[PATCH v1 1/1] nvme: fix FDP configuration log parsing

[liuxixin]

NUMFDPC in the FDP Configurations log (NVMe Base Specification, Figure 279)
is a 0-based count of configuration descriptors. Valid fdpcidx values are 0
through the NUMFDPC field value inclusive.

Fix the off-by-one check which incorrectly accepts fdpcidx == NUMFDPC+1.
Also validate descriptor sizes while walking the list so dsze == 0 or a
descriptor past the log end cannot cause unbounded iteration or reads past
the buffer.

Fixes: 30b5f20bb2ddab013035399e5c7e6577da49320a ("nvme: register fdp parameters with the block layer")

Signed-off-by: liuxixin <gliuxen@xxxxxxxxx>
---
 drivers/nvme/host/core.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index c3032d6ad..c5e77f5bc 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2231,7 +2231,8 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	struct nvme_fdp_config_desc *desc;
 	size_t size = sizeof(hdr);
 	void *log, *end;
-	int i, n, ret;
+	int i, ret;
+	u16 numfdpc;
 
 	ret = nvme_get_log_lsi(ctrl, 0, NVME_LOG_FDP_CONFIGS, 0,
 			       NVME_CSI_NVM, &hdr, size, 0, info->endgid);
@@ -2262,10 +2263,10 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 		goto out;
 	}
 
-	n = le16_to_cpu(h->numfdpc) + 1;
-	if (fdp_idx > n) {
+	numfdpc = le16_to_cpu(h->numfdpc);
+	if (fdp_idx > numfdpc) {
 		dev_warn(ctrl->device, "FDP index:%d out of range:%d\n",
-			 fdp_idx, n);
+			 fdp_idx, numfdpc);
 		/* Proceed without registering FDP streams */
 		ret = 0;
 		goto out;
@@ -2275,7 +2276,15 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	desc = log;
 	end = log + size - sizeof(*h);
 	for (i = 0; i < fdp_idx; i++) {
-		log += le16_to_cpu(desc->dsze);
+		u16 dsze = le16_to_cpu(desc->dsze);
+
+		if (!dsze || log + dsze > end) {
+			dev_warn(ctrl->device,
+				 "FDP invalid config descriptor at index %d\n", i);
+			ret = 0;
+			goto out;
+		}
+		log += dsze;
 		desc = log;
 		if (log >= end) {
 			dev_warn(ctrl->device,
-- 
2.43.0