From: Christoph Hellwig <hch@lst.de>
To: pjy@amazon.com
Cc: Keith Busch <kbusch@kernel.org>, Jens Axboe <axboe@fb.com>,
	Christoph Hellwig <hch@lst.de>, Sagi Grimberg <sagi@grimberg.me>,
	linux-nvme@lists.infradead.org
Subject: Re: BUG Report: kernel NULL pointer dereference in bio_integrity_advance()
Date: Tue, 27 Aug 2024 09:26:23 +0200	[thread overview]
Message-ID: <20240827072623.GA13080@lst.de> (raw)
In-Reply-To: <mb61pcylvnym8.fsf@amazon.com>

On Mon, Aug 26, 2024 at 02:32:31PM +0000, pjy@amazon.com wrote:
> This is because in the function:
> 
> void bio_integrity_advance(struct bio *bio, unsigned int bytes_done)
> {
> 	struct bio_integrity_payload *bip = bio_integrity(bio);
> 	struct blk_integrity *bi = blk_get_integrity(bio->bi_bdev->bd_disk);
> 	unsigned bytes = bio_integrity_bytes(bi, bytes_done >> 9);
> 
> 	bip->bip_iter.bi_sector += bio_integrity_intervals(bi, bytes_done >> 9);
> 	bvec_iter_advance(bip->bip_vec, &bip->bip_iter, bytes);
> }
> 
> Here blk_get_integrity() returns NULL and bio_integrity_bytes() uses it
> without checking for NULL.

So the above is on a NVMe namespace that does not support metadata?

We currently don't check if a namespace supports metadata before
sending it, so something like the patch below should fix it:

diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index f1d58e70933f54..b1d1422f812a63 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -4,6 +4,7 @@
  * Copyright (c) 2017-2021 Christoph Hellwig.
  */
 #include <linux/bio-integrity.h>
+#include <linux/blk-integrity.h>
 #include <linux/ptrace.h>	/* for force_successful_syscall_return */
 #include <linux/nvme_ioctl.h>
 #include <linux/io_uring/cmd.h>
@@ -121,6 +122,9 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer,
 	struct block_device *bdev = ns ? ns->disk->part0 : NULL;
 	struct bio *bio = NULL;
 	int ret;
+		
+	if (meta_buffer && meta_len && !blk_get_integrity(bdev->bd_disk))
+		return -EINVAL;
 
 	if (ioucmd && (ioucmd->flags & IORING_URING_CMD_FIXED)) {
 		struct iov_iter iter;
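Review bot: the new check at `if (meta_buffer && meta_len && !blk_get_integrity(bdev->bd_disk))` dereferences `bdev` unconditionally, but three lines above it `bdev` is `ns ? ns->disk->part0 : NULL`, so a passthrough request without a namespace (`ns == NULL`) that carries a metadata buffer would trade the reported NULL dereference in bio_integrity_advance() for one in this function. Suggest guarding on `bdev` first, e.g. `if (meta_buffer && meta_len && (!bdev || !blk_get_integrity(bdev->bd_disk)))`, or placing the check under the existing `bdev` branch where the metadata mapping happens. Minor: the added `+` line before the `if` contains only tabs (trailing whitespace); checkpatch will flag it, so make it an empty line.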