public inbox for linux-nvme@lists.infradead.org
From: Ming Lei <ming.lei@redhat.com>
To: Keith Busch <kbusch@kernel.org>
Cc: Maurizio Lombardi <mlombard@redhat.com>,
	linux-nvme@lists.infradead.org, axboe@fb.com,
	Christoph Hellwig <hch@lst.de>, Sagi Grimberg <sagi@grimberg.me>,
	Ming Lei <minlei@redhat.com>,
	linux-kernel@vger.kernel.org
Subject: Re: nvme-host: disk corruptions when issuing IDENTIFY commands via ioctl()
Date: Wed, 9 Mar 2022 10:48:35 +0800	[thread overview]
Message-ID: <YigVg/URukuwwKWF@T590> (raw)
In-Reply-To: <20220309011429.GA3948855@dhcp-10-100-145-180.wdc.com>

On Tue, Mar 08, 2022 at 05:14:29PM -0800, Keith Busch wrote:
> On Wed, Mar 09, 2022 at 09:02:42AM +0800, Ming Lei wrote:
> > On Tue, Mar 08, 2022 at 04:39:04PM -0800, Keith Busch wrote:
> > > On Wed, Mar 09, 2022 at 08:18:47AM +0800, Ming Lei wrote:
> > > > Given that the NVMe spec states that the data length of the IDENTIFY command should be
> > > > 4096 bytes, and a PRP list can't be used.
> > > > 
> > > > So it looks like the nvme driver needs to validate the command before submitting it to
> > > > hardware, otherwise any buggy application can break the FS or memory easily.
> > > 
> > > No way. The driver does not police the user passthrough interface for
> > > these kinds of things.
> > 
> > So you trust the application to always provide correct data?
> >
> > From the user's viewpoint, this defect provides an easy hole to break the FS or
> > memory; it is a serious issue, IMO. The FS/memory corruption can
> > be reproduced easily even in a VM.
> 
> It doesn't seem so serious considering it's been this way for 10 years,
> and we already knew about this. It's even been reported before:
> 
>   http://lists.infradead.org/pipermail/linux-nvme/2013-August/000365.html

BTW, this issue is actually a real report from a Red Hat customer.

> 
> > > It couldn't ever be complete or future proof if
> > > it did.
> > 
> > But the spec states clearly that the data length of the IDENTIFY command is 4096
> > and a PRP list can't be used, so why do you think it isn't complete or
> > future proof to validate the data length of IDENTIFY in the nvme driver?
> 
> The current spec says that opcode uses 4k today. What about some time in
> the future?

A spec change should only apply to future hardware; it cannot break
current in-market hardware.

The nvme target already validates the Identify transfer length.

> And why are you focusing on Identify anyway?

The NVMe spec states explicitly that the following 4 commands can't use a PRP list:

- Identify command
- Namespace Attachment command
- Namespace Management command
- Set Features command

So it should be enough to just validate these commands.

Thanks, 
Ming
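The check argued for above, as an added example that is not part of this mail or of the kernel's nvme driver: a standalone C validator for a user passthrough admin command, applied to the four opcodes the mail lists as "no PRP list allowed". The opcode values (Identify 0x06, Set Features 0x09, Namespace Management 0x0d, Namespace Attachment 0x15) and the 4096-byte Identify data size are taken from the NVMe base spec; the "two pages at most" bound is the author's reading of what PRP1 + PRP2 can describe without a PRP list (the tail of the page containing PRP1 plus one further page), and `page_size`, `validate_admin_passthru` and the other names here are assumptions of the example, not kernel symbols.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Admin opcodes from the NVMe base spec opcode table. */
enum {
    NVME_ADMIN_IDENTIFY     = 0x06,
    NVME_ADMIN_SET_FEATURES = 0x09,
    NVME_ADMIN_NS_MGMT      = 0x0d,
    NVME_ADMIN_NS_ATTACH    = 0x15,
};

/* The Identify data structure is always exactly 4096 bytes. */
#define NVME_IDENTIFY_DATA_SIZE 4096u

/* The four admin commands the mail lists as "PRP list can't be used". */
static bool admin_cmd_forbids_prp_list(uint8_t opcode)
{
    switch (opcode) {
    case NVME_ADMIN_IDENTIFY:
    case NVME_ADMIN_SET_FEATURES:
    case NVME_ADMIN_NS_MGMT:
    case NVME_ADMIN_NS_ATTACH:
        return true;
    default:
        return false;
    }
}

/*
 * Assumption of this example: without a PRP list, PRP1 covers the rest of
 * the page that contains `addr` and PRP2 covers one more full page, so the
 * largest transfer that needs no list is that tail plus one page.
 */
static uint64_t max_len_without_prp_list(uint64_t addr, uint64_t page_size)
{
    uint64_t room_in_first_page = page_size - (addr & (page_size - 1));
    return room_in_first_page + page_size;
}

/*
 * Validate a user passthrough admin command before it would be built into
 * a submission queue entry. `page_size` is the controller memory page size
 * (MPS), a power of two of at least 4 KiB. Returns 0 if the command is
 * acceptable and -EINVAL if it would need a PRP list (or, for Identify,
 * if the data length is not the 4096 bytes the spec mandates).
 */
int validate_admin_passthru(uint8_t opcode, uint64_t addr, uint32_t data_len,
                            uint64_t page_size)
{
    if (page_size < 4096 || (page_size & (page_size - 1)) != 0)
        return -EINVAL;          /* not a valid MPS */

    if (!admin_cmd_forbids_prp_list(opcode))
        return 0;                /* other opcodes may use a PRP list; not checked here */

    if (opcode == NVME_ADMIN_IDENTIFY && data_len != NVME_IDENTIFY_DATA_SIZE)
        return -EINVAL;          /* a buggy application passed the wrong length */

    if (data_len > max_len_without_prp_list(addr, page_size))
        return -EINVAL;          /* PRP1 + PRP2 cannot describe it; a list would be needed */

    return 0;
}
```

The Set Features case shows why the length check alone is not enough: an 8 KiB buffer fits in PRP1 + PRP2 when it is page-aligned, but the same length starting in the middle of a page spills into a third page and would force a PRP list, so the check has to look at the user address as well as the length.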




Thread overview: 12+ messages
2022-03-08 16:45 nvme-host: disk corruptions when issuing IDENTIFY commands via ioctl() Maurizio Lombardi
2022-03-08 19:52 ` Keith Busch
2022-03-09  0:18   ` Ming Lei
2022-03-09  0:39     ` Keith Busch
2022-03-09  1:02       ` Ming Lei
2022-03-09  1:14         ` Keith Busch
2022-03-09  2:48           ` Ming Lei [this message]
2022-03-09  3:09             ` Keith Busch
2022-03-09  6:26 ` Christoph Hellwig
2022-03-09 16:23   ` Keith Busch
2022-03-10 16:04     ` Christoph Hellwig
2022-03-10 17:38       ` Keith Busch
