author: Chuck Tuffli <chuck@FreeBSD.org> 2019-04-05 16:54:20 +0000
committer: Chuck Tuffli <chuck@FreeBSD.org> 2019-04-05 16:54:20 +0000
commit: a1daa3ae5ed2c00613ed3972d566b4f892b7dd2d (patch)
tree: 11f1f1e2e27ae4466c264a8d38dbcff8e970cc51 /lib
parent: fe1b713e2cba0d02c0562c5cffe029d7461b3888 (diff)
bhyve: Fix NVMe data structure copy to guest
bhyve's NVMe emulation was transferring Identify data back to the guest incorrectly, causing memory corruptions. These corruptions resulted in core dumps and other system level errors in the guest.

In their simplest form, NVMe Physical Region Page (PRP) values in commands indicate which physical pages to use for data transfer. The first PRP value is not required to be page aligned but does not cross a page boundary. The second PRP value must be page aligned, does not cross a page boundary, and need not be contiguous with PRP1.

The code was copying Identify data past the end of PRP1. This happens to work if PRP1 and PRP2 are physically contiguous but will corrupt guest memory in unpredictable ways if they are not. The fix is to copy the Identify data back to the guest piecewise (i.e. for each PRP entry).

Also fix a similarly wrong problem when copying back Log page data.

Reviewed by: imp (mentor), araujo, jhb, rgrimes, bhyve
Approved by: imp (mentor), bhyve (jhb)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D19695
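The PRP rules the message describes, as an added example that is not bhyve's own code: a contiguous copy from PRP1 beside the piecewise per-PRP copy, run against a constructed 8-page array standing in for guest physical memory (bhyve's real guest mapping is not used).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096UL
static uint8_t guest_mem[8 * PAGE_SIZE]; /* constructed stand-in for an 8-page guest RAM */

/* Pre-fix behaviour: one contiguous copy from PRP1, which spills past the end
 * of PRP1's page into whatever guest page physically follows it. */
static long copy_contiguous(const void *src, size_t len, uint64_t prp1)
{
    if (prp1 + len > sizeof guest_mem) return -1;
    memcpy(guest_mem + prp1, src, len);
    return (long)len;
}
/* Fixed behaviour: copy piecewise per PRP entry. PRP1 may be unaligned but never
 * crosses a page boundary; PRP2 must be page aligned and is a separate page.
 * Returns bytes copied, or -1 if two PRPs cannot describe 'len' bytes. */
static long copy_per_prp(const void *src, size_t len, uint64_t prp1, uint64_t prp2)
{
    const uint8_t *p = src;
    size_t first = PAGE_SIZE - (prp1 & (PAGE_SIZE - 1)); /* room left in PRP1's page */
    if (first > len) first = len;
    size_t rest = len - first;
    if (prp1 + first > sizeof guest_mem) return -1;
    memcpy(guest_mem + prp1, p, first);
    if (rest == 0) return (long)first;
    /* remainder must fit in one page at an aligned PRP2 (otherwise a PRP list is needed) */
    if (rest > PAGE_SIZE || (prp2 & (PAGE_SIZE - 1)) || prp2 + rest > sizeof guest_mem)
        return -1;
    memcpy(guest_mem + prp2, p + first, rest);
    return (long)len;
}
/* Constructed scenario: a 4 KiB Identify buffer, PRP1 half way into guest page 1,
 * PRP2 = guest page 4. Returns 1 if bystander page 2 (physically after PRP1's
 * page) is untouched after the copy, 0 if it was overwritten. */
static int page2_survives(int use_fix)
{
    uint8_t ident[PAGE_SIZE];
    memset(ident, 0xAB, sizeof ident);
    memset(guest_mem, 0, sizeof guest_mem);
    if (use_fix) copy_per_prp(ident, sizeof ident, 0x1800, 0x4000);
    else copy_contiguous(ident, sizeof ident, 0x1800);
    for (size_t i = 0; i < PAGE_SIZE; i++)
        if (guest_mem[2 * PAGE_SIZE + i]) return 0;
    return 1;
}
int main(void)
{
    printf("contiguous: page 2 %s\n", page2_survives(0) ? "intact" : "corrupted");
    printf("per-PRP:    page 2 %s\n", page2_survives(1) ? "intact" : "corrupted");
}
```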
Notes: svn path=/head/; revision=345957
Diffstat (limited to 'lib')
0 files changed, 0 insertions, 0 deletions