From: Kanchan Joshi <joshi.k@samsung.com>
To: hch@lst.de, kbusch@kernel.org, axboe@kernel.dk, sagi@grimberg.me
Cc: linux-nvme@lists.infradead.org, vincentfu@gmail.com,
ankit.kumar@samsung.com, joshiiitr@gmail.com,
gost.dev@samsung.com, Kanchan Joshi <joshi.k@samsung.com>
Subject: [PATCH 0/2] Fix memory-corruption for passthrough metadata
Date: Fri, 11 Aug 2023 21:29:04 +0530 [thread overview]
Message-ID: <20230811155906.15883-1-joshi.k@samsung.com> (raw)
In-Reply-To: CGME20230811160449epcas5p3beee9d2c65c71e95d8e92f25fb1f98c4@epcas5p3.samsung.com
A malformed user-space application can specify a smaller meta-buffer and a
larger data-buffer.
For a DIX namespace, the nvme driver allocates a meta-buffer (of the same small
size that the user specified) and that is passed to the device for DMA.
The device can do DMA writes (of larger length) into unrelated kernel
memory, leading to random crashes [1].

Patch 1: avoids the above for uring passthrough
Patch 2: avoids the same for sync passthrough
[1]
[ 6815.014478] general protection fault, probably for non-canonical address 0x70e3cdbe9133b7a6: 0000 [#1] PREEMPT SMP PTI
[ 6815.014505] CPU: 1 PID: 434 Comm: systemd-timesyn Tainted: G OE 6.4.0-rc3+ #5
[ 6815.014516] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 6815.014522] RIP: 0010:__kmem_cache_alloc_node+0x100/0x440
[ 6815.014551] Code: 48 85 c0 0f 84 fb 02 00 00 41 83 ff ff 74 10 48 8b 00 48 c1 e8 36 41 39 c7 0f 85 e5 02 00 00 41 8b 45 28 49 8b 7d 00 4c 01 e0 <48> 8b 18 48 89 c1 49 33 9d b8 00 00 00 4c 89 e0 48 0f c9 48 31 cb
[ 6815.014559] RSP: 0018:ffffb510c0577d18 EFLAGS: 00010216
[ 6815.014569] RAX: 70e3cdbe9133b7a6 RBX: ffff8a9ec1042300 RCX: 0000000000000010
[ 6815.014575] RDX: 00000000048b0001 RSI: 0000000000000dc0 RDI: 0000000000037060
[ 6815.014581] RBP: ffffb510c0577d58 R08: ffffffffb9ffa280 R09: 0000000000000000
[ 6815.014586] R10: ffff8a9ecbcab1f0 R11: 0000000000000000 R12: 70e3cdbe9133b79e
[ 6815.014591] R13: ffff8a9ec1042300 R14: 0000000000000dc0 R15: 00000000ffffffff
[ 6815.014597] FS: 00007fce590d6940(0000) GS:ffff8a9f3dd00000(0000) knlGS:0000000000000000
[ 6815.014604] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6815.014609] CR2: 00005579abbb6498 CR3: 000000000d9b0000 CR4: 00000000000006e0
[ 6815.014622] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 6815.014627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 6815.014632] Call Trace:
[ 6815.014650] <TASK>
[ 6815.014655] ? apparmor_sk_alloc_security+0x40/0x80
[ 6815.014673] kmalloc_trace+0x2a/0xa0
[ 6815.014684] apparmor_sk_alloc_security+0x40/0x80
[ 6815.014694] security_sk_alloc+0x3f/0x60
[ 6815.014703] sk_prot_alloc+0x75/0x110
[ 6815.014712] sk_alloc+0x31/0x200
[ 6815.014721] inet_create+0xd8/0x3a0
[ 6815.014734] __sock_create+0x11b/0x220
[ 6815.014749] __sys_socket_create.part.0+0x49/0x70
[ 6815.014756] ? __secure_computing+0x94/0xf0
[ 6815.014768] __sys_socket+0x3c/0xc0
[ 6815.014776] __x64_sys_socket+0x1a/0x30
[ 6815.014783] do_syscall_64+0x3b/0x90
[ 6815.014794] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 6815.014804] RIP: 0033:0x7fce59aa795b
Kanchan Joshi (2):
nvme: fix memory corruption for passthrough metadata
nvme: avoid memory corruption for sync passthrough
drivers/nvme/host/ioctl.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
--
2.25.1
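The failure mode described in the cover letter is a length-consistency bug: the driver sizes the kernel metadata buffer from what user space claims, while the device sizes its metadata DMA from the number of logical blocks the data transfer covers. The following is an added, stand-alone user-space model of the check a passthrough path needs before handing a kernel-allocated metadata buffer to the device; it is example code written for this page, not the nvme driver's code or the fix in the two patches. The `struct ns_geom` type, the `passthru_meta_len_ok()` helper, and the namespace geometry (512-byte LBAs with 8 bytes of separate metadata per block) are assumptions made for the example.

```c
/* Added example, not code from the nvme driver or from the patch series.
 * Models the metadata-length validation a passthrough path must do before
 * allocating a kernel metadata buffer and handing it to the device for DMA.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical namespace geometry (assumption for this example). */
struct ns_geom {
	unsigned lba_shift;	/* log2 of the logical block size, e.g. 9 for 512 B */
	unsigned ms;		/* bytes of separate (DIX) metadata per logical block */
};

/*
 * Return 0 if a metadata buffer of meta_len bytes is large enough for the
 * number of logical blocks that data_len covers, -EINVAL if it is too small
 * (or the sizes are inconsistent), -EOVERFLOW if the product would wrap.
 * On success or -EINVAL, *required (if non-NULL) receives the byte count the
 * device will actually DMA for metadata.
 *
 * The device transfers nblocks * ms metadata bytes regardless of how big the
 * buffer behind the metadata pointer really is, so a caller that trusts
 * meta_len from user space lets the device write past the kernel allocation.
 */
static int passthru_meta_len_ok(const struct ns_geom *ns, uint64_t data_len,
				uint64_t meta_len, uint64_t *required)
{
	uint64_t nblocks, need;

	/* Namespace without separate metadata: a metadata buffer is bogus. */
	if (ns->ms == 0)
		return meta_len ? -EINVAL : 0;

	/* Data transfer must be a whole number of logical blocks. */
	if (data_len & ((UINT64_C(1) << ns->lba_shift) - 1))
		return -EINVAL;

	nblocks = data_len >> ns->lba_shift;
	if (nblocks && ns->ms > UINT64_MAX / nblocks)
		return -EOVERFLOW;

	need = nblocks * ns->ms;
	if (required)
		*required = need;

	/* A buffer smaller than what the device will write is the corruption case. */
	if (meta_len < need)
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* Constructed scenario from the cover letter: large data buffer, tiny
	 * metadata buffer. 64 KiB of 512-byte blocks is 128 blocks, so the
	 * device will DMA 128 * 8 = 1024 bytes of metadata, not 16. */
	const struct ns_geom ns = { .lba_shift = 9, .ms = 8 };
	uint64_t need = 0;
	int rc = passthru_meta_len_ok(&ns, 65536, 16, &need);

	printf("meta_len=16 data_len=65536: rc=%d, device would write %llu bytes\n",
	       rc, (unsigned long long)need);
	rc = passthru_meta_len_ok(&ns, 65536, 1024, &need);
	printf("meta_len=1024 data_len=65536: rc=%d\n", rc);
	return 0;
}
```

The check is deliberately `meta_len < need` rather than `!=`: a buffer larger than the device will touch is wasteful but not a memory-safety problem, whereas a shorter one is exactly the case in the cover letter. A stricter implementation can reject any mismatch. Note that the validation has to use the namespace's own per-block metadata size and the block count implied by the data transfer, never a size supplied by the same untrusted caller that supplied the buffer.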
Thread overview:
  2023-08-11 15:59 ` [PATCH 0/2] Fix memory-corruption for passthrough metadata  Kanchan Joshi [this message]
  2023-08-11 15:59 ` [PATCH 1/2] nvme: fix memory corruption for passthrough metadata  Kanchan Joshi
  2023-08-11 16:57   ` Keith Busch
  2023-08-14  6:41     ` Kanchan Joshi
  2023-08-11 15:59 ` [PATCH 2/2] nvme: avoid memory corruption for sync passthrough  Kanchan Joshi