NVMe: Fix 0-length integrity payload

A user could send a passthrough IO command with a metadata pointer to a namespace without metadata. With metadata length of 0, kmalloc returns ZERO_SIZE_PTR. Since that is not NULL, the driver would have set this as the bio's integrity payload, which causes an access fault on completion. This patch ignores the users metadata buffer if the namespace format does not support separate metadata. Reported-by: N Stephen Bates <stephen.bates@microsemi.com> Signed-off-by: N Keith Busch <keith.busch@intel.com> Reviewed-by: N Sagi Grimberg <sagig@mellanox.com> Reviewed-by: N Christoph Hellwig <hch@lst.de> Reviewed-by: N Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: N Jens Axboe <axboe@fb.com>

NVMe: Fix 0-length integrity payload
A user could send a passthrough IO command with a metadata pointer to a namespace without metadata. With metadata length of 0, kmalloc returns ZERO_SIZE_PTR. Since that is not NULL, the driver would have set this as the bio's integrity payload, which causes an access fault on completion. This patch ignores the users metadata buffer if the namespace format does not support separate metadata. Reported-by: N Stephen Bates <stephen.bates@microsemi.com> Signed-off-by: N Keith Busch <keith.busch@intel.com> Reviewed-by: N Sagi Grimberg <sagig@mellanox.com> Reviewed-by: N Christoph Hellwig <hch@lst.de> Reviewed-by: N Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: N Jens Axboe <axboe@fb.com>
e9fc63d6 · Keith Busch · Jens Axboe · 63088ec7 · e9fc63d6
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/nvme/host/core.c drivers/nvme/host/core.c +1 -1

未找到文件。
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -184,7 +184,7 @@ int __nvme_submit_user_cmd(struct request_queue *q, struct nvme_command *cmd,
 			goto out_unmap;
 		}

-		if (meta_buffer) {
+		if (meta_buffer && meta_len) {
 			struct bio_integrity_payload *bip;

 			meta = kmalloc(meta_len, GFP_KERNEL);