NVMe: Don't allow unsupported flags

The command flags can change the meaning of other fields in the command that the driver is not prepared to handle. Specifically, the user could passthrough an SGL flag, causing the controller to misinterpret the PRP list the driver created, potentially corrupting memory or data. Signed-off-by: N Keith Busch <keith.busch@intel.com> Reviewed-by: N Jon Derrick <jonathan.derrick@intel.com> Reviewed-by: N Christoph Hellwig <hch@lst.de> Reviewed-by: N Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: N Jens Axboe <axboe@fb.com>

NVMe: Don't allow unsupported flags
The command flags can change the meaning of other fields in the command that the driver is not prepared to handle. Specifically, the user could passthrough an SGL flag, causing the controller to misinterpret the PRP list the driver created, potentially corrupting memory or data. Signed-off-by: N Keith Busch <keith.busch@intel.com> Reviewed-by: N Jon Derrick <jonathan.derrick@intel.com> Reviewed-by: N Christoph Hellwig <hch@lst.de> Reviewed-by: N Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: N Jens Axboe <axboe@fb.com>
63088ec7 · Keith Busch · Jens Axboe · 69d9a99c · 63088ec7
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

drivers/nvme/host/core.c drivers/nvme/host/core.c +4 -0

未找到文件。
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -374,6 +374,8 @@ static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio)

 	if (copy_from_user(&io, uio, sizeof(io)))
 		return -EFAULT;
+	if (io.flags)
+		return -EINVAL;

 	switch (io.opcode) {
 	case nvme_cmd_write:
@@ -425,6 +427,8 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
 		return -EACCES;
 	if (copy_from_user(&cmd, ucmd, sizeof(cmd)))
 		return -EFAULT;
+	if (cmd.flags)
+		return -EINVAL;

 	memset(&c, 0, sizeof(c));
 	c.common.opcode = cmd.opcode;