From: Mateusz Nowicki
To: Keith Busch, Jens Axboe, Christoph Hellwig, Sagi Grimberg
Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] nvme-pci: fix out-of-bounds access in nvme_setup_descriptor_pools
Date: Fri, 22 May 2026 15:06:42 +0000
Message-ID: <20260522150628.399288-1-mateusz.nowicki@posteo.net>

nvme_setup_descriptor_pools() indexes dev->descriptor_pools[] using the
numa_node forwarded from hctx->numa_node by its single caller,
nvme_init_hctx_common(). On a non-NUMA kernel hctx->numa_node is
NUMA_NO_NODE (-1). Because the parameter was declared 'unsigned', the
value becomes UINT_MAX and the index walks off the array (sized to
nr_node_ids), faulting during nvme_alloc_ns() and leaving the namespace
without a /dev node.

Reproduces on any NVMe controller probed by a CONFIG_NUMA=n kernel:

  BUG: unable to handle page fault for address: ffff889101603d38
  RIP: 0010:nvme_init_hctx_common+0x5a/0x190 [nvme]
  Call Trace:
   nvme_init_hctx+0x10/0x20 [nvme]
   nvme_alloc_ns+0x9e/0xa10 [nvme_core]
   nvme_scan_ns+0x301/0x3b0 [nvme_core]
   nvme_scan_ns_async+0x23/0x30 [nvme_core]

Switch the parameter to int and fall back to node 0 for negative or
out-of-range values; node 0 is always present.
Signed-off-by: Mateusz Nowicki --- drivers/nvme/host/pci.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index 9fd04cd7c5cb..ecec0f9cff98 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -587,11 +587,17 @@ static bool nvme_dbbuf_update_and_check_event(u16 val= ue, __le32 *dbbuf_db, } =20 static struct nvme_descriptor_pools * -nvme_setup_descriptor_pools(struct nvme_dev *dev, unsigned numa_node) +nvme_setup_descriptor_pools(struct nvme_dev *dev, int numa_node) { - struct nvme_descriptor_pools *pools =3D &dev->descriptor_pools[numa_node]; + struct nvme_descriptor_pools *pools; size_t small_align =3D NVME_SMALL_POOL_SIZE; =20 + /* hctx->numa_node may be NUMA_NO_NODE; fall back to node 0. */ + if (numa_node < 0 || numa_node >=3D nr_node_ids) + numa_node =3D 0; + + pools =3D &dev->descriptor_pools[numa_node]; + if (pools->small) return pools; /* already initialized */ =20 --=20 2.53.0
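Review bot: the "numa_node >= nr_node_ids" half of the new check silently clamps a genuinely out-of-range positive node id to 0, which hides a caller bug, while the commit message says the only value expected here is NUMA_NO_NODE; consider treating the two cases separately, e.g. "if (numa_node == NUMA_NO_NODE) numa_node = 0; else if (WARN_ON_ONCE(numa_node >= nr_node_ids)) numa_node = 0;" so the legitimate non-NUMA fallback stays quiet and a bad node id from a future caller is reported rather than masked. The comment above the check could name NUMA_NO_NODE's value (-1) so the "< 0" test reads as intentional. Since this is a crash fix on every CONFIG_NUMA=n kernel, the commit message also needs a Fixes: tag naming the commit that introduced the unsigned numa_node parameter, plus Cc: stable, so the backport is picked up.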
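The conversion trap the commit message describes, shown as an added user-space model that is not part of the patch or the kernel tree: a pool array sized to nr_node_ids, the old unsigned parameter that turns NUMA_NO_NODE into UINT_MAX, and the clamped int version from the fix. All names other than NUMA_NO_NODE and nr_node_ids are hypothetical stand-ins.

```c
/* Added example modelling nvme_setup_descriptor_pools(); not kernel code. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

#define NUMA_NO_NODE (-1)            /* kernel value for "no NUMA node" */

static unsigned int nr_node_ids = 1; /* CONFIG_NUMA=n: a single node */

struct pool { bool small; };

/* Stand-in for dev->descriptor_pools[]; the kernel sizes it to nr_node_ids,
 * this model just reserves a few slots. */
#define MAX_NODES 4
static struct pool descriptor_pools[MAX_NODES];

/* Before the fix: the caller's int is converted to unsigned at the call,
 * so NUMA_NO_NODE arrives as UINT_MAX and is used as the index unchecked. */
static unsigned int old_pool_index(unsigned numa_node)
{
	return numa_node;
}

/* After the fix: take an int and clamp negative or out-of-range values
 * to node 0, which is always present. */
static int new_pool_index(int numa_node)
{
	if (numa_node < 0 || numa_node >= (int)nr_node_ids)
		numa_node = 0;
	return numa_node;
}

/* True when idx can address descriptor_pools[] without running off it. */
static bool index_in_bounds(unsigned long idx)
{
	return idx < nr_node_ids;
}

/* Model of the hctx init path. Returns NULL where the kernel would have
 * taken the page fault shown in the commit message. */
static struct pool *setup_pools(int hctx_numa_node, bool fixed)
{
	unsigned long idx = fixed ? (unsigned long)new_pool_index(hctx_numa_node)
	                          : old_pool_index(hctx_numa_node);

	if (!index_in_bounds(idx))
		return NULL;
	return &descriptor_pools[idx];
}
```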