Re: [PATCH] nvme: core: reject invalid LBA data size from Identify Namespace
From: Keith Busch
Date: Mon Apr 20 2026 - 11:45:08 EST
On Sat, Apr 18, 2026 at 12:28:34AM -0400, Chao Shi wrote:
> memflags = blk_mq_freeze_queue(ns->disk->queue);
> + if (id->lbaf[lbaf].ds < SECTOR_SHIFT ||
> + check_shl_overflow(le64_to_cpu(id->nsze),
> + id->lbaf[lbaf].ds - SECTOR_SHIFT,
> + &capacity)) {
> + dev_warn_once(ns->ctrl->device,
> + "invalid LBA data size %u, skipping namespace\n",
> + id->lbaf[lbaf].ds);
> + ret = -EIO;

I think ENODEV is a more appropriate errno.

> + blk_mq_unfreeze_queue(ns->disk->queue, memflags);
> + goto out;

I don't see any particular reason why we shouldn't validate this value
before starting the queue updates and freezing the queue, like we do for
the ncap field up higher. Doing that would make the error case much
simpler. Case in point, you're missing the corresponding
queue_limits_cancel_update() for this error case.

> + }
> ns->head->lba_shift = id->lbaf[lbaf].ds;
> ns->head->nuse = le64_to_cpu(id->nuse);
> - capacity = nvme_lba_to_sect(ns->head, le64_to_cpu(id->nsze));
> nvme_set_ctrl_limits(ns->ctrl, &lim, false);
> nvme_configure_metadata(ns->ctrl, ns->head, id, nvm, info);
> nvme_set_chunk_sectors(ns, id, &lim);
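
Review bot: The dev_warn_once() message in the new error branch reports only ds, but the same branch is taken when check_shl_overflow() fails on nsze shifted by (ds - SECTOR_SHIFT), so a namespace with a plausible ds and an oversized nsze would be logged as "invalid LBA data size". Consider printing le64_to_cpu(id->nsze) alongside ds, or splitting the two conditions so each gets its own message. Since this is the _once variant, only the first rejected namespace is logged; later rejections return the error with no log line, which makes a misbehaving device harder to attribute during triage. A per-namespace dev_warn(), rate-limited if needed, would keep that visible.
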
> --
> 2.43.0
>