linux-nvme.lists.infradead.org archive mirror
From: keith.busch@intel.com (Keith Busch)
Subject: [PATCHv4-4.5 7/7] NVMe: Fix 0-length integrity payload
Date: Wed, 24 Feb 2016 09:15:58 -0700
Message-ID: <1456330558-819-8-git-send-email-keith.busch@intel.com>
In-Reply-To: <1456330558-819-1-git-send-email-keith.busch@intel.com>

A user could send a passthrough IO command with a metadata pointer to a
namespace without metadata. With metadata length of 0, kmalloc returns
ZERO_SIZE_PTR. Since that is not NULL, the driver would have set this as
the bio's integrity payload, which causes an access fault on completion.

This patch ignores the user's metadata buffer if the namespace format
does not support separate metadata.

Reported-by: Stephen Bates <stephen.bates at microsemi.com>
Signed-off-by: Keith Busch <keith.busch at intel.com>
Reviewed-by: Sagi Grimberg <sagig at mellanox.com>
Reviewed-by: Christoph Hellwig <hch at lst.de>
---
 drivers/nvme/host/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 9011685..5455ca0 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -184,7 +184,7 @@ int __nvme_submit_user_cmd(struct request_queue *q, struct nvme_command *cmd,
 			goto out_unmap;
 		}
 
-		if (meta_buffer) {
+		if (meta_buffer && meta_len) {
 			struct bio_integrity_payload *bip;
 
 			meta = kmalloc(meta_len, GFP_KERNEL);
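
Review bot: the added `meta_len` test in `if (meta_buffer && meta_len)` makes a non-NULL user metadata pointer with a zero length fall through silently, so the caller gets no indication that its buffer was ignored. If that is the intended contract, a one-line comment above the condition noting that `kmalloc(0)` returns ZERO_SIZE_PTR, which is non-NULL and must not be installed as the bio's integrity payload, would keep a later cleanup from dropping the check; otherwise consider failing the command with an error when `meta_buffer` is set and `meta_len` is 0.
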
-- 
2.6.2.307.g37023ba

Thread overview: 15+ messages
2016-02-24 16:15 [PATCHv4-4.5 0/7] Rebased fixes Keith Busch
2016-02-24 16:15 ` [PATCHv4-4.5 1/7] NVMe: Don't unmap controller registers on reset Keith Busch
2016-02-24 16:15 ` [PATCHv4-4.5 2/7] NVMe: Use IDA for namespace disk naming Keith Busch
2016-02-24 19:33   ` Christoph Hellwig
2016-02-25  8:07   ` Johannes Thumshirn
2016-02-24 16:15 ` [PATCHv4-4.5 3/7] NVMe: Fix namespace removal deadlock Keith Busch
2016-02-24 19:34   ` Christoph Hellwig
2016-02-24 16:15 ` [PATCHv4-4.5 4/7] NVMe: Simplify device reset failure Keith Busch
2016-02-24 16:15 ` [PATCHv4-4.5 5/7] NVMe: Move error handling to failed reset handler Keith Busch
2016-03-29 10:55   ` Christoph Hellwig
2016-02-24 16:15 ` [PATCHv4-4.5 6/7] NVMe: Don't allow unsupported flags Keith Busch
2016-02-24 19:35   ` Christoph Hellwig
2016-02-25  8:12   ` Johannes Thumshirn
2016-02-24 16:15 ` Keith Busch [this message]
2016-02-25  8:13   ` [PATCHv4-4.5 7/7] NVMe: Fix 0-length integrity payload Johannes Thumshirn
