From: axboe@fb.com (Jens Axboe)
Subject: [PATCH 01/11] nvme: fix kernel memory corruption with short INQUIRY buffers
Date: Wed, 13 May 2015 10:34:23 -0400
Message-ID: <555360EF.70904@fb.com>
In-Reply-To: <1431100836-28112-2-git-send-email-hch@lst.de>

On 05/08/2015 12:00 PM, Christoph Hellwig wrote:
> If userspace asks for an INQUIRY buffer smaller than 36 bytes, the SCSI
> translation layer will happily write past the end of the INQUIRY buffer
> allocation.
>
> This is fairly easily reproducible by running the libiscsi test
> suite and then starting an xfstests run.
>
> Fixes: 4f1982 ("NVMe: Update SCSI Inquiry VPD 83h translation")
> Signed-off-by: Christoph Hellwig <hch at lst.de>
> ---
> drivers/block/nvme-scsi.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/block/nvme-scsi.c b/drivers/block/nvme-scsi.c
> index 6b736b0..aea2498 100644
> --- a/drivers/block/nvme-scsi.c
> +++ b/drivers/block/nvme-scsi.c
> @@ -2256,7 +2256,8 @@ static int nvme_trans_inquiry(struct nvme_ns *ns, struct sg_io_hdr *hdr,
> page_code = GET_INQ_PAGE_CODE(cmd);
> alloc_len = GET_INQ_ALLOC_LENGTH(cmd);
>
> - inq_response = kmalloc(alloc_len, GFP_KERNEL);
> + inq_response = kmalloc(max(alloc_len, STANDARD_INQUIRY_LENGTH),
> + GFP_KERNEL);
> if (inq_response == NULL) {
> res = -ENOMEM;
> goto out_mem;
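
Review bot: The new floor in the kmalloc() call is STANDARD_INQUIRY_LENGTH only, yet page_code is read two lines above it, so this one buffer also backs the VPD page responses, and the Fixes tag names the VPD 83h translation. It is worth confirming that every page handler reached from nvme_trans_inquiry() writes no more than max(alloc_len, STANDARD_INQUIRY_LENGTH) bytes, or bounding each handler's writes by the allocated size rather than by a fixed response length. Two smaller points on the same line: kmalloc() leaves the padding bytes uninitialized, so the copy back to userspace should stay limited to alloc_len, and a short comment explaining why the allocation may exceed alloc_len would help the next reader.
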
Applied for 4.1.
--
Jens Axboe