[PATCH v2 0/4] nvme: protect against possible request reference after completion
Sagi Grimberg
sagi at grimberg.me
Wed May 19 10:43:36 PDT 2021

Nothing in nvme protects against referencing a request after it was completed.
For example, in case a buggy controller sends a completion twice for the same
request, the host can access and modify a request that was already completed.
At best, this will cause a panic, but in the worst case, this can cause a silent
data corruption if the request was already reused and executed by the time
we reference it.

The nvme command_id is an opaque value in which we simply placed the request tag thus far.
To protect against an access after completion, we introduce a generation counter
to the upper 4-bits of the command_id that will increment every invocation and
be validated upon the reception of a completion. This will limit the maximum
queue depth to be effectively 4095, but we hardly ever use such long queues
(in fabrics the maximum is already 1024).

Changes from v1:
- lift param_set_uint_minmax and reuse it
- simplify initialization in patch 3/4

Sagi Grimberg (4):
  params: lift param_set_uint_minmax to common code
  nvme-pci: limit maximum queue depth to 4095
  nvme-tcp: don't check blk_mq_tag_to_rq when receiving pdu data
  nvme: code command_id with a genctr for use-after-free validation

drivers/nvme/host/core.c | 3 ++-
drivers/nvme/host/nvme.h | 47 ++++++++++++++++++++++++++++++++++++-
drivers/nvme/host/pci.c | 17 ++++++--------
drivers/nvme/host/rdma.c | 4 ++--
drivers/nvme/host/tcp.c | 38 ++++++++++++------------------
drivers/nvme/target/loop.c | 4 ++--
include/linux/moduleparam.h | 3 +++
kernel/params.c | 19 +++++++++++++++
net/sunrpc/xprtsock.c | 18 --------------
9 files changed, 96 insertions(+), 57 deletions(-)
--
2.27.0
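
The command_id scheme described in the cover letter above, as an added user-space example that is not code from this patch series: a 4-bit generation counter in the upper bits of a 16-bit command_id, checked when a completion arrives. The names `demo_req`, `demo_submit`, `demo_complete` and the queue depth of 8 are hypothetical, chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TAG_BITS    12                       /* lower 12 bits: request tag */
#define TAG_MASK    ((1u << TAG_BITS) - 1)
#define GENCTR_MASK 0xfu                     /* upper 4 bits: generation counter */
#define QDEPTH      8                        /* constructed small queue for the demo */

struct demo_req { uint8_t genctr; };         /* hypothetical per-request state */
static struct demo_req reqs[QDEPTH];

/* Submission: bump the request's generation and encode it with the tag.
 * The caller must pass tag < QDEPTH. */
static uint16_t demo_submit(uint16_t tag)
{
    struct demo_req *rq = &reqs[tag];

    rq->genctr = (rq->genctr + 1) & GENCTR_MASK;
    return (uint16_t)((rq->genctr << TAG_BITS) | (tag & TAG_MASK));
}

/* Completion: 0 if the command_id carries the request's current generation,
 * -1 if the tag is out of range or the generation is stale. */
static int demo_complete(uint16_t command_id)
{
    uint16_t tag = command_id & TAG_MASK;
    uint8_t gen = (command_id >> TAG_BITS) & GENCTR_MASK;

    if (tag >= QDEPTH)
        return -1;
    if (reqs[tag].genctr != gen)
        return -1;                           /* completion for an older use of this tag */
    return 0;
}

int main(void)
{
    uint16_t first = demo_submit(3);
    printf("complete first:  %d\n", demo_complete(first));
    uint16_t reused = demo_submit(3);        /* tag 3 reused by a new request */
    printf("stale duplicate: %d\n", demo_complete(first));
    printf("complete reused: %d\n", demo_complete(reused));
    return 0;
}
```

In this sketch the 4-bit counter wraps after 16 uses of a tag, so a completion delayed by exactly 16 generations would carry a matching value again.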