diff mbox series

[1/2] hw/nvme/ctrl: Do not ignore DMA access errors

Message ID 20211216175510.884749-2-philmd@redhat.com (mailing list archive)
State New, archived
Headers show
Series hw/nvme: Fix CVE-2021-3929 (DMA re-entrancy exploitation) | expand

Commit Message

Philippe Mathieu-Daudé Dec. 16, 2021, 5:55 p.m. UTC 
dma_buf_read/dma_buf_write() return a MemTxResult type.
Do not discard it, propagate the DMA error to the caller.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 hw/nvme/ctrl.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Keith Busch Dec. 16, 2021, 6:01 p.m. UTC | #1 
On Thu, Dec 16, 2021 at 06:55:09PM +0100, Philippe Mathieu-Daudé wrote:
> dma_buf_read/dma_buf_write() return a MemTxResult type.
> Do not discard it, propagate the DMA error to the caller.
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Looks good.

Reviewed-by: Keith Busch <kbusch@kernel.org>
diff mbox series

Patch

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index fa410a179a6..604ed0aea0d 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -1147,15 +1147,16 @@  static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len,
 
     if (sg->flags & NVME_SG_DMA) {
         const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+        MemTxResult res;
         uint64_t residual;
 
         if (dir == NVME_TX_DIRECTION_TO_DEVICE) {
-            dma_buf_write(ptr, len, &residual, &sg->qsg, attrs);
+            res = dma_buf_write(ptr, len, &residual, &sg->qsg, attrs);
         } else {
-            dma_buf_read(ptr, len, &residual, &sg->qsg, attrs);
+            res = dma_buf_read(ptr, len, &residual, &sg->qsg, attrs);
         }
 
-        if (unlikely(residual)) {
+        if (unlikely(residual) || res != MEMTX_OK) {
             trace_pci_nvme_err_invalid_dma();
             return NVME_INVALID_FIELD | NVME_DNR;
         }