From: liuxixin
To: linux-nvme@lists.infradead.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, linux-kernel@vger.kernel.org, gliuxen@gmail.com
Subject: [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check
Date: Thu, 28 May 2026 09:43:24 +0800
Message-ID: <820c56d3908ffa2726e38c31eeb5d3d7701fc590.1779930057.git.gliuxen@gmail.com>
References: <20260527133205.GA12042@lst.de>

From: liuxixin
Date: Thu, 28 May 2026 09:00:36 +0800
Subject: [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check

The fdpcidx bounds check sets n = NUMFDPC + 1 but used > instead of >=,
incorrectly accepting fdp_idx when it equals n (i.e. NUMFDPC + 1).

Fixes: 30b5f20bb2dd ("nvme: register fdp parameters with the block layer")
Reviewed-by: Nitesh Shetty
Signed-off-by: liuxixin
Reviewed-by: Christoph Hellwig
---
 drivers/nvme/host/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index c3032d6ad..766157ba6 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c
@@ -2263,7 +2263,7 @@ static int nvme_query_fdp_granularity(struct nvme_ctr= l *ctrl, } =20 n =3D le16_to_cpu(h->numfdpc) + 1; - if (fdp_idx > n) { + if (fdp_idx >=3D n) { dev_warn(ctrl->device, "FDP index:%d out of range:%d\n", fdp_idx, n); /* Proceed without registering FDP streams */ --=20 2.43.0

From: liuxixin
To: linux-nvme@lists.infradead.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, linux-kernel@vger.kernel.org, gliuxen@gmail.com
Subject: [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes
Date: Thu, 28 May 2026 09:43:26 +0800
Message-ID: <46b82f1d635ed01017fcceec5d56d5cfd5cfcb79.1779930057.git.gliuxen@gmail.com>
References: <20260527133205.GA12042@lst.de>

From: liuxixin
Date: Thu, 28 May 2026 09:00:37 +0800
Subject: [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes

Validate descriptor sizes while walking the FDP configurations log so
dsze == 0 or a descriptor past the log end cannot cause unbounded
iteration or reads past the buffer.

Reviewed-by: Nitesh Shetty
Signed-off-by: liuxixin
Reviewed-by: Christoph Hellwig
---
 drivers/nvme/host/core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 766157ba6..40e87b563 100644 --- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c @@ -2275,7 +2275,15 @@ static int nvme_query_fdp_granularity(struct nvme_ct= rl *ctrl, desc =3D log; end =3D log + size - sizeof(*h); for (i =3D 0; i < fdp_idx; i++) { - log +=3D le16_to_cpu(desc->dsze); + u16 dsze =3D le16_to_cpu(desc->dsze); + + if (!dsze || log + dsze > end) { + dev_warn(ctrl->device, + "FDP invalid config descriptor at index %d\n", i); + ret =3D 0; + goto out; + } + log +=3D dsze; desc =3D log; if (log >=3D end) { dev_warn(ctrl->device, --=20 2.43.0
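
Review bot: In [PATCH v3 1/2] (hunk at @@ -2263), the dev_warn under the corrected test fdp_idx >= n still reports n as the range ("FDP index:%d out of range:%d"), although n is the configuration count (numfdpc + 1) and the highest valid index is n - 1. A reader of the log line will assume an index equal to the printed value is acceptable, which is the same off-by-one the patch removes from the code. Consider printing n - 1, or rewording to something like "FDP index:%d, only %d configurations". The commit message could also state the consequence of the old test: with fdp_idx == n accepted, the descriptor walk in the same function (for (i = 0; i < fdp_idx; i++), visible in 2/2) advances one descriptor past the last one the log header advertises.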
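
Review bot: In [PATCH v3 2/2] (hunk at @@ -2275), the new test only proves that each skipped descriptor ends at or before end; the descriptor finally selected is still only known to start before end, through the existing log >= end check that follows log += dsze. If the code after the loop reads fields of desc, it should also confirm that the fixed-size part of the descriptor fits, for example by rejecting end - log < sizeof(*desc) before desc is dereferenced, and that applies to the dsze read at the top of each iteration as well as to the final descriptor. Two smaller points on the same lines: log + dsze > end forms the out-of-range pointer before comparing, so dsze > end - log expresses the same bound without doing that; and since log + dsze == end passes the new test and is then caught by the old one, the two checks could be merged into a single dsze >= end - log test with one warning message. The ret = 0 on a malformed log matches the "Proceed without registering FDP streams" behaviour in the earlier hunk, which is worth saying in the commit message so the silent success is clearly intentional.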