Re: [PATCH v4 2/2] nvme: validate FDP configuration descriptor sizes

Next message: Matthieu Baerts (NGI0): "[PATCH net v2 04/11] mptcp: allow subflow rcv wnd to shrink"
Previous message: Matthieu Baerts (NGI0): "[PATCH net v2 10/11] mptcp: fix uninit-value in mptcp_established_options"
Next in thread: liuxixin: "[PATCH v5 0/1] nvme: validate FDP configuration descriptor sizes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Keith Busch

Date: Tue Jun 02 2026 - 08:21:25 EST

On Thu, May 28, 2026 at 06:00:02PM +0800, liuxixin wrote:
> @@ -2275,7 +2275,15 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
> desc = log;
> end = log + size - sizeof(*h);
> for (i = 0; i < fdp_idx; i++) {
> - log += le16_to_cpu(desc->dsze);
> + u16 dsze = le16_to_cpu(desc->dsze);
> +
> + if (!dsze || log + dsze > end) {
> + dev_warn(ctrl->device,
> + "FDP invalid config descriptor at index %d\n", i);
> + ret = 0;
> + goto out;
> + }
> + log += dsze;
> desc = log;
> if (log >= end) {
> dev_warn(ctrl->device,

I think you can delete this "log >= end" check now that you added the
same check right above.