mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2026-07-16 17:57:38 -04:00
nvme: reject invalid pr_read_keys() num_keys values
The pr_read_keys() interface has a u32 num_keys parameter. The NVMe Reservation Report command has a u32 maximum length. Reject num_keys values that are too large to fit. This will become important when pr_read_keys() is exposed to untrusted userspace via an <linux/pr.h> ioctl. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
committed by
Jens Axboe
parent
ab4fb1d8f6
commit
38ec8469f3
@@ -228,7 +228,8 @@ static int nvme_pr_resv_report(struct block_device *bdev, void *data,
|
||||
static int nvme_pr_read_keys(struct block_device *bdev,
|
||||
struct pr_keys *keys_info)
|
||||
{
|
||||
u32 rse_len, num_keys = keys_info->num_keys;
|
||||
size_t rse_len;
|
||||
u32 num_keys = keys_info->num_keys;
|
||||
struct nvme_reservation_status_ext *rse;
|
||||
int ret, i;
|
||||
bool eds;
|
||||
@@ -238,6 +239,9 @@ static int nvme_pr_read_keys(struct block_device *bdev,
|
||||
* enough to get enough keys to fill the return keys buffer.
|
||||
*/
|
||||
rse_len = struct_size(rse, regctl_eds, num_keys);
|
||||
if (rse_len > U32_MAX)
|
||||
return -EINVAL;
|
||||
|
||||
rse = kzalloc(rse_len, GFP_KERNEL);
|
||||
if (!rse)
|
||||
return -ENOMEM;
|
||||
|
||||
Reference in New Issue
Block a user