On Mon, Dec 19, 2022 at 10:59:06AM -0800, Keith Busch wrote: >From: Keith Busch > >Convert the max size to bytes to match the units of the divisor that >calculates the worst-case number of PRP entries. > >The result is used to determine how many PRP Lists are required. The >code was previously rounding this to 1 list, but we can require 2 in the >worst case. In that scenario, the driver would corrupt memory beyond the >size provided by the mempool. > >While unlikely to occur (you'd need a 4MB in exactly 127 phys segments >on a queue that doesn't support SGLs), this memory corruption has been >observed by kfence. > >Cc: Jens Axboe >Fixes: 943e942e6266f ("nvme-pci: limit max IO size and segments to avoid high order allocations") >Signed-off-by: Keith Busch >--- > drivers/nvme/host/pci.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c >index f0f8027644bbf..fa182fcd4c3e8 100644 >--- a/drivers/nvme/host/pci.c >+++ b/drivers/nvme/host/pci.c >@@ -380,8 +380,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db, > */ > static int nvme_pci_npages_prp(void) > { >- unsigned nprps = DIV_ROUND_UP(NVME_MAX_KB_SZ + NVME_CTRL_PAGE_SIZE, >- NVME_CTRL_PAGE_SIZE); Similar calculation is present in apple.c too. Regardless, this looks good. Reviewed-by: Kanchan Joshi
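Review bot: In nvme_pci_npages_prp(), the units of NVME_MAX_KB_SZ are only implied by its name, which is how the removed `DIV_ROUND_UP(NVME_MAX_KB_SZ + NVME_CTRL_PAGE_SIZE, NVME_CTRL_PAGE_SIZE)` came to add a KiB count to a byte count. The added lines are not visible in this quote, so the conversion itself cannot be checked here. Whatever form it takes, a short comment on the function stating that every operand is in bytes, or a byte-sized constant derived once from NVME_MAX_KB_SZ, would keep a later edit from reintroducing the mismatch. Since the commit message says an undercount makes the driver write past the buffer the mempool provides, the similar calculation in apple.c noted in the reply should get the same conversion in this series or a follow-up.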