Re: [PATCH] libnvdimm/labels: Prevent integer overflow in __nd_label_validate()
From: Bryam Vargas
Date: Wed Jun 24 2026 - 01:46:40 EST
On 2026-06-21, David Laight wrote:
> The same could be done for nslot - any value above 64k is pretty much
> guaranteed to be garbage
I took that up in v2, but it does not hold against the code, so v3 drops it.
The allocation it was meant to bound -- ndd->data in nd_label_data_init() --
is kvzalloc(config_size), not nslot-derived, so capping nslot shrinks nothing.
And the cap is unsafe: on ND_NSINDEX_INIT the kernel writes
nslot = nvdimm_num_label_slots(ndd) = config_size / label_size, which is above
64K once config_size is past ~8.4MB. A 64K cap then rejects labels the kernel
itself wrote, so a freshly-formatted large device fails its own next probe.
The (u64) cast in patch 1 already makes the bound exact, so the overflow is
closed without the cap. v3 keeps the cast; the labelsize-shift UB the review
also turned up is a separate fix, not a stand-in for the cap.
Thanks,
Bryam
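An added example, constructed for this thread and not code from patch 1 or from drivers/nvdimm: a reduced model of the two points above, the bound check whose product can wrap in 32-bit arithmetic versus the same check with the (u64) widening, and the nslot value the kernel writes on ND_NSINDEX_INIT as the thread describes it (config_size / label_size). The function names, the shape of the bound (nslot * label_size + 2 * index_size <= config_size) and the constants are assumptions of this example; only the overflow, the cast and the nslot formula come from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model, not the libnvdimm code. The check below is a hypothetical
 * reduction of a label-area bound: the slots plus two index blocks must fit in
 * the config area. Field widths are assumed to be u32, as on-disk label fields
 * read with __le32_to_cpu() would be.
 */

/* Narrow arithmetic: a u32 product wraps and can slip under the bound. */
static bool bound_ok_u32(uint32_t nslot, uint32_t label_size,
                         uint32_t index_size, uint32_t config_size)
{
    uint32_t need = nslot * label_size + 2u * index_size;   /* may wrap */
    return need <= config_size;
}

/* Widened arithmetic, the effect of the (u64) cast: the bound is exact. */
static bool bound_ok_u64(uint32_t nslot, uint32_t label_size,
                         uint32_t index_size, uint32_t config_size)
{
    uint64_t need = (uint64_t)nslot * label_size + 2ull * index_size;
    return need <= config_size;
}

/* nslot as the thread says the kernel writes it on ND_NSINDEX_INIT. */
static uint32_t kernel_nslot(uint32_t config_size, uint32_t label_size)
{
    return config_size / label_size;
}

/* The cap that v2 tried and v3 drops: reject anything above 64K slots. */
static bool cap_64k_rejects(uint32_t nslot)
{
    return nslot > 65536u;
}

/* Smallest config_size at which the kernel's own nslot exceeds the cap. */
static uint32_t first_capped_config_size(uint32_t label_size)
{
    return (65536u + 1u) * label_size;
}

int main(void)
{
    /* Garbage nslot: 2^31 slots of 256 bytes is 2^39 bytes, which is 0 mod 2^32. */
    uint32_t garbage = 0x80000000u;
    printf("u32 check accepts garbage: %d\n",
           bound_ok_u32(garbage, 256u, 256u, 131072u));   /* wraps, passes */
    printf("u64 check accepts garbage: %d\n",
           bound_ok_u64(garbage, 256u, 256u, 131072u));   /* exact, rejects */

    /* A large device: the kernel itself writes more than 64K slots. */
    uint32_t cs = first_capped_config_size(128u);
    printf("config_size %u bytes -> nslot %u, 64K cap rejects: %d\n",
           cs, kernel_nslot(cs, 128u), cap_64k_rejects(kernel_nslot(cs, 128u)));
    return 0;
}
```

With a 128-byte label, first_capped_config_size() returns 8388736, the ~8.4MB point the reply mentions; above it every freshly initialised index carries an nslot the cap would reject, while the widened check rejects the wrapped value and accepts nothing it should not.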