From: Jim Harris Date: Wed, 26 Jun 2013 23:32:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r252272 - head/sys/dev/nvme X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jun 2013 23:32:46 -0000 Author: jimharris Date: Wed Jun 26 23:32:45 2013 New Revision: 252272 URL: http://svnweb.freebsd.org/changeset/base/252272 Log: Fail any passthrough command whose transfer size exceeds the controller's max transfer size. This guards against rogue commands coming in from userspace. Also add KASSERTS for the virtual address and unmapped bio cases, if the transfer size exceeds the controller's max transfer size. Sponsored by: Intel MFC after: 3 days Modified: head/sys/dev/nvme/nvme_ctrlr.c head/sys/dev/nvme/nvme_qpair.c Modified: head/sys/dev/nvme/nvme_ctrlr.c ============================================================================== --- head/sys/dev/nvme/nvme_ctrlr.c Wed Jun 26 23:27:17 2013 (r252271) +++ head/sys/dev/nvme/nvme_ctrlr.c Wed Jun 26 23:32:45 2013 (r252272) @@ -895,7 +895,13 @@ nvme_ctrlr_passthrough_cmd(struct nvme_c struct buf *buf = NULL; int ret = 0; - if (pt->len > 0) + if (pt->len > 0) { + if (pt->len > ctrlr->max_xfer_size) { + nvme_printf(ctrlr, "pt->len (%d) " + "exceeds max_xfer_size (%d)\n", pt->len, + ctrlr->max_xfer_size); + return EIO; + } if (is_user_buffer) { /* * Ensure the user buffer is wired for the duration of 
@@ -920,7 +926,7 @@ nvme_ctrlr_passthrough_cmd(struct nvme_c } else req = nvme_allocate_request_vaddr(pt->buf, pt->len, nvme_pt_done, pt); - else + } else req = nvme_allocate_request_null(nvme_pt_done, pt); req->cmd.opc = pt->cmd.opc; Modified: head/sys/dev/nvme/nvme_qpair.c ============================================================================== --- head/sys/dev/nvme/nvme_qpair.c Wed Jun 26 23:27:17 2013 (r252271) +++ head/sys/dev/nvme/nvme_qpair.c Wed Jun 26 23:32:45 2013 (r252272) @@ -786,6 +786,9 @@ _nvme_qpair_submit_request(struct nvme_q switch (req->type) { case NVME_REQUEST_VADDR: + KASSERT(req->payload_size <= qpair->ctrlr->max_xfer_size, + ("payload_size (%d) exceeds max_xfer_size (%d)\n", + req->payload_size, qpair->ctrlr->max_xfer_size)); err = bus_dmamap_load(tr->qpair->dma_tag, tr->payload_dma_map, req->u.payload, req->payload_size, nvme_payload_map, tr, 0); if (err != 0) @@ -805,6 +808,10 @@ _nvme_qpair_submit_request(struct nvme_q break; #ifdef NVME_UNMAPPED_BIO_SUPPORT case NVME_REQUEST_BIO: + KASSERT(req->u.bio->bio_bcount <= qpair->ctrlr->max_xfer_size, + ("bio->bio_bcount (%jd) exceeds max_xfer_size (%d)\n", + (intmax_t)req->u.bio->bio_bcount, + qpair->ctrlr->max_xfer_size)); err = bus_dmamap_load_bio(tr->qpair->dma_tag, tr->payload_dma_map, req->u.bio, nvme_payload_map, tr, 0); if (err != 0)
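Review bot: In the nvme_ctrlr.c hunk at nvme_ctrlr_passthrough_cmd, the new pt->len check calls nvme_printf on every rejected command, and since the log message says these commands come in from userspace, any caller that can issue passthrough commands can flood the kernel log by repeating an oversized request; rate-limit the message or drop it and rely on the error return. EIO also reads as a device failure when the problem is a bad argument, so EINVAL would be easier for callers to act on, and style(9) wants the value parenthesized, as in "return (EINVAL);". Both values are printed with %d, so confirm that matches the declared types of pt->len and ctrlr->max_xfer_size.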
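Review bot: In the nvme_qpair.c hunk under case NVME_REQUEST_VADDR, the size limit is enforced only by KASSERT, which is compiled out of kernels built without INVARIANTS, so on a production kernel an oversized req->payload_size from an in-kernel caller still reaches bus_dmamap_load. If that case cannot be handled safely there, fail the request with an error at this point as the passthrough path now does, or add a comment stating that callers are responsible for staying within max_xfer_size.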
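Review bot: In the nvme_qpair.c hunk under case NVME_REQUEST_BIO, the KASSERT message ends in "\n", as does the one added for NVME_REQUEST_VADDR; panic strings normally carry no trailing newline, so drop it from both. This assert also exists only when NVME_UNMAPPED_BIO_SUPPORT is defined, so a one-line comment saying which check covers bios in the other configuration would help, since that is not visible from this hunk.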