[PATCH 0/3] nvme: protect against possible request reference after completion
Sagi Grimberg
sagi at grimberg.me
Mon May 17 10:59:52 PDT 2021
Nothing in nvme protects against referencing a request after it was completed.
For example, in case a buggy controller sends a completion twice for the same
request, the host can access and modify a request that was already completed.
At best, this will cause a panic, but on the worst case, this can cause a silent
data corruption if the request was already reused and executed by the time
we reference it.
The nvme command_id is an opaque that we simply placed the request tag thus far.
To protect against a access after completion, we introduce a generation counter
to the upper 4-bits of the command_id that will increment every invocation and
be validated upon the reception of a completion. This will limit the maximum
queue depth to be effectively 4095, but we hardly ever use such long queues
(in fabrics the maximum is already 1024).
Feedback is welcome.
Sagi Grimberg (3):
nvme-tcp: don't check blk_mq_tag_to_rq when receiving pdu data
nvme-pci: limit maximum queue depth to 4095
nvme: code command_id with a genctr for use-after-free validation
drivers/nvme/host/core.c | 3 ++-
drivers/nvme/host/nvme.h | 47 +++++++++++++++++++++++++++++++++++++-
drivers/nvme/host/pci.c | 7 +++---
drivers/nvme/host/rdma.c | 4 ++--
drivers/nvme/host/tcp.c | 32 +++++++++++---------------
drivers/nvme/target/loop.c | 4 ++--
6 files changed, 69 insertions(+), 28 deletions(-)
--
2.27.0
More information about the Linux-nvme
mailing list