From: liuxixin
To: linux-nvme@lists.infradead.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/1] nvme: fix FDP configuration log parsing
Date: Wed, 27 May 2026 10:29:45 +0800

From: liuxixin
Date: Wed, 27 May 2026 10:22:32 +0800
Subject: [PATCH v2 1/1] nvme: fix FDP configuration log parsing

The fdpcidx bounds check sets n = NUMFDPC + 1 but used > instead of >=, incorrectly accepting fdp_idx when it equals n (i.e. NUMFDPC + 1).

Also validate descriptor sizes while walking the list so dsze == 0 or a descriptor past the log end cannot cause unbounded iteration or reads past the buffer.

Fixes: 30b5f20bb2ddab013035399e5c7e6577da49320a ("nvme: register fdp parameters with the block layer")
Signed-off-by: liuxixin
Reviewed-by: Nitesh Shetty
---
 drivers/nvme/host/core.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index c3032d6ad..40e87b563 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c
@@ -2263,7 +2263,7 @@ static int nvme_query_fdp_granularity(struct nvme_ctr= l *ctrl, } =20 n =3D le16_to_cpu(h->numfdpc) + 1; - if (fdp_idx > n) { + if (fdp_idx >=3D n) { dev_warn(ctrl->device, "FDP index:%d out of range:%d\n", fdp_idx, n); /* Proceed without registering FDP streams */ @@ -2275,7 +2275,15 @@ static int nvme_query_fdp_granularity(struct nvme_ct= rl *ctrl, desc =3D log; end =3D log + size - sizeof(*h); for (i =3D 0; i < fdp_idx; i++) { - log +=3D le16_to_cpu(desc->dsze); + u16 dsze =3D le16_to_cpu(desc->dsze); + + if (!dsze || log + dsze > end) { + dev_warn(ctrl->device, + "FDP invalid config descriptor at index %d\n", i); + ret =3D 0; + goto out; + } + log +=3D dsze; desc =3D log; if (log >=3D end) { dev_warn(ctrl->device, --=20 2.43.0
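
Review bot: In the first hunk, the dev_warn under the corrected "fdp_idx >= n" test still prints n as the "range", but n is NUMFDPC + 1, a count, so the largest valid index is n - 1 and the warning can now show an index equal to the printed range. Consider printing n - 1 as the maximum, or wording the message as a count, and adding a one-line comment at the assignment noting that numfdpc is zero-based so the >= reads as intended.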
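
Review bot: In the second hunk's new check, "!dsze" rejects only a zero size, so a non-zero dsze smaller than the descriptor itself is still accepted and the next desc would overlap the current one; comparing dsze against sizeof(*desc) would reject those as well. Separately, "log + dsze > end" lets log land exactly on end, which the unchanged "if (log >= end)" block just below then reports with a different warning; using >= in the new check would handle both cases in one place and make the older block redundant.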