Date: Wed, 3 Jul 2013 23:58:09 +0000 (UTC) From: Jim Harris <jimharris@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r252665 - stable/9/sys/dev/nvme Message-ID: <201307032358.r63Nw9Z7069822@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jimharris Date: Wed Jul 3 23:58:09 2013 New Revision: 252665 URL: http://svnweb.freebsd.org/changeset/base/252665 Log: MFC r252272: Fail any passthrough command whose transfer size exceeds the controller's max transfer size. This guards against rogue commands coming in from userspace. Also add KASSERTS for the virtual address and unmapped bio cases, if the transfer size exceeds the controller's max transfer size. Sponsored by: Intel Modified: stable/9/sys/dev/nvme/nvme_ctrlr.c stable/9/sys/dev/nvme/nvme_qpair.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/dev/ (props changed) Modified: stable/9/sys/dev/nvme/nvme_ctrlr.c ============================================================================== --- stable/9/sys/dev/nvme/nvme_ctrlr.c Wed Jul 3 23:56:41 2013 (r252664) +++ stable/9/sys/dev/nvme/nvme_ctrlr.c Wed Jul 3 23:58:09 2013 (r252665) @@ -895,7 +895,13 @@ nvme_ctrlr_passthrough_cmd(struct nvme_c struct buf *buf = NULL; int ret = 0; - if (pt->len > 0) + if (pt->len > 0) { + if (pt->len > ctrlr->max_xfer_size) { + nvme_printf(ctrlr, "pt->len (%d) " + "exceeds max_xfer_size (%d)\n", pt->len, + ctrlr->max_xfer_size); + return EIO; + } if (is_user_buffer) { /* * Ensure the user buffer is wired for the duration of @@ -920,7 +926,7 @@ nvme_ctrlr_passthrough_cmd(struct nvme_c } else req = nvme_allocate_request_vaddr(pt->buf, pt->len, nvme_pt_done, pt); - else + } else req = nvme_allocate_request_null(nvme_pt_done, pt); req->cmd.opc = pt->cmd.opc; Modified: stable/9/sys/dev/nvme/nvme_qpair.c ============================================================================== --- stable/9/sys/dev/nvme/nvme_qpair.c Wed Jul 3 23:56:41 2013 (r252664) +++ stable/9/sys/dev/nvme/nvme_qpair.c Wed Jul 3 23:58:09 2013 (r252665) @@ -786,6 +786,9 @@ _nvme_qpair_submit_request(struct nvme_q switch (req->type) { case NVME_REQUEST_VADDR: + KASSERT(req->payload_size <= qpair->ctrlr->max_xfer_size, + ("payload_size (%d) exceeds max_xfer_size (%d)\n", + req->payload_size, qpair->ctrlr->max_xfer_size)); err = bus_dmamap_load(tr->qpair->dma_tag, tr->payload_dma_map, req->u.payload, req->payload_size, nvme_payload_map, tr, 0); if (err != 0) @@ -805,6 +808,10 @@ _nvme_qpair_submit_request(struct nvme_q break; #ifdef NVME_UNMAPPED_BIO_SUPPORT case NVME_REQUEST_BIO: + KASSERT(req->u.bio->bio_bcount <= qpair->ctrlr->max_xfer_size, + ("bio->bio_bcount (%jd) exceeds max_xfer_size (%d)\n", + (intmax_t)req->u.bio->bio_bcount, + qpair->ctrlr->max_xfer_size)); err = bus_dmamap_load_bio(tr->qpair->dma_tag, tr->payload_dma_map, req->u.bio, nvme_payload_map, tr, 0); if (err != 0)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201307032358.r63Nw9Z7069822>