From nobody Sun Feb 8 18:29:31 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=kernel.org ARC-Seal: i=1; a=rsa-sha256; t=1601503573; cv=none; d=zohomail.com; s=zohoarc; b=RLMi3i2InPZ7Aui74MxoF9+sCsoFkLsVjn5SYR1eznSYM5g39eo2JAwyQrvgvGUQfmZRBm8Id9+4Ef2ewwNASRLJEn4+XFcK1GhhQboSTSLua2xQOCcRBDZpXeAfNodrUy9OJcKQLKCoeK6i45ki4r7ZfVdVSoRiAIn2RqCx4iA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1601503573; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=GT/q6XHC/MaqHMrPFsDJThXAk+yZVfk1uixlTs38azM=; b=T0ugOB8OeenkIzctkFGlA+9FulkY2o5VbvrxBbxq2PxJycsZ1hkFYjxVZfGMWy2P2wQuT13B/FIMSCm629+UW+Gu1wdXN98EzuTNi2LLfIyFRxroP0GP3WomhS86JfZe2iyytGS9ZKVtz9LmJ1lt+ti2hvWLE3sMASZm4Gso28U= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1601503573795343.16748881174203; Wed, 30 Sep 2020 15:06:13 -0700 (PDT) Received: from localhost ([::1]:44592 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kNkEm-00075I-Iz for importer@patchew.org; Wed, 30 Sep 2020 18:06:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56118) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kNkD4-0005O9-R8; Wed, 30 Sep 2020 18:04:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:50460) 
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kNkD2-0007vK-BC; Wed, 30 Sep 2020 18:04:26 -0400 Received: from dhcp-10-100-145-180.wdl.wdc.com (unknown [199.255.45.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 434B62076A; Wed, 30 Sep 2020 22:04:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601503462; bh=/62M2pSDHHfBPXS/NRYPqbkA4RFhwX8RNBnWCfBW6hQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=y2Umwbbghn7Ac1NdbwAAWxobd+Lr70EUXIYDDmXbMumMeM9I2VwrD4SZaO1yyMqco It4Rj71HwPO0rASd2XO9Gqnt4z+YwWYC5oB7AKSZoY5EaniNrXOZ5rnpUnusvS117O qaOi77NJCiKAtwdXjbit5zy3M5ramQqUFiy4wIGk= 
From: Keith Busch To: qemu-block@nongnu.org, qemu-devel@nongnu.org, Klaus Jensen Subject: [PATCH 2/9] hw/block/nvme: fix log page offset check Date: Wed, 30 Sep 2020 15:04:07 -0700 Message-Id: <20200930220414.562527-3-kbusch@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200930220414.562527-1-kbusch@kernel.org> References: <20200930220414.562527-1-kbusch@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=198.145.29.99; envelope-from=kbusch@kernel.org; helo=mail.kernel.org X-detected-operating-system: by eggs.gnu.org: First seen = 2020/09/30 18:04:21 X-ACL-Warn: Detected OS = Linux 3.11 and newer X-Spam_score_int: -75 X-Spam_score: -7.6 X-Spam_bar: ------- X-Spam_report: (-7.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.469, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Dmitry Fomichev , Niklas Cassel , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Keith Busch , Kevin Wolf Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) Content-Type: text/plain; charset="utf-8" Return error if the requested offset starts after the size of the log being returned. Also, move the check for earlier in the function so we're not doing unnecessary calculations. 
Signed-off-by: Keith Busch Reviewed-by: Klaus Jensen Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- hw/block/nvme.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/hw/block/nvme.c b/hw/block/nvme.c index db52ea0db9..8d2b5be567 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -1179,6 +1179,10 @@ static uint16_t nvme_smart_info(NvmeCtrl *n, uint8_t= rae, uint32_t buf_len, return NVME_INVALID_FIELD | NVME_DNR; } =20 + if (off >=3D sizeof(smart)) { + return NVME_INVALID_FIELD | NVME_DNR; + } + for (int i =3D 1; i <=3D n->num_namespaces; i++) { NvmeNamespace *ns =3D nvme_ns(n, i); if (!ns) { @@ -1193,10 +1197,6 @@ static uint16_t nvme_smart_info(NvmeCtrl *n, uint8_t= rae, uint32_t buf_len, write_commands +=3D s->nr_ops[BLOCK_ACCT_WRITE]; } =20 - if (off > sizeof(smart)) { - return NVME_INVALID_FIELD | NVME_DNR; - } - trans_len =3D MIN(sizeof(smart) - off, buf_len); =20 memset(&smart, 0x0, sizeof(smart)); @@ -1234,12 +1234,11 @@ static uint16_t nvme_fw_log_info(NvmeCtrl *n, uint3= 2_t buf_len, uint64_t off, .afi =3D 0x1, }; =20 - strpadcpy((char *)&fw_log.frs1, sizeof(fw_log.frs1), "1.0", ' '); - - if (off > sizeof(fw_log)) { + if (off >=3D sizeof(fw_log)) { return NVME_INVALID_FIELD | NVME_DNR; } =20 + strpadcpy((char *)&fw_log.frs1, sizeof(fw_log.frs1), "1.0", ' '); trans_len =3D MIN(sizeof(fw_log) - off, buf_len); =20 return nvme_dma(n, (uint8_t *) &fw_log + off, trans_len, 
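Review bot: The `off >= sizeof(smart)` guard added at the top of nvme_smart_info carries no comment saying that it is what keeps `sizeof(smart) - off` in the later `trans_len = MIN(...)` line from wrapping. `off` is presumably taken from the guest's Get Log Page command, so the dependency is worth stating next to the check, e.g. `/* off is guest-supplied: must be < sizeof(smart) before the subtraction below */`. The same three-line check is repeated in nvme_fw_log_info and nvme_error_info in the later hunks, and in nvme_fw_log_info it also bounds the pointer arithmetic in `(uint8_t *) &fw_log + off`; the same comment in each, or one small shared helper, would keep the three in step. All three function bodies start and end outside their hunks.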
@@ -1252,16 +1251,15 @@ static uint16_t nvme_error_info(NvmeCtrl *n, uint8_= t rae, uint32_t buf_len, uint32_t trans_len; NvmeErrorLog errlog; =20 - if (!rae) { - nvme_clear_events(n, NVME_AER_TYPE_ERROR); + if (off >=3D sizeof(errlog)) { + return NVME_INVALID_FIELD | NVME_DNR; } =20 - if (off > sizeof(errlog)) { - return NVME_INVALID_FIELD | NVME_DNR; + if (!rae) { + nvme_clear_events(n, NVME_AER_TYPE_ERROR); } =20 memset(&errlog, 0x0, sizeof(errlog)); - trans_len =3D MIN(sizeof(errlog) - off, buf_len); =20 return nvme_dma(n, (uint8_t *)&errlog, trans_len, --=20 2.24.1
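Review bot: The nvme_dma call that closes this hunk still passes `(uint8_t *)&errlog` with no offset, although `trans_len` is computed from `sizeof(errlog) - off`; nvme_fw_log_info passes `(uint8_t *) &fw_log + off` for the same purpose. Because errlog is zero-filled by the memset just above, the bytes returned are the same today, but the transfer would start at the wrong place once real entries are stored, so `return nvme_dma(n, (uint8_t *)&errlog + off, trans_len,` would keep the handlers consistent. Separately, moving the offset check ahead of `nvme_clear_events(n, NVME_AER_TYPE_ERROR)` means a rejected request no longer clears the pending error event when `rae` is 0; that looks intended, but it is a behaviour change the commit message does not mention. The remaining arguments of the nvme_dma call are outside the hunk.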