[PATCH v1 0/1] nvme: fix FDP configuration log parsing (NUMFDPC / fdpcidx)

liuxixin posted 1 patch 1 week, 6 days ago
Hi,

NUMFDPC in the FDP Configurations log (NVMe Base Specification, Figure 279)
is a 0-based count of configuration descriptors. Valid fdpcidx values are 0
through the NUMFDPC field value inclusive.

Since commit 30b5f20bb2dd (nvme: register fdp parameters with the block layer),
the host driver used:

  n = NUMFDPC + 1;
  if (fdp_idx > n)

which incorrectly accepts fdpcidx == NUMFDPC+1. When forcing fdpcidx=1 on a
namespace that reports a single FDP configuration (NUMFDPC field 0), the
unfixed driver proceeds into the descriptor walk and reports:

  FDP invalid config descriptor list

This patch fixes the bounds check and also validates descriptor sizes while
walking the descriptor list so dsze == 0 or a descriptor past the log end
cannot cause unbounded iteration or reads past the buffer.

## Test plan
- Build: make M=drivers/nvme -j12

- Repro/validation (lab):
  Tested on linux-next 7.1.0-rc4-next-20260521 with QEMU 8.2 nvme-subsys,fdp=on.
  With a single FDP configuration (NUMFDPC field 0), forcing fdpcidx=1 triggers
  FDP invalid config descriptor list on the unfixed driver, while the fix
  rejects it early with FDP index:1 out of range:0 and skips stream
  registration.

Thanks,
liuxixin
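As an added example, not code from this patch or the kernel: a standalone C sketch of the corrected bounds check and the size-validated descriptor walk described above. The struct layouts are simplified assumptions (field names numfdpc and dsze follow the cover letter; offsets, padding and the 16-byte header are assumed, not the kernel's definitions), and the three sample logs are constructed, not captured from a device.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified FDP Configurations log layout (assumed, not the kernel's structs). */
struct fdp_config_log_hdr {
    uint16_t numfdpc;       /* 0-based: valid fdpcidx is 0..numfdpc inclusive */
    uint8_t  rsvd[14];      /* pad the header to 16 bytes */
};
struct fdp_config_desc {
    uint16_t dsze;          /* descriptor size in bytes, including this field */
};

enum { FDP_OK = 0, FDP_IDX_OUT_OF_RANGE = -1, FDP_BAD_DESC_LIST = -2 };

/* Find descriptor number fdpcidx in a log of log_len bytes. */
int fdp_find_config(const uint8_t *log, size_t log_len, unsigned int fdpcidx,
                    const struct fdp_config_desc **out)
{
    const struct fdp_config_log_hdr *hdr = (const struct fdp_config_log_hdr *)log;
    size_t off = sizeof(*hdr);
    unsigned int i;

    if (log_len < sizeof(*hdr))
        return FDP_BAD_DESC_LIST;
    /* The unfixed check was "if (fdpcidx > numfdpc + 1)", which lets
     * fdpcidx == numfdpc + 1 through. Compare against numfdpc directly. */
    if (fdpcidx > hdr->numfdpc)
        return FDP_IDX_OUT_OF_RANGE;

    for (i = 0; ; i++) {
        const struct fdp_config_desc *d;
        if (off + sizeof(*d) > log_len)   /* descriptor header past the log end */
            return FDP_BAD_DESC_LIST;
        d = (const struct fdp_config_desc *)(log + off);
        /* dsze == 0 would never advance; dsze past log_len would read out of bounds. */
        if (d->dsze < sizeof(*d) || off + d->dsze > log_len)
            return FDP_BAD_DESC_LIST;
        if (i == fdpcidx) {
            *out = d;
            return FDP_OK;
        }
        off += d->dsze;
    }
}

/* Constructed sample logs: one 4-byte descriptor each (hdr 16 bytes + 4). */
struct sample_log { struct fdp_config_log_hdr hdr; uint16_t dsze; uint8_t body[2]; };
const struct sample_log fdp_sample_one   = { { 0, {0} }, 4, {0, 0} }; /* NUMFDPC 0 */
const struct sample_log fdp_sample_short = { { 1, {0} }, 4, {0, 0} }; /* claims 2, has 1 */
const struct sample_log fdp_sample_zero  = { { 0, {0} }, 0, {0, 0} }; /* dsze == 0 */

/* Status-only wrapper so the lookup result can be checked without the pointer. */
int fdp_lookup_status(const void *log, size_t log_len, unsigned int fdpcidx)
{
    const struct fdp_config_desc *d = NULL;
    return fdp_find_config((const uint8_t *)log, log_len, fdpcidx, &d);
}
```

With fdp_sample_one, fdpcidx 1 is now rejected by the bounds check before the walk starts, which is the early "out of range" path the test plan describes; the other two samples exercise the new descriptor-size checks.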