| author | Stefan Hajnoczi <stefanha@redhat.com> | 2025-12-01 16:43:27 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-03-13 17:20:44 +0100 |
| commit | a0167a4984ca0ac4195e869b157f22e2e54d2f68 (patch) | |
| tree | 08b9a947fa7ba8f4ce21d67fa446ad2fd0e2b609 /drivers | |
| parent | 549b68ba830ff0c5bc848179ddf7ccce582842b4 (diff) | |
nvme: reject invalid pr_read_keys() num_keys values

[ Upstream commit 38ec8469f39e0e96e7dd9b76f05e0f8eb78be681 ]

The pr_read_keys() interface has a u32 num_keys parameter. The NVMe
Reservation Report command has a u32 maximum length. Reject num_keys
values that are too large to fit.

This will become important when pr_read_keys() is exposed to untrusted
userspace via an <linux/pr.h> ioctl.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: c3320153769f ("nvme: fix memory allocation in nvme_pr_read_keys()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/nvme/host/pr.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c index 80dd09aa01a3..d330916a3199 100644 --- a/drivers/nvme/host/pr.c +++ b/drivers/nvme/host/pr.c @@ -200,7 +200,8 @@ retry: static int nvme_pr_read_keys(struct block_device *bdev, struct pr_keys *keys_info) { - u32 rse_len, num_keys = keys_info->num_keys; + size_t rse_len; + u32 num_keys = keys_info->num_keys; struct nvme_reservation_status_ext *rse; int ret, i; bool eds; @@ -210,6 +211,9 @@ static int nvme_pr_read_keys(struct block_device *bdev, * enough to get enough keys to fill the return keys buffer. */ rse_len = struct_size(rse, regctl_eds, num_keys); + if (rse_len > U32_MAX) + return -EINVAL; + rse = kzalloc(rse_len, GFP_KERNEL); if (!rse) return -ENOMEM; |
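Review bot: in the first hunk, at the declarations of nvme_pr_read_keys(), nothing records why rse_len is now size_t while num_keys stays u32. The `rse_len > U32_MAX` test added further down only works if the struct_size() result is held without truncation, so a one-line comment at the declaration would keep a later cleanup from narrowing it back to u32.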
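Review bot: in the second hunk, the `if (rse_len > U32_MAX)` check bounds rse_len only to what the Reservation Report length can carry, so the `kzalloc(rse_len, GFP_KERNEL)` right after it can still be asked for close to 4 GiB from a caller-supplied num_keys. Since the commit message expects untrusted userspace to reach this path, consider a tighter cap on num_keys or an allocator meant for large sizes such as kvzalloc(). Also, where size_t is 32 bits the comparison can never be true and struct_size() saturates at SIZE_MAX, so an oversized num_keys there ends in -ENOMEM from the allocation rather than -EINVAL; worth confirming that is acceptable.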
