
[Qemu-commits] [qemu/qemu] 9c62f1: hw/block/nvme: fix potential overflow


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 9c62f1: hw/block/nvme: fix potential overflow
Date: Thu, 18 Mar 2021 13:01:19 -0700

  Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: 9c62f1efa854e66ebb0650d85918e4fecd3ec648
      
https://github.com/qemu/qemu/commit/9c62f1efa854e66ebb0650d85918e4fecd3ec648
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme.c

  Log Message:
  -----------
  hw/block/nvme: fix potential overflow

page_size is a uint32_t, and zasl is a uint8_t, so the expression
`page_size << zasl` is done using 32-bit arithmetic and might overflow.
Since we then compare this against a 64 bit data_size value, Coverity
complains that we might overflow unintentionally. An MDTS/ZASL value in
excess of 4GiB is probably impractical, but it is not entirely
unrealistic, so add a cast such that we handle that case properly.

Fixes: 578d914b263c ("hw/block/nvme: align zoned.zasl with mdts")
Fixes: CID 1450756
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
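
The arithmetic behind the fix, as an added example that is not QEMU code: `page_size` and `zasl` mirror the two controller fields the commit message names, but the function names and the exact shape of the data-size comparison are assumptions. The narrow variant evaluates the shift the way the pre-fix code did, the wide variant adds the cast; the same pattern applies to every `page_size << n` limit the controller derives (MDTS, and the non-MDTS Verify limit added later in this pull).

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code. page_size and zasl mirror the NvmeCtrl
 * fields named in the commit message; the shape of the check is assumed. */

/* The pre-fix expression: uint32_t << uint8_t is evaluated as a 32-bit
 * unsigned shift, so a limit of 4 GiB or more wraps modulo 2^32 (for a
 * power-of-two page size it wraps to exactly 0) before being widened. */
uint64_t zasl_limit_narrow(uint32_t page_size, uint8_t zasl)
{
    uint32_t limit32 = page_size << zasl;
    return limit32;
}

/* The fixed expression: casting the left operand first makes the shift
 * 64-bit, so the same inputs give the intended value. */
uint64_t zasl_limit_wide(uint32_t page_size, uint8_t zasl)
{
    return (uint64_t)page_size << zasl;
}

/* Assumed shape of the comparison the message refers to: the 64-bit
 * data_size of a Zone Append is accepted only if it is within the limit. */
bool zone_append_size_ok(uint64_t data_size, uint64_t limit)
{
    return data_size <= limit;
}

int main(void)
{
    uint32_t page_size = 4096;     /* MPS = 0 */
    uint8_t zasl = 20;             /* 4096 << 20 = 4 GiB, the first value that wraps */
    uint64_t data_size = 1u << 20; /* a 1 MiB Zone Append */

    printf("narrow: limit=%llu accepted=%d\n",
           (unsigned long long)zasl_limit_narrow(page_size, zasl),
           zone_append_size_ok(data_size, zasl_limit_narrow(page_size, zasl)));
    printf("wide:   limit=%llu accepted=%d\n",
           (unsigned long long)zasl_limit_wide(page_size, zasl),
           zone_append_size_ok(data_size, zasl_limit_wide(page_size, zasl)));
    return 0;
}
```

With a 4 KiB page and `zasl = 20` the narrow limit is 0, so every non-empty Zone Append would be rejected; the wide limit is 4 GiB. The cast only fixes the wrap: a shift count of 64 or more is still undefined behaviour in C, so the exponent itself has to be bounded separately before it reaches this expression.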


  Commit: 3921756dee6dd7beb7b60167f368e8b981c77365
      
https://github.com/qemu/qemu/commit/3921756dee6dd7beb7b60167f368e8b981c77365
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme-subsys.c
    M hw/block/nvme-subsys.h
    M hw/block/nvme.h

  Log Message:
  -----------
  hw/block/nvme: assert namespaces array indices

Coverity complains about a possible memory corruption in the
nvme_ns_attach and _detach functions. While we should not (famous last
words) be able to reach this function without nsid having previously
been validated, this is still an open door for future misuse.

Make Coverity and maintainers happy by asserting that the index into the
array is valid. Also, while not detected by Coverity (yet), add an
assert in nvme_subsys_ns and nvme_subsys_register_ns as well since a
similar issue exists there.

Fixes: 037953b5b299 ("hw/block/nvme: support namespace detach")
Fixes: CID 1450757
Fixes: CID 1450758
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
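
The pattern the commit describes, as an added example that is not QEMU code: a guest-supplied nsid is validated once at the command boundary and rejected with a status code, while the internal helpers that index the namespaces array assert the range rather than trusting their callers. The array size, the direct-by-nsid indexing, the `STATUS_*` values and all function names are assumptions made for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code. The array size, the direct-by-nsid
 * indexing and the status values are assumptions for the example. */
#define SUBSYS_MAX_NAMESPACES 32
#define STATUS_SUCCESS        0x0000
#define STATUS_INVALID_NSID   0x000b /* NVMe "Invalid Namespace or Format" */

struct ns { uint32_t nsid; };

struct subsys {
    /* indexed by nsid: slot 0 unused, slot SUBSYS_MAX_NAMESPACES valid */
    struct ns *namespaces[SUBSYS_MAX_NAMESPACES + 1];
};

/* Single definition of the valid range. An out-of-range nsid here means
 * a caller skipped validation, which the helpers below treat as a bug. */
static bool nsid_in_range(uint32_t nsid)
{
    return nsid >= 1 && nsid <= SUBSYS_MAX_NAMESPACES;
}

/* Internal helpers: assert rather than silently index out of bounds.
 * Without the assert, nsid = 0xffffffff would address 32 GiB past the
 * array on a 64-bit host. */
struct ns *subsys_ns(struct subsys *s, uint32_t nsid)
{
    assert(nsid_in_range(nsid));
    return s->namespaces[nsid];
}

void subsys_ns_attach(struct subsys *s, struct ns *ns)
{
    assert(nsid_in_range(ns->nsid));
    s->namespaces[ns->nsid] = ns;
}

void subsys_ns_detach(struct subsys *s, uint32_t nsid)
{
    assert(nsid_in_range(nsid));
    s->namespaces[nsid] = NULL;
}

/* Guest-facing boundary: the nsid comes from the command, so it is
 * validated and rejected with a status code here, before any asserting
 * helper runs. */
uint16_t handle_ns_attach(struct subsys *s, struct ns *ns, uint32_t cmd_nsid)
{
    if (ns == NULL || !nsid_in_range(cmd_nsid)) {
        return STATUS_INVALID_NSID;
    }
    ns->nsid = cmd_nsid;
    subsys_ns_attach(s, ns);
    return STATUS_SUCCESS;
}

uint16_t handle_ns_detach(struct subsys *s, uint32_t cmd_nsid)
{
    /* short-circuit keeps subsys_ns() from seeing an unvalidated nsid */
    if (!nsid_in_range(cmd_nsid) || subsys_ns(s, cmd_nsid) == NULL) {
        return STATUS_INVALID_NSID;
    }
    subsys_ns_detach(s, cmd_nsid);
    return STATUS_SUCCESS;
}

/* Scenario helpers on a fresh subsystem, returning the final status. */
uint16_t try_attach(uint32_t cmd_nsid)
{
    struct subsys s = {{ NULL }};
    struct ns ns = { 0 };
    return handle_ns_attach(&s, &ns, cmd_nsid);
}

uint16_t try_attach_detach(uint32_t attach_nsid, uint32_t detach_nsid)
{
    struct subsys s = {{ NULL }};
    struct ns ns = { 0 };
    if (handle_ns_attach(&s, &ns, attach_nsid) != STATUS_SUCCESS) {
        return STATUS_INVALID_NSID;
    }
    return handle_ns_detach(&s, detach_nsid);
}

int main(void)
{
    printf("attach nsid 0: 0x%04x, nsid 33: 0x%04x, nsid 7: 0x%04x\n",
           try_attach(0), try_attach(33), try_attach(7));
    return 0;
}
```

The assert is defence in depth, not the guest-facing check: an assertion failure still takes the whole VM down, which is preferable to silent memory corruption but is not a substitute for the status-code rejection at the boundary.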


  Commit: 3754df04ec291b933c18285210793d02c9d9787a
      
https://github.com/qemu/qemu/commit/3754df04ec291b933c18285210793d02c9d9787a
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme.c

  Log Message:
  -----------
  hw/block/nvme: fix zone management receive reporting too many zones

nvme_zone_mgmt_recv uses nvme_ns_nlbas() to get the number of LBAs in
the namespace and then calculates the number of zones to report by
incrementing slba with ZSZE until exceeding the number of LBAs as
returned by nvme_ns_nlbas().

This is bad because the namespace might be of such a size that some
LBAs are valid, but are not part of any zone, causing zone management
receive to report one additional (but non-existing) zone.

Fix this with a conventional loop on i < ns->num_zones instead.

Fixes: a479335bfaf3 ("hw/block/nvme: Support Zoned Namespace Command Set")
Cc: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
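
Both enumerations side by side, as an added example that is not QEMU code: the geometry fields stand in for what `nvme_ns_nlbas()` and `ns->num_zones` provide, zone capacity is simplified to equal the zone size, and the function names and the `MAX_DESC` report buffer are assumptions. A namespace of 1000 blocks with 256-block zones lays out three zones and leaves 232 trailing blocks in no zone; the slba-stepping loop produces a fourth descriptor whose range runs past the end of the namespace.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code. The geometry fields stand in for what
 * nvme_ns_nlbas() and ns->num_zones provide; zone capacity is simplified
 * to equal the zone size and MAX_DESC is an arbitrary report buffer. */
#define MAX_DESC 64

struct zns {
    uint64_t nlbas;     /* logical blocks in the namespace */
    uint64_t zsze;      /* zone size in logical blocks */
    uint32_t num_zones; /* zones laid out at init: nlbas / zsze, remainder unused */
};

struct zone_desc {
    uint64_t zslba; /* zone start LBA */
    uint64_t zcap;  /* zone capacity in LBAs */
};

struct zns make_zns(uint64_t nlbas, uint64_t zsze)
{
    struct zns ns;
    ns.nlbas = nlbas;
    ns.zsze = zsze;
    ns.num_zones = (uint32_t)(nlbas / zsze);
    return ns;
}

/* Pre-fix enumeration: advance slba by zsze while it is below nlbas. If
 * nlbas is not a multiple of zsze the final iteration starts inside the
 * trailing LBAs that exist but belong to no zone, so one descriptor too
 * many is produced. */
uint32_t report_by_slba(const struct zns *ns, struct zone_desc *out, uint32_t max)
{
    uint32_t n = 0;
    for (uint64_t slba = 0; slba < ns->nlbas && n < max; slba += ns->zsze) {
        out[n].zslba = slba;
        out[n].zcap = ns->zsze;
        n++;
    }
    return n;
}

/* Fixed enumeration: iterate i < num_zones, as the commit does. */
uint32_t report_by_index(const struct zns *ns, struct zone_desc *out, uint32_t max)
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < ns->num_zones && n < max; i++) {
        out[n].zslba = (uint64_t)i * ns->zsze;
        out[n].zcap = ns->zsze;
        n++;
    }
    return n;
}

/* 1 if any descriptor covers LBAs past the end of the namespace. */
int has_phantom_zone(const struct zns *ns, const struct zone_desc *d, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++) {
        if (d[i].zslba + d[i].zcap > ns->nlbas) {
            return 1;
        }
    }
    return 0;
}

/* Helpers that run each enumeration on a given geometry. */
uint32_t zones_reported_old(uint64_t nlbas, uint64_t zsze)
{
    struct zns ns = make_zns(nlbas, zsze);
    struct zone_desc d[MAX_DESC];
    return report_by_slba(&ns, d, MAX_DESC);
}

uint32_t zones_reported_fixed(uint64_t nlbas, uint64_t zsze)
{
    struct zns ns = make_zns(nlbas, zsze);
    struct zone_desc d[MAX_DESC];
    return report_by_index(&ns, d, MAX_DESC);
}

int phantom_in_old_report(uint64_t nlbas, uint64_t zsze)
{
    struct zns ns = make_zns(nlbas, zsze);
    struct zone_desc d[MAX_DESC];
    uint32_t n = report_by_slba(&ns, d, MAX_DESC);
    return has_phantom_zone(&ns, d, n);
}

int phantom_in_fixed_report(uint64_t nlbas, uint64_t zsze)
{
    struct zns ns = make_zns(nlbas, zsze);
    struct zone_desc d[MAX_DESC];
    uint32_t n = report_by_index(&ns, d, MAX_DESC);
    return has_phantom_zone(&ns, d, n);
}

int main(void)
{
    printf("nlbas=1000 zsze=256: old reports %u zones, fixed reports %u\n",
           zones_reported_old(1000, 256), zones_reported_fixed(1000, 256));
    return 0;
}
```

The practical consequence is on the reading side: a host that walks the report and issues zone operations against the phantom descriptor ends up targeting LBAs that the controller never assigned to a zone, so the number of zones, not the number of LBAs, is the right loop bound.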


  Commit: bc3a65e99254cfe001bd16a569a5aa7d20f930e8
      
https://github.com/qemu/qemu/commit/bc3a65e99254cfe001bd16a569a5aa7d20f930e8
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme-ns.c
    M hw/block/nvme-ns.h
    M hw/block/nvme.c
    M hw/block/trace-events

  Log Message:
  -----------
  hw/block/nvme: add metadata support

Add support for metadata in the form of extended logical blocks as well
as a separate buffer of data. The new `ms` nvme-ns device parameter
specifies the size of metadata per logical block in bytes. The `mset`
nvme-ns device parameter controls whether metadata is transferred as part
of an extended lba (set to '1') or in a separate buffer (set to '0',
the default).

Regardless of the scheme chosen with `mset`, metadata is stored at the
end of the namespace backing block device. This requires the user
provided PRP/SGLs to be walked and "split" into data and metadata
scatter/gather lists if the extended logical block scheme is used, but
has the advantage of not breaking the deallocated blocks support.

Co-authored-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>


  Commit: 146f720c55637410062041f68dc908645cd18aaa
      
https://github.com/qemu/qemu/commit/146f720c55637410062041f68dc908645cd18aaa
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/meson.build
    A hw/block/nvme-dif.c
    A hw/block/nvme-dif.h
    M hw/block/nvme-ns.c
    M hw/block/nvme-ns.h
    M hw/block/nvme.c
    M hw/block/nvme.h
    M hw/block/trace-events
    M include/block/nvme.h

  Log Message:
  -----------
  hw/block/nvme: end-to-end data protection

Add support for namespaces formatted with protection information. The
type of end-to-end data protection (i.e. Type 1, Type 2 or Type 3) is
selected with the `pi` nvme-ns device parameter. If the number of
metadata bytes is larger than 8, the `pil` nvme-ns device parameter may
be used to control the location of the 8-byte DIF tuple. The default
`pil` value of '0' causes the DIF tuple to be transferred as the last
8 bytes of the metadata. Set to 1 to store this in the first eight bytes
instead.

Co-authored-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
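
The two layouts described by the metadata commit and the end-to-end data protection commit above, as one added example that is not QEMU code: the backing-file offsets that follow from "data first, metadata at the end", the split of an extended LBA (`mset=1`) into its data and metadata parts, the placement of the 8-byte DIF tuple selected by `pil`, and a Type 1 check that recomputes the guard (CRC-16/T10-DIF) and compares the reference tag with the LBA. `lbasz`, `ms`, `pi` and `pil` stand in for the nvme-ns parameters named in the messages; `nlbas`, the error bit values and every function name are assumptions.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU code. lbasz, ms, pi and pil stand in for the
 * nvme-ns parameters the commit messages describe; nlbas and the error
 * bit values are constructed for the example. */
struct ns_fmt {
    uint64_t nlbas; /* blocks in the namespace */
    uint32_t lbasz; /* data bytes per block (from lbads) */
    uint32_t ms;    /* metadata bytes per block */
    uint8_t  pi;    /* 0 = none, 1/2/3 = protection type */
    uint8_t  pil;   /* 0: tuple is the last 8 metadata bytes, 1: the first 8 */
};

/* Backing-file layout: all data blocks first, all metadata after them. */
uint64_t data_offset(uint32_t lbasz, uint64_t lba) { return lba * lbasz; }
uint64_t meta_offset(uint64_t nlbas, uint32_t lbasz, uint32_t ms, uint64_t lba)
{
    return nlbas * lbasz + lba * ms;
}

/* Offset of the 8-byte DIF tuple within one block's metadata. */
uint32_t dif_offset(uint32_t ms, uint8_t pil) { return pil ? 0 : ms - 8; }

/* mset=1 layout: each block arrives as data immediately followed by its
 * metadata; the two parts are stored separately. */
void split_extended_lba(const struct ns_fmt *f, const uint8_t *ext,
                        uint8_t *data, uint8_t *meta)
{
    memcpy(data, ext, f->lbasz);
    memcpy(meta, ext + f->lbasz, f->ms);
}

/* CRC-16/T10-DIF: polynomial 0x8BB7, init 0, no reflection, no final XOR. */
uint16_t crc_t10dif(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(buf[i] << 8);
        for (int b = 0; b < 8; b++) {
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x8BB7)
                                 : (uint16_t)(crc << 1);
        }
    }
    return crc;
}

/* Write the tuple (guard, app tag, ref tag; big-endian) for the block at
 * lba. Type 1 uses the low 32 bits of the LBA as the reference tag. */
void dif_generate(const struct ns_fmt *f, uint64_t lba, const uint8_t *data,
                  uint8_t *meta, uint16_t apptag)
{
    uint8_t *t = meta + dif_offset(f->ms, f->pil);
    uint16_t guard = crc_t10dif(data, f->lbasz);
    uint32_t reftag = (uint32_t)lba;
    t[0] = (uint8_t)(guard >> 8);   t[1] = (uint8_t)guard;
    t[2] = (uint8_t)(apptag >> 8);  t[3] = (uint8_t)apptag;
    t[4] = (uint8_t)(reftag >> 24); t[5] = (uint8_t)(reftag >> 16);
    t[6] = (uint8_t)(reftag >> 8);  t[7] = (uint8_t)reftag;
}

/* Type 1 check on a block read back. Returns 0 on success, else
 * constructed error bits: 1 = guard mismatch, 2 = reference tag mismatch. */
int dif_verify_type1(const struct ns_fmt *f, uint64_t lba, const uint8_t *data,
                     const uint8_t *meta)
{
    const uint8_t *t = meta + dif_offset(f->ms, f->pil);
    uint16_t guard = (uint16_t)(t[0] << 8 | t[1]);
    uint32_t reftag = (uint32_t)t[4] << 24 | (uint32_t)t[5] << 16 |
                      (uint32_t)t[6] << 8 | t[7];
    int err = 0;
    if (guard != crc_t10dif(data, f->lbasz)) err |= 1;
    if (reftag != (uint32_t)lba) err |= 2;
    return err;
}

/* Round trip on a constructed 512+16 byte extended LBA at LBA 42: split,
 * generate, verify clean, then verify with a flipped data byte and with the
 * wrong LBA. Returns bits: 1 = clean verify passed, 2 = corruption caught,
 * 4 = misplaced block caught. */
int demo_roundtrip(uint8_t pil)
{
    struct ns_fmt f = { 1024, 512, 16, 1, pil };
    uint8_t ext[512 + 16], data[512], meta[16];
    int res = 0;
    for (int i = 0; i < 512; i++) ext[i] = (uint8_t)(i * 7 + 3);
    memset(ext + 512, 0, 16);
    split_extended_lba(&f, ext, data, meta);
    dif_generate(&f, 42, data, meta, 0x1234);
    if (dif_verify_type1(&f, 42, data, meta) == 0) res |= 1;
    data[100] ^= 0x01;
    if (dif_verify_type1(&f, 42, data, meta) & 1) res |= 2;
    data[100] ^= 0x01;
    if (dif_verify_type1(&f, 43, data, meta) & 2) res |= 4;
    return res;
}
```

The reference-tag comparison is what makes Type 1 catch a block returned from the wrong LBA, which a guard alone cannot; Type 2 takes the expected tag from the command instead, and Type 3 does not check it. Two things the example leaves out that an implementation must handle: the spec disables the checks for a block whose application tag is 0xFFFF (Types 1 and 2), and `dif_offset` assumes `ms >= 8`, which has to be enforced when the namespace is configured or formatted.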


  Commit: 3e1da158c47f3a6f5d48794f99fe01096531ec2e
      
https://github.com/qemu/qemu/commit/3e1da158c47f3a6f5d48794f99fe01096531ec2e
  Author: Gollu Appalanaidu <anaidu.gollu@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme-dif.c
    M hw/block/nvme-dif.h
    M hw/block/nvme.c
    M hw/block/nvme.h
    M hw/block/trace-events
    M include/block/nvme.h

  Log Message:
  -----------
  hw/block/nvme: add verify command

See NVM Express 1.4, section 6.14 ("Verify Command").

Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
[k.jensen: rebased, refactored for e2e]
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>


  Commit: f7dcd31885cbe801cac95536a279bbc7e55af4f6
      
https://github.com/qemu/qemu/commit/f7dcd31885cbe801cac95536a279bbc7e55af4f6
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme.c
    M hw/block/nvme.h

  Log Message:
  -----------
  hw/block/nvme: add non-mdts command size limit for verify

Verify is not subject to MDTS, so a single Verify command may result in
excessive amounts of allocated memory. Impose a limit on the data size
by adding support for TP 4040 ("Non-MDTS Command Size Limits").

Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>


  Commit: 6a674bc295527c9acb1404b85be8d225b5bbac9d
      
https://github.com/qemu/qemu/commit/6a674bc295527c9acb1404b85be8d225b5bbac9d
  Author: Minwoo Im <minwoo.im@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme-ns.c

  Log Message:
  -----------
  hw/block/nvme: support multiple lba formats

This patch introduces multiple LBA formats supported with the typical
logical block sizes of 512 bytes and 4096 bytes as well as metadata
sizes of 0, 8, 16 and 64 bytes. The format will be chosen based on the
lbads and ms parameters of the nvme-ns device.

Signed-off-by: Minwoo Im <minwoo.im@samsung.com>
[k.jensen: resurrected and rebased]
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>


  Commit: 397fbb5b32558dd2b5cd35cb4d25126879384079
      
https://github.com/qemu/qemu/commit/397fbb5b32558dd2b5cd35cb4d25126879384079
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme-ns.c
    M hw/block/nvme-ns.h

  Log Message:
  -----------
  hw/block/nvme: prefer runtime helpers instead of device parameters

In preparation for Format NVM support, use runtime helpers instead of
the constant device parameters when getting lba size information etc.

Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>


  Commit: 516990f4df4f7bf9f86d38af71ead7175df15c19
      
https://github.com/qemu/qemu/commit/516990f4df4f7bf9f86d38af71ead7175df15c19
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme-ns.c

  Log Message:
  -----------
  hw/block/nvme: pull lba format initialization

Pull lba format initialization code into separate function in
preparation for Format NVM support.

Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>


  Commit: dc04d25e2f3f7e26f7f97b860992076b5f04afdb
      
https://github.com/qemu/qemu/commit/dc04d25e2f3f7e26f7f97b860992076b5f04afdb
  Author: Minwoo Im <minwoo.im@samsung.com>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/nvme-ns.c
    M hw/block/nvme-ns.h
    M hw/block/nvme.c
    M hw/block/nvme.h
    M hw/block/trace-events
    M include/block/nvme.h

  Log Message:
  -----------
  hw/block/nvme: add support for the format nvm command

The Format NVM admin command can make a namespace or namespaces have a
different LBA size and metadata size, with protection information
types.

This patch introduces the Format NVM command with LBA format, Metadata, and
Protection Information for the device. The secure erase operation
and support for formatting zoned namespaces are yet to be added.

The parameter checks inside this patch have been taken from
Keith's old branch.

Signed-off-by: Minwoo Im <minwoo.im@samsung.com>
[anaidu.gollu: rebased on e2e]
Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
[k.jensen: rebased for reworked aio tracking]
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>


  Commit: 8a40754bca14df63c6d2ffe473b68a270dc50679
      
https://github.com/qemu/qemu/commit/8a40754bca14df63c6d2ffe473b68a270dc50679
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2021-03-18 (Thu, 18 Mar 2021)

  Changed paths:
    M hw/block/meson.build
    A hw/block/nvme-dif.c
    A hw/block/nvme-dif.h
    M hw/block/nvme-ns.c
    M hw/block/nvme-ns.h
    M hw/block/nvme-subsys.c
    M hw/block/nvme-subsys.h
    M hw/block/nvme.c
    M hw/block/nvme.h
    M hw/block/trace-events
    M include/block/nvme.h

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/nvme/tags/nvme-next-pull-request' into staging

emulated nvme updates and fixes

* fixes for Coverity CID 1450756, 1450757 and 1450758 (me)
* fix for a bug in zone management receive (me)
* metadata and end-to-end data protection support (me & Gollu Appalanaidu)
* verify support (Gollu Appalanaidu)
* multiple lba formats and format nvm support (Minwoo Im)

and a couple of misc refactorings from me.

v2:
  - remove an unintended submodule update. Argh.

# gpg: Signature made Thu 18 Mar 2021 11:53:48 GMT
# gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <its@irrelevant.dk>" [unknown]
# gpg:                 aka "Klaus Jensen <k.jensen@samsung.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
#      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9

* remotes/nvme/tags/nvme-next-pull-request:
  hw/block/nvme: add support for the format nvm command
  hw/block/nvme: pull lba format initialization
  hw/block/nvme: prefer runtime helpers instead of device parameters
  hw/block/nvme: support multiple lba formats
  hw/block/nvme: add non-mdts command size limit for verify
  hw/block/nvme: add verify command
  hw/block/nvme: end-to-end data protection
  hw/block/nvme: add metadata support
  hw/block/nvme: fix zone management receive reporting too many zones
  hw/block/nvme: assert namespaces array indices
  hw/block/nvme: fix potential overflow

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/1b507e55f819...8a40754bca14


