nvme: avoid possible double fetch in handling CQE

stable inclusion from stable-5.10.9 commit 74310d40e0a41483dc7125347a9ccc249655fd85 bugzilla: 47457 -------------------------------- [ Upstream commit 62df8016 ] While handling the completion queue, keep a local copy of the command id from the DMA-accessible completion entry. This silences a time-of-check to time-of-use (TOCTOU) warning from KF/x[1], with respect to a Thunderclap[2] vulnerability analysis. The double-read impact appears benign. There may be a theoretical window for @command_id to be used as an adversary-controlled array-index-value for mounting a speculative execution attack, but that mitigation is saved for a potential follow-on. A man-in-the-middle attack on the data payload is out of scope for this analysis and is hopefully mitigated by filesystem integrity mechanisms. [1] https://github.com/intel/kernel-fuzzer-for-xen-project [2] http://thunderclap.io/thunderclap-paper-ndss2019.pdfSigned-off-by: N Lalithambika Krishna Kumar <lalithambika.krishnakumar@intel.com> Signed-off-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>

nvme: avoid possible double fetch in handling CQE
stable inclusion from stable-5.10.9 commit 74310d40e0a41483dc7125347a9ccc249655fd85 bugzilla: 47457 -------------------------------- [ Upstream commit 62df8016 ] While handling the completion queue, keep a local copy of the command id from the DMA-accessible completion entry. This silences a time-of-check to time-of-use (TOCTOU) warning from KF/x[1], with respect to a Thunderclap[2] vulnerability analysis. The double-read impact appears benign. There may be a theoretical window for @command_id to be used as an adversary-controlled array-index-value for mounting a speculative execution attack, but that mitigation is saved for a potential follow-on. A man-in-the-middle attack on the data payload is out of scope for this analysis and is hopefully mitigated by filesystem integrity mechanisms. [1] https://github.com/intel/kernel-fuzzer-for-xen-project [2] http://thunderclap.io/thunderclap-paper-ndss2019.pdfSigned-off-by: N Lalithambika Krishna Kumar <lalithambika.krishnakumar@intel.com> Signed-off-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>
0aaccf1e · Lalithambika Krishnakumar · Zheng Zengkai · c2ff532d · 0aaccf1e
隐藏空白更改
内联并排

Showing with 4 addition and 3 deletion

drivers/nvme/host/pci.c drivers/nvme/host/pci.c +4 -3

未找到文件。
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -967,6 +967,7 @@ static inline struct blk_mq_tags *nvme_queue_tagset(struct nvme_queue *nvmeq)
 static inline void nvme_handle_cqe(struct nvme_queue *nvmeq, u16 idx)
 {
 	struct nvme_completion *cqe = &nvmeq->cqes[idx];
+	__u16 command_id = READ_ONCE(cqe->command_id);
 	struct request *req;

 	/*
@@ -975,17 +976,17 @@ static inline void nvme_handle_cqe(struct nvme_queue *nvmeq, u16 idx)
 	 * aborts.  We don't even bother to allocate a struct request
 	 * for them but rather special case them here.
 	 */
-	if (unlikely(nvme_is_aen_req(nvmeq->qid, cqe->command_id))) {
+	if (unlikely(nvme_is_aen_req(nvmeq->qid, command_id))) {
 		nvme_complete_async_event(&nvmeq->dev->ctrl,
 				cqe->status, &cqe->result);
 		return;
 	}

-	req = blk_mq_tag_to_rq(nvme_queue_tagset(nvmeq), cqe->command_id);
+	req = blk_mq_tag_to_rq(nvme_queue_tagset(nvmeq), command_id);
 	if (unlikely(!req)) {
 		dev_warn(nvmeq->dev->ctrl.device,
 			"invalid id %d completed on queue %d\n",
-			cqe->command_id, le16_to_cpu(cqe->sq_id));
+			command_id, le16_to_cpu(cqe->sq_id));
 		return;
 	}