[PATCH v2 1/2] nvme: zns: cap zone report nr_zones by DMA buffer size
From: Xixin Liu
Date: Thu Jun 25 2026 - 20:59:50 EST
With Partial Report (PR=1), the Number of Zones (NZ) field in the report
header must equal the number of zone descriptors fully transferred in the
DMA buffer (ZNS Command Set Specification Rev 1.2, section 3.4.2).
nvme_ns_report_zones() does not cap the parse loop by max_in_buf derived
from buflen. Cap nz with min3() over the device-reported count, nr_zones -
zone_idx, and max_in_buf.
Signed-off-by: Xixin Liu <liuxixin@xxxxxxxxxx>
---
drivers/nvme/host/zns.c | 9 ++++++++---
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/zns.c b/drivers/nvme/host/zns.c
index 8ed1b6a33454..a1b2c3d4e5f6 100644
--- a/drivers/nvme/host/zns.c
+++ b/drivers/nvme/host/zns.c
@@ -178,7 +179,7 @@ int nvme_ns_report_zones(struct nvme_ns *ns, sector_t sector,
struct nvme_zone_report *report;
struct nvme_command c = { };
int ret, zone_idx = 0;
- unsigned int nz, i;
+ unsigned int max_in_buf, nz, i;
size_t buflen;
if (ns->head->ids.csi != NVME_CSI_ZNS)
@@ -188,6 +189,9 @@ int nvme_ns_report_zones(struct nvme_ns *ns, sector_t sector,
if (!report)
return -ENOMEM;
+ max_in_buf = (buflen - sizeof(struct nvme_zone_report)) /
+ sizeof(struct nvme_zone_descriptor);
+
c.zmr.opcode = nvme_cmd_zone_mgmt_recv;
c.zmr.nsid = cpu_to_le32(ns->head->ns_id);
c.zmr.numd = cpu_to_le32(nvme_bytes_to_numd(buflen));
@@ -207,7 +211,8 @@ int nvme_ns_report_zones(struct nvme_ns *ns, sector_t sector,
goto out_free;
}
- nz = min((unsigned int)le64_to_cpu(report->nr_zones), nr_zones);
+ nz = min3((unsigned int)le64_to_cpu(report->nr_zones),
+ nr_zones - zone_idx, max_in_buf);
if (!nz)
break;
--
2.43.0