[PATCH 1/2] nvme: fix memory corruption for passthrough metadata
Kanchan Joshi
joshi.k at samsung.com
Sun Aug 13 23:41:30 PDT 2023
On Fri, Aug 11, 2023 at 10:57:36AM -0600, Keith Busch wrote:
>On Fri, Aug 11, 2023 at 09:29:05PM +0530, Kanchan Joshi wrote:
>> +static bool nvme_validate_passthru_meta(struct nvme_ctrl *ctrl,
>> + struct nvme_ns *ns,
>> + struct nvme_command *c,
>> + __u64 meta, __u32 meta_len)
>> +{
>> + /*
>> + * User may specify smaller meta-buffer with a larger data-buffer.
>> + * Driver allocated meta buffer will also be small.
>> + * Device can do larger dma into that, overwriting unrelated kernel
>> + * memory.
>> + */
>> + if (ns && (meta_len || meta)) {
>> + u16 nlb = lower_16_bits(le32_to_cpu(c->common.cdw12));
>> +
>> + if (meta_len != (nlb + 1) * ns->ms) {
>> + dev_err(ctrl->device,
>> + "%s: metadata length does not match!\n", current->comm);
>> + return false;
>> + }
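Review bot: The `nlb` computation, `lower_16_bits(le32_to_cpu(c->common.cdw12))`, reads CDW12 bits 15:0 as a block count for every passthrough command that targets a namespace and carries metadata, but nothing in this function checks the opcode. That field only has this meaning for commands such as Read, Write and Compare. A command with a different CDW12 layout would either be rejected or be accepted with a length that does not bound the device's transfer. Consider restricting the check to opcodes whose CDW12 is known to encode NLB, and state that assumption in the comment. Separately, the `dev_err()` on the mismatch path is triggered directly by user-supplied values, so `dev_err_ratelimited()` would keep a misbehaving process from flooding the log.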
>
>Don't you need to check the command PRINFO PRACT bit to know if metadata
>length is stripped/generated on the controller side?
Good point. Will add that check in v2.