacfcefa218f4ed11da478e9b7915a37d1afaff (patch)
tree	b1a61cbfa402e121052872e729e305ca9bd6d5ac /drivers/nvme
parent	c5a9abfad9fb010c39defeee0c939bfa9430a5a3 (diff)
download	linux-aeacfcefa218f4ed11da478e9b7915a37d1afaff.tar.xz