On 10/13/2023 10:44 AM, Kanchan Joshi wrote:
A user can specify a smaller meta buffer than what the device is wired to update/access. The kernel makes a copy of the meta buffer into which the device does DMA. As a result, the device overwrites unrelated kernel memory, causing random kernel crashes.
The same issue is possible for the extended-LBA case too. When the user specifies a short unaligned buffer, the kernel makes a copy and uses that for DMA.
Detect these situations and prevent corruption for unprivileged user passthrough. No change to the status quo for privileged/root users.
Fixes: 63263d60e0f9 ("nvme: Use metadata for passthrough commands")
Since the change is only for the unprivileged user, I should have changed this 'Fixes:' to point to this patch instead:
5b7717f44b1 ("nvme: fine-granular CAP_SYS_ADMIN for nvme io commands")
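For anyone following along, here is an added illustration of the two length checks the description talks about (separate metadata buffer, and the extended-LBA interleaved case) together with the privileged/unprivileged policy. This is not the kernel patch; the function names, the enum and the parameter names (ms, nlb, lba_size) are my own assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative only: names and structure are assumptions, not the kernel's code.
 * ms       : metadata bytes per LBA that the device will DMA
 * lba_size : data bytes per LBA
 * nlb      : number of logical blocks covered by the command
 */
enum meta_check { META_OK, META_SHORT, META_UNALIGNED };

/* Separate-metadata case: the device writes nlb * ms metadata bytes into the
 * kernel copy of the buffer, so a user buffer shorter than that would let the
 * DMA run past the copy into unrelated kernel memory. */
enum meta_check check_separate_meta(size_t user_meta_len, uint32_t nlb,
				    uint32_t ms)
{
	size_t needed = (size_t)nlb * ms;

	return user_meta_len < needed ? META_SHORT : META_OK;
}

/* Extended-LBA case: metadata is interleaved with data, so the buffer must
 * cover whole (lba_size + ms) units; a short or unaligned length is flagged. */
enum meta_check check_extended_lba(size_t user_data_len, uint32_t nlb,
				   uint32_t lba_size, uint32_t ms)
{
	size_t unit = (size_t)lba_size + ms;
	size_t needed = (size_t)nlb * unit;

	if (user_data_len % unit)
		return META_UNALIGNED;
	return user_data_len < needed ? META_SHORT : META_OK;
}

/* Policy from the description: unprivileged users are refused when a check
 * fails; privileged/root users keep the status quo. */
bool passthru_allowed(enum meta_check rc, bool privileged)
{
	return rc == META_OK || privileged;
}
```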