
[qemu-xen staging-4.18] hw/nvme: fix null pointer access in ruh update



commit bb5f9036d5f6914215c75e19048444b2ce06b190
Author:     Klaus Jensen <k.jensen@xxxxxxxxxxx>
AuthorDate: Tue Aug 8 17:16:14 2023 +0200
Commit:     Michael Tokarev <mjt@xxxxxxxxxx>
CommitDate: Sun Sep 10 19:39:41 2023 +0300

    hw/nvme: fix null pointer access in ruh update
    
    The Reclaim Unit Update operation in I/O Management Receive does not
    verify the presence of a configured endurance group prior to accessing
    it.
    
    Fix this.
    
    Cc: qemu-stable@xxxxxxxxxx
    Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
    Reviewed-by: Jesper Wendel Devantier <j.devantier@xxxxxxxxxxx>
    Signed-off-by: Klaus Jensen <k.jensen@xxxxxxxxxxx>
    (cherry picked from commit 3439ba9c5da943d96f7a3c86e0a7eb2ff48de41c)
    Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
---
 hw/nvme/ctrl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index ac505727e5..c71d57d17a 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -4333,7 +4333,13 @@ static uint16_t nvme_io_mgmt_send_ruh_update(NvmeCtrl 
*n, NvmeRequest *req)
     uint32_t npid = (cdw10 >> 1) + 1;
     unsigned int i = 0;
     g_autofree uint16_t *pids = NULL;
-    uint32_t maxnpid = n->subsys->endgrp.fdp.nrg * n->subsys->endgrp.fdp.nruh;
+    uint32_t maxnpid;
+
+    if (!ns->endgrp || !ns->endgrp->fdp.enabled) {
+        return NVME_FDP_DISABLED | NVME_DNR;
+    }
+
+    maxnpid = n->subsys->endgrp.fdp.nrg * n->subsys->endgrp.fdp.nruh;
 
     if (unlikely(npid >= MIN(NVME_FDP_MAXPIDS, maxnpid))) {
         return NVME_INVALID_FIELD | NVME_DNR;
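Review bot: the new guard tests `ns->endgrp` and `ns->endgrp->fdp.enabled`, but the `maxnpid` computation that follows still dereferences `n->subsys->endgrp` rather than the `ns->endgrp` pointer that was just validated; if the two are meant to be the same endurance group, consider computing `maxnpid = ns->endgrp->fdp.nrg * ns->endgrp->fdp.nruh;` so the bounds check is tied to the object the guard proved non-null, and if they can differ the guard does not cover the `n->subsys` access. Also note that `ns` is not visible in this hunk's context (the function takes only `n` and `req`), so the assignment from `req->ns` above must already be in place before this check.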
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#staging-4.18