[Qemu-commits] [qemu/qemu] 9c62f1: hw/block/nvme: fix potential overflow
From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 9c62f1: hw/block/nvme: fix potential overflow
Date: Thu, 18 Mar 2021 13:01:19 -0700
Branch: refs/heads/staging
Home: https://github.com/qemu/qemu
Commit: 9c62f1efa854e66ebb0650d85918e4fecd3ec648
https://github.com/qemu/qemu/commit/9c62f1efa854e66ebb0650d85918e4fecd3ec648
Author: Klaus Jensen <k.jensen@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme.c
Log Message:
-----------
hw/block/nvme: fix potential overflow
page_size is a uint32_t, and zasl is a uint8_t, so the expression
`page_size << zasl` is done using 32-bit arithmetic and might overflow.
Since we then compare this against a 64 bit data_size value, Coverity
complains that we might overflow unintentionally. An MDTS/ZASL value in
excess of 4GiB is probably impractical, but it is not entirely
unrealistic, so add a cast such that we handle that case properly.
Fixes: 578d914b263c ("hw/block/nvme: align zoned.zasl with mdts")
Fixes: CID 1450756
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Commit: 3921756dee6dd7beb7b60167f368e8b981c77365
https://github.com/qemu/qemu/commit/3921756dee6dd7beb7b60167f368e8b981c77365
Author: Klaus Jensen <k.jensen@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme-subsys.c
M hw/block/nvme-subsys.h
M hw/block/nvme.h
Log Message:
-----------
hw/block/nvme: assert namespaces array indices
Coverity complains about a possible memory corruption in the
nvme_ns_attach and _detach functions. While we should not (famous last
words) be able to reach this function without nsid having previously
been validated, this is still an open door for future misuse.
Make Coverity and maintainers happy by asserting that the index into the
array is valid. Also, while not detected by Coverity (yet), add an
assert in nvme_subsys_ns and nvme_subsys_register_ns as well since a
similar issue exists there.
Fixes: 037953b5b299 ("hw/block/nvme: support namespace detach")
Fixes: CID 1450757
Fixes: CID 1450758
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Commit: 3754df04ec291b933c18285210793d02c9d9787a
https://github.com/qemu/qemu/commit/3754df04ec291b933c18285210793d02c9d9787a
Author: Klaus Jensen <k.jensen@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme.c
Log Message:
-----------
hw/block/nvme: fix zone management receive reporting too many zones
nvme_zone_mgmt_recv uses nvme_ns_nlbas() to get the number of LBAs in
the namespace and then calculates the number of zones to report by
incrementing slba with ZSZE until exceeding the number of LBAs as
returned by nvme_ns_nlbas().
This is bad because the namespace might be of such a size that some
LBAs are valid, but are not part of any zone, causing zone management
receive to report one additional (but non-existing) zone.
Fix this with a conventional loop on i < ns->num_zones instead.
Fixes: a479335bfaf3 ("hw/block/nvme: Support Zoned Namespace Command Set")
Cc: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Commit: bc3a65e99254cfe001bd16a569a5aa7d20f930e8
https://github.com/qemu/qemu/commit/bc3a65e99254cfe001bd16a569a5aa7d20f930e8
Author: Klaus Jensen <k.jensen@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme-ns.c
M hw/block/nvme-ns.h
M hw/block/nvme.c
M hw/block/trace-events
Log Message:
-----------
hw/block/nvme: add metadata support
Add support for metadata in the form of extended logical blocks as well
as a separate buffer of data. The new `ms` nvme-ns device parameter
specifies the size of metadata per logical block in bytes. The `mset`
nvme-ns device parameter controls whether metadata is transferred as part
of an extended lba (set to '1') or in a separate buffer (set to '0',
the default).
Regardless of the scheme chosen with `mset`, metadata is stored at the
end of the namespace backing block device. This requires the user
provided PRP/SGLs to be walked and "split" into data and metadata
scatter/gather lists if the extended logical block scheme is used, but
has the advantage of not breaking the deallocated blocks support.
Co-authored-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Commit: 146f720c55637410062041f68dc908645cd18aaa
https://github.com/qemu/qemu/commit/146f720c55637410062041f68dc908645cd18aaa
Author: Klaus Jensen <k.jensen@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/meson.build
A hw/block/nvme-dif.c
A hw/block/nvme-dif.h
M hw/block/nvme-ns.c
M hw/block/nvme-ns.h
M hw/block/nvme.c
M hw/block/nvme.h
M hw/block/trace-events
M include/block/nvme.h
Log Message:
-----------
hw/block/nvme: end-to-end data protection
Add support for namespaces formatted with protection information. The
type of end-to-end data protection (i.e. Type 1, Type 2 or Type 3) is
selected with the `pi` nvme-ns device parameter. If the number of
metadata bytes is larger than 8, the `pil` nvme-ns device parameter may
be used to control the location of the 8-byte DIF tuple. The default
`pil` value of '0', causes the DIF tuple to be transferred as the last
8 bytes of the metadata. Set to 1 to store this in the first eight bytes
instead.
Co-authored-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Commit: 3e1da158c47f3a6f5d48794f99fe01096531ec2e
https://github.com/qemu/qemu/commit/3e1da158c47f3a6f5d48794f99fe01096531ec2e
Author: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme-dif.c
M hw/block/nvme-dif.h
M hw/block/nvme.c
M hw/block/nvme.h
M hw/block/trace-events
M include/block/nvme.h
Log Message:
-----------
hw/block/nvme: add verify command
See NVM Express 1.4, section 6.14 ("Verify Command").
Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
[k.jensen: rebased, refactored for e2e]
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Commit: f7dcd31885cbe801cac95536a279bbc7e55af4f6
https://github.com/qemu/qemu/commit/f7dcd31885cbe801cac95536a279bbc7e55af4f6
Author: Klaus Jensen <k.jensen@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme.c
M hw/block/nvme.h
Log Message:
-----------
hw/block/nvme: add non-mdts command size limit for verify
Verify is not subject to MDTS, so a single Verify command may result in
excessive amounts of allocated memory. Impose a limit on the data size
by adding support for TP 4040 ("Non-MDTS Command Size Limits").
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Commit: 6a674bc295527c9acb1404b85be8d225b5bbac9d
https://github.com/qemu/qemu/commit/6a674bc295527c9acb1404b85be8d225b5bbac9d
Author: Minwoo Im <minwoo.im@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme-ns.c
Log Message:
-----------
hw/block/nvme: support multiple lba formats
This patch introduces multiple LBA formats supported with the typical
logical block sizes of 512 bytes and 4096 bytes as well as metadata
sizes of 0, 8, 16 and 64 bytes. The format will be chosen based on the
lbads and ms parameters of the nvme-ns device.
Signed-off-by: Minwoo Im <minwoo.im@samsung.com>
[k.jensen: resurrected and rebased]
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Commit: 397fbb5b32558dd2b5cd35cb4d25126879384079
https://github.com/qemu/qemu/commit/397fbb5b32558dd2b5cd35cb4d25126879384079
Author: Klaus Jensen <k.jensen@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme-ns.c
M hw/block/nvme-ns.h
Log Message:
-----------
hw/block/nvme: prefer runtime helpers instead of device parameters
In preparation for Format NVM support, use runtime helpers instead of
the constant device parameters when getting lba size information etc.
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
Commit: 516990f4df4f7bf9f86d38af71ead7175df15c19
https://github.com/qemu/qemu/commit/516990f4df4f7bf9f86d38af71ead7175df15c19
Author: Klaus Jensen <k.jensen@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme-ns.c
Log Message:
-----------
hw/block/nvme: pull lba format initialization
Pull lba format initialization code into separate function in
preparation for Format NVM support.
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
Commit: dc04d25e2f3f7e26f7f97b860992076b5f04afdb
https://github.com/qemu/qemu/commit/dc04d25e2f3f7e26f7f97b860992076b5f04afdb
Author: Minwoo Im <minwoo.im@samsung.com>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/nvme-ns.c
M hw/block/nvme-ns.h
M hw/block/nvme.c
M hw/block/nvme.h
M hw/block/trace-events
M include/block/nvme.h
Log Message:
-----------
hw/block/nvme: add support for the format nvm command
Format NVM admin command can make a namespace or namespaces to be
with different LBA size and metadata size with protection information
types.
This patch introduces Format NVM command with LBA format, Metadata, and
Protection Information for the device. The secure erase operation things
and support for formatting zoned namespaces are yet to be added.
The parameter checks inside of this patch have been referred from
Keith's old branch.
Signed-off-by: Minwoo Im <minwoo.im@samsung.com>
[anaidu.gollu: rebased on e2e]
Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
[k.jensen: rebased for reworked aio tracking]
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Commit: 8a40754bca14df63c6d2ffe473b68a270dc50679
https://github.com/qemu/qemu/commit/8a40754bca14df63c6d2ffe473b68a270dc50679
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2021-03-18 (Thu, 18 Mar 2021)
Changed paths:
M hw/block/meson.build
A hw/block/nvme-dif.c
A hw/block/nvme-dif.h
M hw/block/nvme-ns.c
M hw/block/nvme-ns.h
M hw/block/nvme-subsys.c
M hw/block/nvme-subsys.h
M hw/block/nvme.c
M hw/block/nvme.h
M hw/block/trace-events
M include/block/nvme.h
Log Message:
-----------
Merge remote-tracking branch 'remotes/nvme/tags/nvme-next-pull-request' into
staging
emulated nvme updates and fixes
* fixes for Coverity CID 1450756, 1450757 and 1450758 (me)
* fix for a bug in zone management receive (me)
* metadata and end-to-end data protection support (me & Gollu Appalanaidu)
* verify support (Gollu Appalanaidu)
* multiple lba formats and format nvm support (Minwoo Im)
and a couple of misc refactorings from me.
v2:
- remove an unintended submodule update. Argh.
# gpg: Signature made Thu 18 Mar 2021 11:53:48 GMT
# gpg: using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <its@irrelevant.dk>" [unknown]
# gpg: aka "Klaus Jensen <k.jensen@samsung.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468 4272 63D5 6FC5 E55D A838
# Subkey fingerprint: 5228 33AA 75E2 DCE6 A247 66C0 4DE1 AF31 6D4F 0DE9
* remotes/nvme/tags/nvme-next-pull-request:
hw/block/nvme: add support for the format nvm command
hw/block/nvme: pull lba format initialization
hw/block/nvme: prefer runtime helpers instead of device parameters
hw/block/nvme: support multiple lba formats
hw/block/nvme: add non-mdts command size limit for verify
hw/block/nvme: add verify command
hw/block/nvme: end-to-end data protection
hw/block/nvme: add metadata support
hw/block/nvme: fix zone management receive reporting too many zones
hw/block/nvme: assert namespaces array indices
hw/block/nvme: fix potential overflow
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare: https://github.com/qemu/qemu/compare/1b507e55f819...8a40754bca14
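Added example, not part of the commits above and not QEMU code: the 32-bit shift described in "hw/block/nvme: fix potential overflow", next to the widened form the fix describes. The function names, the `data_size > limit` check and the input values are constructed for illustration; the shift counts stay below 32 so the narrow version shows defined wraparound.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Limit computed as the commit message describes the defect: page_size is
 * a uint32_t, so the shift is evaluated in 32 bits and the high bits are
 * lost before the result is widened for the 64-bit comparison. */
static uint64_t limit_32bit(uint32_t page_size, uint8_t zasl)
{
    return page_size << zasl;            /* wraps modulo 2^32 */
}

/* Same limit with the left operand widened before the shift (the cast). */
static uint64_t limit_64bit(uint32_t page_size, uint8_t zasl)
{
    return (uint64_t)page_size << zasl;
}

/* Hypothetical size check: true when the transfer is larger than the limit. */
static bool exceeds_limit(uint64_t data_size, uint64_t limit)
{
    return data_size > limit;
}

int main(void)
{
    /* Constructed inputs: 4 KiB pages, a 1 MiB transfer. */
    const uint32_t page_size = 4096;
    const uint64_t data_size = 1024 * 1024;
    const uint8_t shifts[] = { 5, 20, 21 };  /* 128 KiB, 4 GiB, 8 GiB */

    for (size_t i = 0; i < sizeof(shifts); i++) {
        uint64_t narrow = limit_32bit(page_size, shifts[i]);
        uint64_t wide = limit_64bit(page_size, shifts[i]);
        printf("zasl=%2u  32-bit limit=%" PRIu64 "  64-bit limit=%" PRIu64
               "  rejected: %d vs %d\n", (unsigned)shifts[i], narrow, wide,
               exceeds_limit(data_size, narrow),
               exceeds_limit(data_size, wide));
    }
    return 0;
}
```

With these inputs the wrapped limit becomes 0 once the true limit reaches 4 GiB, so the narrow check rejects a 1 MiB transfer that the widened check accepts.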
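Added example, not part of the commits above and not QEMU code: the two loop shapes described in "hw/block/nvme: fix zone management receive reporting too many zones", run on a namespace whose size is not a multiple of the zone size. The descriptor struct, function names and sizes are constructed, and the zone count is assumed to be the number of whole zones (`nlbas / zsze`).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified zone descriptor; not QEMU's structure. */
struct zone_desc { uint64_t zslba; uint64_t len; };

/* Loop as the commit message describes the defect: advance slba by the
 * zone size and keep reporting while slba is below the LBA count. */
static size_t report_by_lba_walk(uint64_t nlbas, uint64_t zsze,
                                 struct zone_desc *out, size_t max)
{
    size_t n = 0;
    for (uint64_t slba = 0; slba < nlbas && n < max; slba += zsze) {
        out[n++] = (struct zone_desc){ .zslba = slba, .len = zsze };
    }
    return n;
}

/* Loop as the fix describes it: iterate over zone indices.
 * Assumption: num_zones counts whole zones only. */
static size_t report_by_index(uint64_t nlbas, uint64_t zsze,
                              struct zone_desc *out, size_t max)
{
    uint64_t num_zones = nlbas / zsze;
    size_t n = 0;
    for (uint64_t i = 0; i < num_zones && n < max; i++) {
        out[n++] = (struct zone_desc){ .zslba = i * zsze, .len = zsze };
    }
    return n;
}

/* Count reported zones that extend past the end of the namespace. */
static size_t phantom_zones(const struct zone_desc *z, size_t n, uint64_t nlbas)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (z[i].zslba + z[i].len > nlbas) bad++;
    }
    return bad;
}

int main(void)
{
    struct zone_desc z[8];
    uint64_t nlbas = 1000, zsze = 256;   /* constructed: 3 whole zones + 232 LBAs */
    size_t a = report_by_lba_walk(nlbas, zsze, z, 8);
    printf("lba walk: %zu zones, %zu phantom\n", a, phantom_zones(z, a, nlbas));
    size_t b = report_by_index(nlbas, zsze, z, 8);
    printf("by index: %zu zones, %zu phantom\n", b, phantom_zones(z, b, nlbas));
    return 0;
}
```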