From: Ming Lei <ming.lei@redhat.com>
To: Keith Busch <kbusch@kernel.org>
Cc: Maurizio Lombardi <mlombard@redhat.com>,
linux-nvme@lists.infradead.org, axboe@fb.com,
Christoph Hellwig <hch@lst.de>, Sagi Grimberg <sagi@grimberg.me>,
Ming Lei <minlei@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: nvme-host: disk corruptions when issuing IDENTIFY commands via ioctl()
Date: Wed, 9 Mar 2022 10:48:35 +0800 [thread overview]
Message-ID: <YigVg/URukuwwKWF@T590> (raw)
In-Reply-To: <20220309011429.GA3948855@dhcp-10-100-145-180.wdc.com>
On Tue, Mar 08, 2022 at 05:14:29PM -0800, Keith Busch wrote:
> On Wed, Mar 09, 2022 at 09:02:42AM +0800, Ming Lei wrote:
> > On Tue, Mar 08, 2022 at 04:39:04PM -0800, Keith Busch wrote:
> > > On Wed, Mar 09, 2022 at 08:18:47AM +0800, Ming Lei wrote:
> > > > Given NVMe spec states that data length of IDENTIFY command should be
> > > > 4096bytes, and PRP list can't be used.
> > > >
> > > > So looks nvme driver need to validate the command before submitting to
> > > > hardware, otherwise any buggy application can break FS or memory easily.
> > >
> > > No way. The driver does not police the user passthrough interface for
> > > these kinds of things.
> >
> > So you trust application to provide correct data always?
> >
> > From user viewpoint, this defect provides one easy hole to break FS or
> > memory, it is one serious issue, IMO. The FS/memory corruption can
> > be reproduced easily even in VM.
>
> It doesn't seem so serious considering it's been this way for 10 years,
> and we already knew about this. It's even been reported before:
>
> http://lists.infradead.org/pipermail/linux-nvme/2013-August/000365.html
BTW, this issue is actually one real report from one Red Hat Customer.
>
> > > It couldn't ever be complete or future proof if
> > > it did.
> >
> > But the spec states clearly the data length of IDENTIFY command is 4096
> > and PRP list can't be used, so why do you think it isn't complete or
> > future proof to validate data length of IDENTIFY in nvme driver?
>
> The current spec says that opcode uses 4k today. What about some time in
> the future?
spec change should only be applied on future hardware, which can not break
current in-market hardware.
nvme target has validated the Identify's transfer length already.
> And why are you focusing on Identify anyway?
Nvme spec states explicitly that the following 4 commands can't use PRP list:
- Identify command
- Namespace Attachment command
- Namespace Management command
- Set Features command
So it should be enough to just validate these commands.
Thanks,
Ming
next prev parent reply other threads:[~2022-03-09 2:49 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-08 16:45 nvme-host: disk corruptions when issuing IDENTIFY commands via ioctl() Maurizio Lombardi
2022-03-08 19:52 ` Keith Busch
2022-03-09 0:18 ` Ming Lei
2022-03-09 0:39 ` Keith Busch
2022-03-09 1:02 ` Ming Lei
2022-03-09 1:14 ` Keith Busch
2022-03-09 2:48 ` Ming Lei [this message]
2022-03-09 3:09 ` Keith Busch
2022-03-09 6:26 ` Christoph Hellwig
2022-03-09 16:23 ` Keith Busch
2022-03-10 16:04 ` Christoph Hellwig
2022-03-10 17:38 ` Keith Busch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YigVg/URukuwwKWF@T590 \
--to=ming.lei@redhat.com \
--cc=axboe@fb.com \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=minlei@redhat.com \
--cc=mlombard@redhat.com \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.