Commit 63088ec7 authored Feb 24, 2016 by Keith Busch Committed by Jens Axboe Mar 03, 2016

NVMe: Don't allow unsupported flags



The command flags can change the meaning of other fields in the command
that the driver is not prepared to handle. Specifically, the user could
passthrough an SGL flag, causing the controller to misinterpret the PRP
list the driver created, potentially corrupting memory or data.

Signed-off-by: Keith Busch <keith.busch@intel.com>
Reviewed-by: Jon Derrick <jonathan.derrick@intel.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Jens Axboe <axboe@fb.com>

parent 69d9a99c

drivers/nvme/host/core.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -374,6 +374,8 @@ static int nvme_submit_io(struct nvme_ns ns, struct nvme_user_io __user uio)

		if (copy_from_user(&io, uio, sizeof(io)))
		return -EFAULT;
		if (io.flags)
		return -EINVAL;

		switch (io.opcode) {
		case nvme_cmd_write:
		@@ -425,6 +427,8 @@ static int nvme_user_cmd(struct nvme_ctrl ctrl, struct nvme_ns ns,
		return -EACCES;
		if (copy_from_user(&cmd, ucmd, sizeof(cmd)))
		return -EFAULT;
		if (cmd.flags)
		return -EINVAL;

		memset(&c, 0, sizeof(c));
		c.common.opcode = cmd.opcode;