From: Nick Bowler <nbowler@draconx.ca> To: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org Cc: Sagi Grimberg <sagi@grimberg.me>, Christoph Hellwig <hch@infradead.org>, Keith Busch <kbusch@kernel.org> Subject: [PATCH v2 1/2] nvme: Fix compat NVME_IOCTL_SUBMIT_IO numbering Date: Sat, 28 Mar 2020 01:09:08 -0400 [thread overview] Message-ID: <20200328050909.30639-2-nbowler@draconx.ca> (raw) In-Reply-To: <20200328050909.30639-1-nbowler@draconx.ca> When __u64 has 64-bit alignment, the nvme_user_io structure has trailing padding. This causes problems in the compat case with 32-bit userspace that has less strict alignment because the size of the structure differs. Since the NVME_IOCTL_SUBMIT_IO macro encodes the structure size itself, the result is that this ioctl does not work at all in such a scenario: # nvme read /dev/nvme0n1 -z 512 submit-io: Inappropriate ioctl for device But by the same token, this makes it easy to handle both cases and since the structures differ only in unused trailing padding bytes we can simply not read those bytes. Signed-off-by: Nick Bowler <nbowler@draconx.ca> --- drivers/nvme/host/core.c | 19 +++++++++++++------ include/uapi/linux/nvme_ioctl.h | 25 +++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index a4d8c90ee7cc..9eccf56494de 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -1248,14 +1248,19 @@ static void nvme_enable_aen(struct nvme_ctrl *ctrl) queue_work(nvme_wq, &ctrl->async_event_work); } -static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio) +static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio, + size_t uio_size) { struct nvme_user_io io; struct nvme_command c; unsigned length, meta_len; void __user *metadata; - if (copy_from_user(&io, uio, sizeof(io))) + /* + * To handle the compat case the amount of data read may be reduced as + * the only difference is in unused padding at the end of the structure. + */ + if (copy_from_user(&io, uio, uio_size)) return -EFAULT; if (io.flags) return -EINVAL; @@ -1559,6 +1564,11 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, if (is_ctrl_ioctl(cmd)) return nvme_handle_ctrl_ioctl(ns, cmd, argp, head, srcu_idx); + if (cmd == NVME_IOCTL_SUBMIT_IO || cmd == NVME_IOCTL_SUBMIT_IO_COMPAT) { + ret = nvme_submit_io(ns, argp, _IOC_SIZE(cmd)); + goto out; + } + switch (cmd) { case NVME_IOCTL_ID: force_successful_syscall_return(); @@ -1567,9 +1577,6 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, case NVME_IOCTL_IO_CMD: ret = nvme_user_cmd(ns->ctrl, ns, argp); break; - case NVME_IOCTL_SUBMIT_IO: - ret = nvme_submit_io(ns, argp); - break; case NVME_IOCTL_IO64_CMD: ret = nvme_user_cmd64(ns->ctrl, ns, argp); break; @@ -1579,7 +1586,7 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, else ret = -ENOTTY; } - +out: nvme_put_ns_from_disk(head, srcu_idx); return ret; } diff --git a/include/uapi/linux/nvme_ioctl.h b/include/uapi/linux/nvme_ioctl.h index d99b5a772698..60e20f23bec9 100644 --- a/include/uapi/linux/nvme_ioctl.h +++ b/include/uapi/linux/nvme_ioctl.h @@ -9,6 +9,31 @@ #include <linux/types.h> +#ifdef __KERNEL__ +/* + * The nvme_user_io structure has excess padding at the end when __u64 has + * 64-bit alignment. In the compat case with less strict alignment, there + * is no such padding. The nvme_user_io_compat structure has otherwise + * identical layout to nvme_user_io as there is no padding between members. + */ +struct nvme_user_io_compat { + __u8 opcode; + __u8 flags; + __u16 control; + __u16 nblocks; + __u16 rsvd; + __u64 metadata; + __u64 addr; + __u64 slba; + __u32 dsmgmt; + __u32 reftag; + __u16 apptag; + __u16 appmask; +} __attribute__((packed)); + +#define NVME_IOCTL_SUBMIT_IO_COMPAT _IOW('N', 0x42, struct nvme_user_io_compat) +#endif + struct nvme_user_io { __u8 opcode; __u8 flags; -- 2.24.1
WARNING: multiple messages have this Message-ID (diff)
