authorHannes Reinecke <hare@suse.de>2019-03-20 11:30:41 +0100
committerHannes Reinecke <hare@suse.de>2019-03-20 11:30:41 +0100
commit278fbe15c609daa9c708d53983178fe08cdb1f7b (patch)
tree9034635eb45b93a60557f5353b12c33371700a8e
parent54fa6df5a1f4afab8d7d38d174dc1a8e14d8c304 (diff)
nvme-pci: fix out of bounds access in nvme_cqe_pending
(bsc#1127595).
-rw-r--r--patches.fixes/nvme-pci-fix-out-of-bounds-access-in-nvme_cqe_pendin.patch44
-rw-r--r--series.conf1
2 files changed, 45 insertions, 0 deletions
diff --git a/patches.fixes/nvme-pci-fix-out-of-bounds-access-in-nvme_cqe_pendin.patch b/patches.fixes/nvme-pci-fix-out-of-bounds-access-in-nvme_cqe_pendin.patch
new file mode 100644
index 0000000000..690cf0c8b5
--- /dev/null
+++ b/patches.fixes/nvme-pci-fix-out-of-bounds-access-in-nvme_cqe_pendin.patch
@@ -0,0 +1,44 @@
+From: Hongbo Yao <yaohongbo@huawei.com>
+Date: Mon, 7 Jan 2019 10:22:07 +0800
+Subject: [PATCH] nvme-pci: fix out of bounds access in nvme_cqe_pending
+Git-commit: dcca1662727220d18fa351097ddff33f95f516c5
+References: bsc#1127595
+Patch-Mainline: v5.0-rc2
+
+There is an out of bounds array access in nvme_cqe_peding().
+
+When enable irq_thread for nvme interrupt, there is racing between the
+nvmeq->cq_head updating and reading.
+
+nvmeq->cq_head is updated in nvme_update_cq_head(), if nvmeq->cq_head
+equals nvmeq->q_depth and before its value set to zero, nvme_cqe_pending()
+uses its value as an array index, the index will be out of bounds.
+
+Signed-off-by: Hongbo Yao <yaohongbo@huawei.com>
+[hch: slight coding style update]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/nvme/host/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index d9fb622512c8..222c78ec7e27 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -973,9 +973,11 @@ static inline bool nvme_read_cqe(struct nvme_queue *nvmeq,
+ if (nvme_cqe_valid(nvmeq, nvmeq->cq_head, nvmeq->cq_phase)) {
+ *cqe = nvmeq->cqes[nvmeq->cq_head];
+
+- if (++nvmeq->cq_head == nvmeq->q_depth) {
++ if (nvmeq->cq_head == nvmeq->q_depth - 1) {
+ nvmeq->cq_head = 0;
+ nvmeq->cq_phase = !nvmeq->cq_phase;
++ } else {
++ nvmeq->cq_head++;
+ }
+ return true;
+ }
+--
+2.16.4
+
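Review bot: The rewritten update on lines 56–61 stops cq_head from ever holding the out-of-range value q_depth, but cq_head and cq_phase are still two separate plain writes with no synchronisation, so the reader race the description blames is narrowed rather than closed: a reader that lands between `nvmeq->cq_head = 0;` and the phase flip sees the new head with the old phase, which presumably lets the stale entry at cqes[0] pass nvme_cqe_valid() and replay a completion — verify against the poll/irq-thread caller. That residual window should at least be documented at the point of the fix; I would add above the `if`: `/* Never let cq_head reach q_depth: racing readers index cqes[] with it unlocked. */`. Note also that the subject and description name nvme_cqe_pending() while the hunk header shows the change landing in nvme_read_cqe(); the backport header should state that mapping so a later reader can find the mainline counterpart. nvme_read_cqe() starts before and continues past this hunk.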
diff --git a/series.conf b/series.conf
index 742df71af7..091f670bef 100644
--- a/series.conf
+++ b/series.conf
@@ -20455,6 +20455,7 @@
patches.drm/0001-drm-fb-helper-Ignore-the-value-of-fb_var_screeninfo..patch
patches.fixes/kvm-sev-fail-kvm_sev_init-if-already-initialized.patch
patches.fixes/loop-drop-caches-if-offset-or-block_size-are-changed.patch
+ patches.fixes/nvme-pci-fix-out-of-bounds-access-in-nvme_cqe_pendin.patch
patches.fixes/nvme-multipath-zero-out-ANA-log-buffer.patch
patches.drivers/ata-ahci-mvebu-remove-stale-comment.patch
patches.fixes/0001-usb-cdc-acm-send-ZLP-for-Telit-3G-Intel-based-modems.patch