Re: [PATCH v2] nvme: fix memory allocation in nvme_pr_read_keys()
From: Keith Busch
Date: Mon Mar 02 2026 - 11:00:09 EST

On Fri, Feb 27, 2026 at 07:19:28PM -0500, Sungwoo Kim wrote:
> nvme_pr_read_keys() takes num_keys from userspace and uses it to
> calculate the allocation size for rse via struct_size(). The upper
> limit is PR_KEYS_MAX (64K).
>
> A malicious or buggy userspace can pass a large num_keys value that
> results in a 4MB allocation attempt at most, causing a warning in
> the page allocator when the order exceeds MAX_PAGE_ORDER.

Thanks, applied to nvme-7.0.
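
The sizing described in the quoted commit message can be checked with a small userspace model. This is an added example, not code from the patch or the thread. It assumes 4 KiB pages, a MAX_PAGE_ORDER of 10, and a 64-byte header plus 64 bytes per key entry for the rse buffer; none of these values are stated in the message, and the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, not stated in the thread: 4 KiB pages, MAX_PAGE_ORDER = 10,
 * a 64-byte rse header and 64 bytes per returned key entry. */
#define PAGE_SIZE_ASSUMED      4096u
#define MAX_PAGE_ORDER_ASSUMED 10u
#define RSE_HDR_BYTES          64u
#define RSE_ENTRY_BYTES        64u
#define PR_KEYS_MAX            (64u * 1024u) /* "64K" in the commit message */

/* Userspace model of struct_size(): header + n entries, saturating at
 * SIZE_MAX instead of wrapping when the arithmetic would overflow. */
static size_t rse_size(size_t num_keys)
{
    if (num_keys > (SIZE_MAX - RSE_HDR_BYTES) / RSE_ENTRY_BYTES)
        return SIZE_MAX;
    return RSE_HDR_BYTES + num_keys * RSE_ENTRY_BYTES;
}

/* Smallest order with (page size << order) >= size, as get_order() does. */
static unsigned int page_order(size_t size)
{
    size_t pages = size / PAGE_SIZE_ASSUMED + (size % PAGE_SIZE_ASSUMED != 0);
    unsigned int order = 0;

    while (((size_t)1 << order) < pages)
        order++;
    return order;
}

/* Nonzero when a physically contiguous allocation of this size would need
 * an order above the assumed MAX_PAGE_ORDER. */
static int exceeds_max_order(size_t num_keys)
{
    return page_order(rse_size(num_keys)) > MAX_PAGE_ORDER_ASSUMED;
}

int main(void)
{
    size_t samples[] = { 1, 1024, PR_KEYS_MAX - 1, PR_KEYS_MAX };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("num_keys=%zu bytes=%zu order=%u exceeds=%d\n", samples[i],
               rse_size(samples[i]), page_order(rse_size(samples[i])),
               exceeds_max_order(samples[i]));
    return 0;
}
```

Under these assumptions the header is what pushes a PR_KEYS_MAX request past the limit: the entries alone fill exactly 4 MiB, so the buffer rounds up to the next order.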