From: Nick Bowler <nbowler@draconx.ca> To: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org Cc: Christoph Hellwig <hch@infradead.org>, Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me> Subject: [PATCH v2 1/2] nvme: Fix compat NVME_IOCTL_SUBMIT_IO numbering Date: Sat, 28 Mar 2020 01:09:08 -0400 [thread overview] Message-ID: <20200328050909.30639-2-nbowler@draconx.ca> (raw) In-Reply-To: <20200328050909.30639-1-nbowler@draconx.ca> When __u64 has 64-bit alignment, the nvme_user_io structure has trailing padding. This causes problems in the compat case with 32-bit userspace that has less strict alignment because the size of the structure differs. Since the NVME_IOCTL_SUBMIT_IO macro encodes the structure size itself, the result is that this ioctl does not work at all in such a scenario: # nvme read /dev/nvme0n1 -z 512 submit-io: Inappropriate ioctl for device But by the same token, this makes it easy to handle both cases and since the structures differ only in unused trailing padding bytes we can simply not read those bytes. Signed-off-by: Nick Bowler <nbowler@draconx.ca> --- drivers/nvme/host/core.c | 19 +++++++++++++------ include/uapi/linux/nvme_ioctl.h | 25 +++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index a4d8c90ee7cc..9eccf56494de 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -1248,14 +1248,19 @@ static void nvme_enable_aen(struct nvme_ctrl *ctrl) queue_work(nvme_wq, &ctrl->async_event_work); } -static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio) +static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio, + size_t uio_size) { struct nvme_user_io io; struct nvme_command c; unsigned length, meta_len; void __user *metadata; - if (copy_from_user(&io, uio, sizeof(io))) + /* + * To handle the compat case the amount of data read may be reduced as + * the only difference is in unused padding at the end of the structure. + */ + if (copy_from_user(&io, uio, uio_size)) return -EFAULT; if (io.flags) return -EINVAL; @@ -1559,6 +1564,11 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, if (is_ctrl_ioctl(cmd)) return nvme_handle_ctrl_ioctl(ns, cmd, argp, head, srcu_idx); + if (cmd == NVME_IOCTL_SUBMIT_IO || cmd == NVME_IOCTL_SUBMIT_IO_COMPAT) { + ret = nvme_submit_io(ns, argp, _IOC_SIZE(cmd)); + goto out; + } + switch (cmd) { case NVME_IOCTL_ID: force_successful_syscall_return(); @@ -1567,9 +1577,6 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, case NVME_IOCTL_IO_CMD: ret = nvme_user_cmd(ns->ctrl, ns, argp); break; - case NVME_IOCTL_SUBMIT_IO: - ret = nvme_submit_io(ns, argp); - break; case NVME_IOCTL_IO64_CMD: ret = nvme_user_cmd64(ns->ctrl, ns, argp); break; @@ -1579,7 +1586,7 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, else ret = -ENOTTY; } - +out: nvme_put_ns_from_disk(head, srcu_idx); return ret; } diff --git a/include/uapi/linux/nvme_ioctl.h b/include/uapi/linux/nvme_ioctl.h index d99b5a772698..60e20f23bec9 100644 --- a/include/uapi/linux/nvme_ioctl.h +++ b/include/uapi/linux/nvme_ioctl.h @@ -9,6 +9,31 @@ #include <linux/types.h> +#ifdef __KERNEL__ +/* + * The nvme_user_io structure has excess padding at the end when __u64 has + * 64-bit alignment. In the compat case with less strict alignment, there + * is no such padding. The nvme_user_io_compat structure has otherwise + * identical layout to nvme_user_io as there is no padding between members. + */ +struct nvme_user_io_compat { + __u8 opcode; + __u8 flags; + __u16 control; + __u16 nblocks; + __u16 rsvd; + __u64 metadata; + __u64 addr; + __u64 slba; + __u32 dsmgmt; + __u32 reftag; + __u16 apptag; + __u16 appmask; +} __attribute__((packed)); + +#define NVME_IOCTL_SUBMIT_IO_COMPAT _IOW('N', 0x42, struct nvme_user_io_compat) +#endif + struct nvme_user_io { __u8 opcode; __u8 flags; -- 2.24.1 _______________________________________________ linux-nvme mailing list linux-nvme@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-nvme
next prev parent reply other threads:[~2020-03-28 5:17 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-03-28 5:09 [PATCH v2 0/2] nvme: compat ioctl fixes Nick Bowler 2020-03-28 5:09 ` Nick Bowler 2020-03-28 5:09 ` Nick Bowler [this message] 2020-03-28 5:09 ` [PATCH v2 1/2] nvme: Fix compat NVME_IOCTL_SUBMIT_IO numbering Nick Bowler 2020-03-28 8:26 ` Christoph Hellwig 2020-03-28 8:26 ` Christoph Hellwig 2020-03-28 13:56 ` Nick Bowler 2020-03-28 13:56 ` Nick Bowler 2020-03-28 5:09 ` [PATCH v2 2/2] nvme: Fix compat address handling in several ioctls Nick Bowler 2020-03-28 5:09 ` Nick Bowler 2020-03-28 8:26 ` Christoph Hellwig 2020-03-28 8:26 ` Christoph Hellwig 2020-03-31 14:17 ` Christoph Hellwig 2020-03-31 14:17 ` Christoph Hellwig
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20200328050909.30639-2-nbowler@draconx.ca \ --to=nbowler@draconx.ca \ --cc=hch@infradead.org \ --cc=kbusch@kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-nvme@lists.infradead.org \ --cc=sagi@grimberg.me \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.