From: keith.busch@intel.com (Keith Busch)
Subject: [PATCHv4-4.5 6/7] NVMe: Don't allow unsupported flags
Date: Wed, 24 Feb 2016 09:15:57 -0700
Message-ID: <1456330558-819-7-git-send-email-keith.busch@intel.com>
In-Reply-To: <1456330558-819-1-git-send-email-keith.busch@intel.com>
The command flags can change the meaning of other fields in the command
that the driver is not prepared to handle. Specifically, the user could
passthrough an SGL flag, causing the controller to misinterpret the PRP
list the driver created, potentially corrupting memory or data.
Signed-off-by: Keith Busch <keith.busch at intel.com>
Reviewed-by: Jon Derrick <jonathan.derrick at intel.com>
---
From previous version:
Return an error if the user requested an unsupported flag.
drivers/nvme/host/core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index d08b7e4..9011685 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -374,6 +374,8 @@ static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio)
if (copy_from_user(&io, uio, sizeof(io)))
return -EFAULT;
+ if (io.flags)
+ return -EINVAL;
switch (io.opcode) {
case nvme_cmd_write:
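Review bot: The `if (io.flags)` test added at the top of nvme_submit_io() returns -EINVAL for any non-zero value, so a caller that never initialised the flags field of struct nvme_user_io now fails at a point where this function did not reject the request before. That change in ioctl behaviour deserves a sentence in the commit message. A short comment above the check giving the reason from the commit message (the driver builds a PRP list, so an SGL flag must not reach the controller) would also keep the test from being relaxed later without that context.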
@@ -425,6 +427,8 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
return -EACCES;
if (copy_from_user(&cmd, ucmd, sizeof(cmd)))
return -EFAULT;
+ if (cmd.flags)
+ return -EINVAL;
memset(&c, 0, sizeof(c));
c.common.opcode = cmd.opcode;
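Review bot: The `if (cmd.flags)` test in nvme_user_cmd() rejects every flag bit, while the subject speaks of unsupported flags and the commit message names only the SGL flag. If no flag is supported on this passthrough path, a one-line comment saying so would stop a later reader from assuming a mask was intended. If some bits are meant to be allowed, test against an explicit mask of the supported bits instead of the whole field. The placement after the -EACCES return and copy_from_user(), and before `c` is filled in from `cmd`, looks right.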
--
2.6.2.307.g37023ba