Re: [PATCH v2] nvme-pci: fix out-of-bounds access in nvme_setup_descriptor_pools

From: Keith Busch

Date: Wed May 27 2026 - 12:34:22 EST


On Sat, May 23, 2026 at 08:28:16AM +0000, Mateusz Nowicki wrote:
> nvme_setup_descriptor_pools() indexes dev->descriptor_pools[] using the
> numa_node forwarded from hctx->numa_node by its single caller,
> nvme_init_hctx_common(). On a non-NUMA kernel hctx->numa_node is
> NUMA_NO_NODE (-1). Because the parameter was declared 'unsigned', the
> value becomes UINT_MAX and the index walks off the array (sized to
> nr_node_ids), faulting during nvme_alloc_ns() and leaving the namespace
> without a /dev node.

Thanks, applied to nvme-7.2.
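
Added example, not part of the thread or of the applied patch: a user-space C model of the signed-to-unsigned conversion described in the quoted commit message, next to one possible guard. `pools`, `NR_NODE_IDS`, `index_as_unsigned`, `index_in_bounds`, `lookup_pool` and the fallback to node 0 are assumptions made for illustration; they are not the driver's code.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define NUMA_NO_NODE (-1)   /* same value the kernel uses */
#define NR_NODE_IDS 1u      /* constructed: non-NUMA build, one node */

struct pool { int initialised; };      /* stand-in for a per-node pool set */
static struct pool pools[NR_NODE_IDS]; /* sized like the array in the report */

/* Pattern from the report: the node id arrives through an 'unsigned'
 * parameter, so -1 is converted to UINT_MAX before it is used as an index. */
static unsigned index_as_unsigned(unsigned numa_node)
{
    return numa_node;
}

/* Returns 1 when idx names a valid slot in pools[]. */
static int index_in_bounds(unsigned idx)
{
    return idx < NR_NODE_IDS;
}

/* Hypothetical guard: keep the id signed, map NUMA_NO_NODE to node 0
 * (assumption), and reject any other id that falls outside the array. */
static struct pool *lookup_pool(int numa_node)
{
    if (numa_node == NUMA_NO_NODE)
        numa_node = 0;
    if (numa_node < 0 || (unsigned)numa_node >= NR_NODE_IDS)
        return NULL;
    return &pools[numa_node];
}

int main(void)
{
    unsigned idx = index_as_unsigned(NUMA_NO_NODE);

    printf("unsigned index: %u, in bounds: %d\n", idx, index_in_bounds(idx));
    printf("guarded NUMA_NO_NODE: %s\n",
           lookup_pool(NUMA_NO_NODE) ? "pool 0" : "NULL");
    printf("guarded node 5: %s\n", lookup_pool(5) ? "pool" : "NULL");
    return 0;
}
```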