[Linux-stable-mirror] Patch "nvme-pci: avoid hmb desc array idx out-of-bound when hmmaxd set." has been added to the 4.14-stable tree - Linux-stable-mirror

1 Feb 2018

This is a note to let you know that I've just added the patch titled
nvme-pci: avoid hmb desc array idx out-of-bound when hmmaxd set.
to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is:
     nvme-pci-avoid-hmb-desc-array-idx-out-of-bound-when-hmmaxd-set.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let stable@vger.kernel.org know about it.
...
From foo@baz Thu Feb  1 13:45:42 CET 2018
From: Minwoo Im minwoo.im.dev@gmail.com
Date: Fri, 17 Nov 2017 01:34:24 +0900
Subject: nvme-pci: avoid hmb desc array idx out-of-bound when hmmaxd set.
From: Minwoo Im minwoo.im.dev@gmail.com
[ Upstream commit 244a8fe40a09c218622eb9927b9090b0a9b73a1a ]
hmb descriptor idx out-of-bound occurs in case of below conditions.
preferred = 128MiB
chunk_size = 4MiB
hmmaxd = 1
Current code will not allow rmmod which will free hmb descriptors
to be done successfully in above case.
"descs[i]" will be set in for-loop without seeing any conditions
related to "max_entries" after a single "descs" was allocated by
(max_entries = 1) in this case.
Added a condition into for-loop to check index of descriptors.
Fixes: 044a9df1("nvme-pci: implement the HMB entry number and size limitations")
Signed-off-by: Minwoo Im minwoo.im.dev@gmail.com
Reviewed-by: Keith Busch keith.busch@intel.com
Signed-off-by: Christoph Hellwig hch@lst.de
Signed-off-by: Sasha Levin alexander.levin@verizon.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 drivers/nvme/host/pci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1645,7 +1645,7 @@ static int __nvme_alloc_host_mem(struct
    if (!bufs)
    	goto out_free_descs;
-	for (size = 0; size < preferred; size += len) {
+	for (size = 0; size < preferred && i < max_entries; size += len) {
    	dma_addr_t dma_addr;
len = min_t(u64, chunk_size, preferred - size);
Patches currently in stable-queue which might be from minwoo.im.dev@gmail.com are
queue-4.14/nvme-pci-avoid-hmb-desc-array-idx-out-of-bound-when-hmmaxd-set.patch
queue-4.14/nvme-pci-fix-null-pointer-dereference-in-nvme_free_host_mem.patch

    