From: Jim Harris Date: Wed, 3 Jul 2013 23:58:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r252665 - stable/9/sys/dev/nvme X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2013 23:58:10 -0000 Author: jimharris Date: Wed Jul 3 23:58:09 2013 New Revision: 252665 URL: http://svnweb.freebsd.org/changeset/base/252665 Log: MFC r252272: Fail any passthrough command whose transfer size exceeds the controller's max transfer size. This guards against rogue commands coming in from userspace. Also add KASSERTS for the virtual address and unmapped bio cases, if the transfer size exceeds the controller's max transfer size. Sponsored by: Intel Modified: stable/9/sys/dev/nvme/nvme_ctrlr.c stable/9/sys/dev/nvme/nvme_qpair.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/dev/ (props changed) Modified: stable/9/sys/dev/nvme/nvme_ctrlr.c ============================================================================== --- stable/9/sys/dev/nvme/nvme_ctrlr.c Wed Jul 3 23:56:41 2013 (r252664) +++ stable/9/sys/dev/nvme/nvme_ctrlr.c Wed Jul 3 23:58:09 2013 (r252665) @@ -895,7 +895,13 @@ nvme_ctrlr_passthrough_cmd(struct nvme_c struct buf *buf = NULL; int ret = 0; - if (pt->len > 0) + if (pt->len > 0) { + if (pt->len > ctrlr->max_xfer_size) { + nvme_printf(ctrlr, "pt->len (%d) " + "exceeds max_xfer_size (%d)\n", pt->len, + ctrlr->max_xfer_size); + return EIO; + } if (is_user_buffer) { /* * Ensure the user buffer is wired for the duration of 
@@ -920,7 +926,7 @@ nvme_ctrlr_passthrough_cmd(struct nvme_c } else req = nvme_allocate_request_vaddr(pt->buf, pt->len, nvme_pt_done, pt); - else + } else req = nvme_allocate_request_null(nvme_pt_done, pt); req->cmd.opc = pt->cmd.opc; Modified: stable/9/sys/dev/nvme/nvme_qpair.c ============================================================================== --- stable/9/sys/dev/nvme/nvme_qpair.c Wed Jul 3 23:56:41 2013 (r252664) +++ stable/9/sys/dev/nvme/nvme_qpair.c Wed Jul 3 23:58:09 2013 (r252665) @@ -786,6 +786,9 @@ _nvme_qpair_submit_request(struct nvme_q switch (req->type) { case NVME_REQUEST_VADDR: + KASSERT(req->payload_size <= qpair->ctrlr->max_xfer_size, + ("payload_size (%d) exceeds max_xfer_size (%d)\n", + req->payload_size, qpair->ctrlr->max_xfer_size)); err = bus_dmamap_load(tr->qpair->dma_tag, tr->payload_dma_map, req->u.payload, req->payload_size, nvme_payload_map, tr, 0); if (err != 0) @@ -805,6 +808,10 @@ _nvme_qpair_submit_request(struct nvme_q break; #ifdef NVME_UNMAPPED_BIO_SUPPORT case NVME_REQUEST_BIO: + KASSERT(req->u.bio->bio_bcount <= qpair->ctrlr->max_xfer_size, + ("bio->bio_bcount (%jd) exceeds max_xfer_size (%d)\n", + (intmax_t)req->u.bio->bio_bcount, + qpair->ctrlr->max_xfer_size)); err = bus_dmamap_load_bio(tr->qpair->dma_tag, tr->payload_dma_map, req->u.bio, nvme_payload_map, tr, 0); if (err != 0)
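Review bot: In nvme_ctrlr_passthrough_cmd() (nvme_ctrlr.c, hunk at -895), the new size check returns EIO, which a caller cannot tell apart from a device-level I/O failure; the rejection is for a caller-supplied pt->len, so EINVAL would describe it more accurately. The nvme_printf() on the same path fires once per rejected command with no rate limit, and the log message says these commands come in from userspace, so repeated oversized requests can fill the console log; consider rate-limiting the message or dropping it. Both values are formatted with %d; if pt->len and max_xfer_size are unsigned, %u is the matching specifier.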
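Review bot: The KASSERT added under case NVME_REQUEST_VADDR (nvme_qpair.c, hunk at -786) is compiled only into INVARIANTS kernels, so in a production kernel the passthrough check in nvme_ctrlr.c is the only runtime enforcement of max_xfer_size shown in this change. A short comment here stating that callers must have validated payload_size before submission, and that without INVARIANTS an oversized request proceeds to bus_dmamap_load() and relies on the existing err != 0 handling, would document that contract.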
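Review bot: The message string in the KASSERT under case NVME_REQUEST_BIO (nvme_qpair.c, hunk at -805) ends with "\n", as does the one in the NVME_REQUEST_VADDR case; KASSERT hands the message to panic(), which terminates the line itself, so the trailing newline can be dropped from both. The (intmax_t) cast with %jd for bio_bcount is correct; max_xfer_size is still printed with %d, which should be %u if the field is unsigned.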