From nobody Mon Jun 8 15:36:54 2026
From: liuxixin
To: linux-nvme@lists.infradead.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, linux-kernel@vger.kernel.org, gliuxen@gmail.com
Subject: [PATCH v4 1/2] nvme: fix FDP fdpcidx bounds check
Date: Thu, 28 May 2026 18:00:01 +0800
References: <20260527133205.GA12042@lst.de> <20260528083016.GB7073@lst.de> <20260528083043.GC7073@lst.de>

The fdpcidx bounds check sets n = NUMFDPC + 1 but used > instead of >=,
incorrectly accepting fdp_idx when it equals n (i.e. NUMFDPC + 1).

Fixes: 30b5f20bb2dd ("nvme: register fdp parameters with the block layer")
Reviewed-by: Nitesh Shetty
Reviewed-by: Christoph Hellwig
Signed-off-by: liuxixin
---
 drivers/nvme/host/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index c3032d6ad..766157ba6 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c 
@@ -2263,7 +2263,7 @@ static int nvme_query_fdp_granularity(struct nvme_ctr= l *ctrl, } =20 n =3D le16_to_cpu(h->numfdpc) + 1; - if (fdp_idx > n) { + if (fdp_idx >=3D n) { dev_warn(ctrl->device, "FDP index:%d out of range:%d\n", fdp_idx, n); /* Proceed without registering FDP streams */ --=20 2.43.0 From nobody Mon Jun 8 15:36:54 2026 Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E8183361DC3 for ; Thu, 28 May 2026 09:31:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779960714; cv=none; b=GZqVjOFxkr3ecl8hby2CLwUaERgq5p/EnhQOKSaNGFJAR1GGy6f4nn8/x9DJA0uIhDbPf5Sj8gRmeKYytJVAvYqy92ruHnq2AEzxTxv6A9sybVj3senjNCfwsOBIMkdcC8KolBEDw/EAzuXEvyiVCuh+jed5KZ4rV8k17qFdSsA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779960714; c=relaxed/simple; bh=3/k8i/FAfbzpwQaG0+MB0qW63cQ1Fs/cpc4Gfi1c/1g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=YStQI0OJ4Y/Fs0GfICv0GiQGvpZ4Qvf3u/0na8Bp1lNaO3KkcbCJ9ByRJQrnoDmIZB9BqKRKn7KrpFjgXGPAOONOF+XdHqrT5bSyAk3zhVfhRyTZvkw/V8FHjQMs2tvB6HLQ5T99Ceg9rSERvP1xLHfOnMrksUlqxUzrETIgMEc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=QZ08yX+1; arc=none smtp.client-ip=209.85.214.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="QZ08yX+1" 
From: liuxixin
To: linux-nvme@lists.infradead.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, linux-kernel@vger.kernel.org, gliuxen@gmail.com
Subject: [PATCH v4 2/2] nvme: validate FDP configuration descriptor sizes
Date: Thu, 28 May 2026 18:00:02 +0800
References: <20260527133205.GA12042@lst.de> <20260528083016.GB7073@lst.de> <20260528083043.GC7073@lst.de>

Validate descriptor sizes while walking the FDP configurations log so
dsze == 0 or a descriptor past the log end cannot cause unbounded
iteration or reads past the buffer.

Reviewed-by: Nitesh Shetty
Reviewed-by: Christoph Hellwig
Signed-off-by: liuxixin
---
 drivers/nvme/host/core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 766157ba6..40e87b563 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c 
@@ -2275,7 +2275,15 @@ static int nvme_query_fdp_granularity(struct nvme_ct= rl *ctrl, desc =3D log; end =3D log + size - sizeof(*h); for (i =3D 0; i < fdp_idx; i++) { - log +=3D le16_to_cpu(desc->dsze); + u16 dsze =3D le16_to_cpu(desc->dsze); + + if (!dsze || log + dsze > end) { + dev_warn(ctrl->device, + "FDP invalid config descriptor at index %d\n", i); + ret =3D 0; + goto out; + } + log +=3D dsze; desc =3D log; if (log >=3D end) { dev_warn(ctrl->device, --=20 2.43.0
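
Review bot: in the @@ -2263 hunk of [PATCH v4 1/2], the unchanged dev_warn() text "FDP index:%d out of range:%d" still reports n as the range, but with the check now `fdp_idx >= n` the value n is itself out of range and the valid indexes are 0 to n - 1. Consider printing the largest valid index (n - 1) or rewording the message so that n is clearly a count, so the log line for the boundary case fdp_idx == n does not read as if the index were acceptable. The commit message would also benefit from one sentence on the consequence of accepting fdp_idx == n, since the descriptor walk in the same function iterates while i < fdp_idx.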
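
Review bot: in the @@ -2275 hunk of [PATCH v4 2/2], the new test `log + dsze > end` bounds the advance, but nothing in the visible lines guarantees that a full descriptor header still lies between log and end when `desc->dsze` is read on the next iteration: after `log += dsze` the existing `log >= end` test passes for any log below end, even one byte below. Consider checking that `end - log >= sizeof(*desc)` before dereferencing desc, and rejecting a dsze smaller than sizeof(*desc) so consecutive descriptors cannot overlap. A smaller point: writing the comparison as `dsze > end - log` avoids forming a pointer past the buffer before it is compared.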