Linux-NVME Archive on lore.kernel.org
* [PATCH v1 1/1] nvme: fix FDP configuration log parsing
@ 2026-05-26  7:52 liuxixin
  2026-05-26 14:41 ` Keith Busch
  0 siblings, 1 reply; 19+ messages in thread
From: liuxixin @ 2026-05-26  7:52 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, linux-kernel

NUMFDPC in the FDP Configurations log (NVMe Base Specification, Figure 279)
is a 0-based count of configuration descriptors. Valid fdpcidx values are 0
through the NUMFDPC field value inclusive.

Fix the off-by-one check which incorrectly accepts fdpcidx == NUMFDPC+1.
Also validate descriptor sizes while walking the list so dsze == 0 or a
descriptor past the log end cannot cause unbounded iteration or reads past
the buffer.

Fixes: 30b5f20bb2ddab013035399e5c7e6577da49320a ("nvme: register fdp parameters with the block layer")

Signed-off-by: liuxixin <gliuxen@gmail.com>
---
 drivers/nvme/host/core.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index c3032d6ad..c5e77f5bc 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2231,7 +2231,8 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	struct nvme_fdp_config_desc *desc;
 	size_t size = sizeof(hdr);
 	void *log, *end;
-	int i, n, ret;
+	int i, ret;
+	u16 numfdpc;
 
 	ret = nvme_get_log_lsi(ctrl, 0, NVME_LOG_FDP_CONFIGS, 0,
 			       NVME_CSI_NVM, &hdr, size, 0, info->endgid);
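Review bot: the new `u16 numfdpc` local exists only so the bounds check can compare an index against an index; keeping `n = le16_to_cpu(h->numfdpc) + 1` and changing the comparison in the next hunk to `fdp_idx >= n` fixes the same off-by-one as a one-line change with no new variable and no change to the declarations here.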
@@ -2262,10 +2263,10 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 		goto out;
 	}
 
-	n = le16_to_cpu(h->numfdpc) + 1;
-	if (fdp_idx > n) {
+	numfdpc = le16_to_cpu(h->numfdpc);
+	if (fdp_idx > numfdpc) {
 		dev_warn(ctrl->device, "FDP index:%d out of range:%d\n",
-			 fdp_idx, n);
+			 fdp_idx, numfdpc);
 		/* Proceed without registering FDP streams */
 		ret = 0;
 		goto out;
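Review bot: the comparison is now correct, but `dev_warn()` prints `numfdpc`, the highest valid index, under the label `out of range:%d`, so a log with a single configuration rejecting fdpcidx 1 reports `FDP index:1 out of range:0`, which reads as if no configuration exists. Either print the count (`numfdpc + 1`) or keep `n` and test `if (fdp_idx >= n)`, which leaves the message as it was.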
@@ -2275,7 +2276,15 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	desc = log;
 	end = log + size - sizeof(*h);
 	for (i = 0; i < fdp_idx; i++) {
-		log += le16_to_cpu(desc->dsze);
+		u16 dsze = le16_to_cpu(desc->dsze);
+
+		if (!dsze || log + dsze > end) {
+			dev_warn(ctrl->device,
+				 "FDP invalid config descriptor at index %d\n", i);
+			ret = 0;
+			goto out;
+		}
+		log += dsze;
 		desc = log;
 		if (log >= end) {
 			dev_warn(ctrl->device,
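Review bot: `!dsze` is not a sufficient lower bound: any `dsze` smaller than `sizeof(*desc)` passes `log + dsze > end` while leaving the next descriptor's fixed fields (`dsze`, `nrg`) partly past `end`, so the following `desc->dsze` read is still out of bounds. Test `dsze < sizeof(*desc)` instead of `!dsze`, and compare lengths rather than forming the pointer first: `if (dsze < sizeof(*desc) || dsze > end - log)`. Also note that `log + dsze == end` is accepted by this test and only caught by the retained `log >= end` test after the advance, so the two checks are complementary rather than duplicates.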
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 19+ messages in thread

* Re: [PATCH v1 1/1] nvme: fix FDP configuration log parsing
  2026-05-26  7:52 [PATCH v1 1/1] nvme: fix FDP configuration log parsing liuxixin
@ 2026-05-26 14:41 ` Keith Busch
  2026-05-27  2:22   ` [PATCH v2 0/1] " liuxixin
  0 siblings, 1 reply; 19+ messages in thread
From: Keith Busch @ 2026-05-26 14:41 UTC (permalink / raw)
  To: liuxixin; +Cc: linux-nvme, axboe, hch, sagi, linux-kernel

On Tue, May 26, 2026 at 03:52:38PM +0800, liuxixin wrote:
> @@ -2262,10 +2263,10 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
>  		goto out;
>  	}
>  
> -	n = le16_to_cpu(h->numfdpc) + 1;
> -	if (fdp_idx > n) {
> +	numfdpc = le16_to_cpu(h->numfdpc);
> +	if (fdp_idx > numfdpc) {

Can't this be fixed with just a simpler one-line change:

+	if (fdp_idx >= n) {



* [PATCH v2 0/1] nvme: fix FDP configuration log parsing
  2026-05-26 14:41 ` Keith Busch
@ 2026-05-27  2:22   ` liuxixin
  2026-05-27  2:29     ` [PATCH v2 1/1] " liuxixin
  0 siblings, 1 reply; 19+ messages in thread
From: liuxixin @ 2026-05-27  2:22 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, linux-kernel

Hi Keith,

Thanks for the review. v2 uses the minimal bounds fix you suggested:
keep n = NUMFDPC + 1 and compare with >= instead of >.

The descriptor walk validation (dsze == 0 / past end of log) is unchanged
from v1.

## Test plan
- Build: make M=drivers/nvme -j12 (linux-next, verified)

- Repro/validation (lab):
  Tested on linux-next 7.1.0-rc4-next-20260521 with QEMU 8.2 nvme-subsys,fdp=on.
  With a single FDP configuration (NUMFDPC field 0), forcing fdpcidx=1 triggers
  FDP invalid config descriptor list on the unfixed driver, while the fix
  rejects it early with FDP index:1 out of range:1 and skips stream
  registration.

Thanks,
liuxixin




* [PATCH v2 1/1] nvme: fix FDP configuration log parsing
  2026-05-27  2:22   ` [PATCH v2 0/1] " liuxixin
@ 2026-05-27  2:29     ` liuxixin
  2026-05-27  8:53       ` Nitesh Shetty
  2026-05-27 13:32       ` Christoph Hellwig
  0 siblings, 2 replies; 19+ messages in thread
From: liuxixin @ 2026-05-27  2:29 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, linux-kernel

	<cover.1779848573.git.gliuxen@gmail.com>
From: liuxixin <gliuxen@gmail.com>
Date: Wed, 27 May 2026 10:22:32 +0800
Subject: [PATCH v2 1/1] nvme: fix FDP configuration log parsing

The fdpcidx bounds check sets n = NUMFDPC + 1 but used > instead of >=,
incorrectly accepting fdp_idx when it equals n (i.e. NUMFDPC + 1).

Also validate descriptor sizes while walking the list so dsze == 0 or a
descriptor past the log end cannot cause unbounded iteration or reads past
the buffer.

Fixes: 30b5f20bb2ddab013035399e5c7e6577da49320a ("nvme: register fdp parameters with the block layer")

Signed-off-by: liuxixin <gliuxen@gmail.com>
---
 drivers/nvme/host/core.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index c3032d6ad..40e87b563 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2263,7 +2263,7 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	}
 
 	n = le16_to_cpu(h->numfdpc) + 1;
-	if (fdp_idx > n) {
+	if (fdp_idx >= n) {
 		dev_warn(ctrl->device, "FDP index:%d out of range:%d\n",
 			 fdp_idx, n);
 		/* Proceed without registering FDP streams */
@@ -2275,7 +2275,15 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	desc = log;
 	end = log + size - sizeof(*h);
 	for (i = 0; i < fdp_idx; i++) {
-		log += le16_to_cpu(desc->dsze);
+		u16 dsze = le16_to_cpu(desc->dsze);
+
+		if (!dsze || log + dsze > end) {
+			dev_warn(ctrl->device,
+				 "FDP invalid config descriptor at index %d\n", i);
+			ret = 0;
+			goto out;
+		}
+		log += dsze;
 		desc = log;
 		if (log >= end) {
 			dev_warn(ctrl->device,
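Review bot: `log + dsze > end` forms the out-of-range pointer before comparing it; with `log` and `end` being `void *` and `dsze` a `u16`, `dsze > end - log` expresses the same bound as a length comparison without ever computing a pointer beyond the buffer. As written the test also lets `log + dsze == end` through, which is exactly the case the `log >= end` test below still has to catch, so that second test cannot simply be dropped.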
-- 
2.43.0




* Re: [PATCH v2 1/1] nvme: fix FDP configuration log parsing
  2026-05-27  2:29     ` [PATCH v2 1/1] " liuxixin
@ 2026-05-27  8:53       ` Nitesh Shetty
  2026-05-27 13:32       ` Christoph Hellwig
  1 sibling, 0 replies; 19+ messages in thread
From: Nitesh Shetty @ 2026-05-27  8:53 UTC (permalink / raw)
  To: liuxixin; +Cc: linux-nvme, kbusch, axboe, hch, sagi, linux-kernel


On 27/05/26 10:29AM, liuxixin wrote:
>	<cover.1779848573.git.gliuxen@gmail.com>
>From: liuxixin <gliuxen@gmail.com>
>Date: Wed, 27 May 2026 10:22:32 +0800
>Subject: [PATCH v2 1/1] nvme: fix FDP configuration log parsing
>
>The fdpcidx bounds check sets n = NUMFDPC + 1 but used > instead of >=,
>incorrectly accepting fdp_idx when it equals n (i.e. NUMFDPC + 1).
>
>Also validate descriptor sizes while walking the list so dsze == 0 or a
>descriptor past the log end cannot cause unbounded iteration or reads past
>the buffer.
>
>Fixes: 30b5f20bb2ddab013035399e5c7e6577da49320a ("nvme: register fdp parameters with the block layer")
>
>Signed-off-by: liuxixin <gliuxen@gmail.com>

Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>





* Re: [PATCH v2 1/1] nvme: fix FDP configuration log parsing
  2026-05-27  2:29     ` [PATCH v2 1/1] " liuxixin
  2026-05-27  8:53       ` Nitesh Shetty
@ 2026-05-27 13:32       ` Christoph Hellwig
  2026-05-28  1:01         ` [PATCH v3 0/2] " liuxixin
  1 sibling, 1 reply; 19+ messages in thread
From: Christoph Hellwig @ 2026-05-27 13:32 UTC (permalink / raw)
  To: liuxixin; +Cc: linux-nvme, kbusch, axboe, hch, sagi, linux-kernel

On Wed, May 27, 2026 at 10:29:45AM +0800, liuxixin wrote:
> 	<cover.1779848573.git.gliuxen@gmail.com>
> From: liuxixin <gliuxen@gmail.com>
> Date: Wed, 27 May 2026 10:22:32 +0800
> Subject: [PATCH v2 1/1] nvme: fix FDP configuration log parsing
> 
> The fdpcidx bounds check sets n = NUMFDPC + 1 but used > instead of >=,
> incorrectly accepting fdp_idx when it equals n (i.e. NUMFDPC + 1).

Looks good.

> 
> Also validate descriptor sizes while walking the list so dsze == 0 or a
> descriptor past the log end cannot cause unbounded iteration or reads past
> the buffer.

Also looks good, although I would have split that into a separate
patch.

> Fixes: 30b5f20bb2ddab013035399e5c7e6577da49320a ("nvme: register fdp parameters with the block layer")

Please shorten the sha id to 12 characters, i.e:

Fixes: 30b5f20bb2dd ("nvme: register fdp parameters with the block layer")




* [PATCH v3 0/2] nvme: fix FDP configuration log parsing
  2026-05-27 13:32       ` Christoph Hellwig
@ 2026-05-28  1:01         ` liuxixin
  2026-05-28  1:43           ` [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check liuxixin
                             ` (2 more replies)
  0 siblings, 3 replies; 19+ messages in thread
From: liuxixin @ 2026-05-28  1:01 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, linux-kernel, gliuxen

Hi Christoph, Keith, Nitesh,

Thanks for the reviews on v2.

v3 splits the series as Christoph suggested:
  1/2 - fdpcidx bounds check (>= instead of >), with Fixes tag
  2/2 - validate descriptor sizes while walking the log

1/2 also applies Keith's suggestion to use >= while keeping n = NUMFDPC + 1.
Uses a 12-character Fixes commit id per Christoph's feedback, and includes
Nitesh's Reviewed-by tags on both patches.

## Test plan
- Build: make M=drivers/nvme -j12 (linux-next, verified)

- QEMU (fdp-lab, tested as one patch before this split): linux-next 7.1-rc4,
  QEMU 8.2 nvme-subsys,fdp=on; fdpcidx=1 / NUMFDPC 0 - unfixed: invalid
  descriptor list; fixed: FDP index:1 out of range:1.  v3 splits commits only;
  no functional change, no re-test.

Thanks,
liuxixin




* [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check
  2026-05-28  1:01         ` [PATCH v3 0/2] " liuxixin
@ 2026-05-28  1:43           ` liuxixin
  2026-05-28  8:30             ` Christoph Hellwig
  2026-05-28  1:43           ` [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes liuxixin
  2026-05-28 10:00           ` [PATCH v4 0/2] nvme: fix FDP configuration log parsing liuxixin
  2 siblings, 1 reply; 19+ messages in thread
From: liuxixin @ 2026-05-28  1:43 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, linux-kernel, gliuxen

	<cover.1779930057.git.gliuxen@gmail.com>
From: liuxixin <gliuxen@gmail.com>
Date: Thu, 28 May 2026 09:00:36 +0800
Subject: [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check

The fdpcidx bounds check sets n = NUMFDPC + 1 but used > instead of >=,
incorrectly accepting fdp_idx when it equals n (i.e. NUMFDPC + 1).

Fixes: 30b5f20bb2dd ("nvme: register fdp parameters with the block layer")
Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
Signed-off-by: liuxixin <gliuxen@gmail.com>
---
 drivers/nvme/host/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index c3032d6ad..766157ba6 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2263,7 +2263,7 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	}
 
 	n = le16_to_cpu(h->numfdpc) + 1;
-	if (fdp_idx > n) {
+	if (fdp_idx >= n) {
 		dev_warn(ctrl->device, "FDP index:%d out of range:%d\n",
 			 fdp_idx, n);
 		/* Proceed without registering FDP streams */
-- 
2.43.0




* [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes
  2026-05-28  1:01         ` [PATCH v3 0/2] " liuxixin
  2026-05-28  1:43           ` [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check liuxixin
@ 2026-05-28  1:43           ` liuxixin
  2026-05-28  8:30             ` Christoph Hellwig
  2026-05-28 10:00           ` [PATCH v4 0/2] nvme: fix FDP configuration log parsing liuxixin
  2 siblings, 1 reply; 19+ messages in thread
From: liuxixin @ 2026-05-28  1:43 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, linux-kernel, gliuxen

	<cover.1779930057.git.gliuxen@gmail.com>
From: liuxixin <gliuxen@gmail.com>
Date: Thu, 28 May 2026 09:00:37 +0800
Subject: [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes

Validate descriptor sizes while walking the FDP configurations log so
dsze == 0 or a descriptor past the log end cannot cause unbounded
iteration or reads past the buffer.

Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
Signed-off-by: liuxixin <gliuxen@gmail.com>
---
 drivers/nvme/host/core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 766157ba6..40e87b563 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2275,7 +2275,15 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	desc = log;
 	end = log + size - sizeof(*h);
 	for (i = 0; i < fdp_idx; i++) {
-		log += le16_to_cpu(desc->dsze);
+		u16 dsze = le16_to_cpu(desc->dsze);
+
+		if (!dsze || log + dsze > end) {
+			dev_warn(ctrl->device,
+				 "FDP invalid config descriptor at index %d\n", i);
+			ret = 0;
+			goto out;
+		}
+		log += dsze;
 		desc = log;
 		if (log >= end) {
 			dev_warn(ctrl->device,
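Review bot: the first iteration reads `desc->dsze` at `log` before anything in this hunk has verified that `end - log >= sizeof(*desc)`; `end` is computed from `size`, which this hunk never compares against `sizeof(*desc)`, so a log too short to hold one descriptor leaves that first read unchecked. A guard before the loop, `if (end - log < sizeof(*desc))`, closes that, and repeating the same `end - log` test after each advance would also cover the `desc->nrg` read after the loop.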
-- 
2.43.0




* Re: [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check
  2026-05-28  1:43           ` [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check liuxixin
@ 2026-05-28  8:30             ` Christoph Hellwig
  0 siblings, 0 replies; 19+ messages in thread
From: Christoph Hellwig @ 2026-05-28  8:30 UTC (permalink / raw)
  To: liuxixin; +Cc: linux-nvme, kbusch, axboe, hch, sagi, linux-kernel

On Thu, May 28, 2026 at 09:43:24AM +0800, liuxixin wrote:
> 	<cover.1779930057.git.gliuxen@gmail.com>
> From: liuxixin <gliuxen@gmail.com>
> Date: Thu, 28 May 2026 09:00:36 +0800
> Subject: [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check

Somehow the mail format got messed up here.

Either way, the patch itself looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>




* Re: [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes
  2026-05-28  1:43           ` [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes liuxixin
@ 2026-05-28  8:30             ` Christoph Hellwig
  0 siblings, 0 replies; 19+ messages in thread
From: Christoph Hellwig @ 2026-05-28  8:30 UTC (permalink / raw)
  To: liuxixin; +Cc: linux-nvme, kbusch, axboe, hch, sagi, linux-kernel

On Thu, May 28, 2026 at 09:43:26AM +0800, liuxixin wrote:
> 	<cover.1779930057.git.gliuxen@gmail.com>
> From: liuxixin <gliuxen@gmail.com>
> Date: Thu, 28 May 2026 09:00:37 +0800
> Subject: [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes

Same formatting issue as the last one.

The patch itself looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>




* [PATCH v4 0/2] nvme: fix FDP configuration log parsing
  2026-05-28  1:01         ` [PATCH v3 0/2] " liuxixin
  2026-05-28  1:43           ` [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check liuxixin
  2026-05-28  1:43           ` [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes liuxixin
@ 2026-05-28 10:00           ` liuxixin
  2026-05-28 10:00             ` [PATCH v4 1/2] nvme: fix FDP fdpcidx bounds check liuxixin
  2026-05-28 10:00             ` [PATCH v4 2/2] nvme: validate FDP configuration descriptor sizes liuxixin
  2 siblings, 2 replies; 19+ messages in thread
From: liuxixin @ 2026-05-28 10:00 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, linux-kernel, gliuxen

Hi Christoph, Keith, Nitesh,

v4 is a re-spin of v3 with no functional changes.  Fixes the garbled
mail format on v3 and adds Christoph's Reviewed-by tags on both patches
(v3 already had Nitesh's Reviewed-by).

## Test plan
- Build: make M=drivers/nvme -j12 (linux-next, verified)

- QEMU (fdp-lab, tested as one patch before this split): linux-next 7.1-rc4,
  QEMU 8.2 nvme-subsys,fdp=on; fdpcidx=1 / NUMFDPC 0 - unfixed: invalid
  descriptor list; fixed: FDP index:1 out of range:1.  v4 is tag/format
  only; no re-test.

Thanks,
liuxixin




* [PATCH v4 1/2] nvme: fix FDP fdpcidx bounds check
  2026-05-28 10:00           ` [PATCH v4 0/2] nvme: fix FDP configuration log parsing liuxixin
@ 2026-05-28 10:00             ` liuxixin
  2026-06-02 12:27               ` Keith Busch
  2026-05-28 10:00             ` [PATCH v4 2/2] nvme: validate FDP configuration descriptor sizes liuxixin
  1 sibling, 1 reply; 19+ messages in thread
From: liuxixin @ 2026-05-28 10:00 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, linux-kernel, gliuxen

The fdpcidx bounds check sets n = NUMFDPC + 1 but used > instead of >=,
incorrectly accepting fdp_idx when it equals n (i.e. NUMFDPC + 1).

Fixes: 30b5f20bb2dd ("nvme: register fdp parameters with the block layer")
Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: liuxixin <gliuxen@gmail.com>
---
 drivers/nvme/host/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index c3032d6ad..766157ba6 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2263,7 +2263,7 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	}
 
 	n = le16_to_cpu(h->numfdpc) + 1;
-	if (fdp_idx > n) {
+	if (fdp_idx >= n) {
 		dev_warn(ctrl->device, "FDP index:%d out of range:%d\n",
 			 fdp_idx, n);
 		/* Proceed without registering FDP streams */
-- 
2.43.0




* [PATCH v4 2/2] nvme: validate FDP configuration descriptor sizes
  2026-05-28 10:00           ` [PATCH v4 0/2] nvme: fix FDP configuration log parsing liuxixin
  2026-05-28 10:00             ` [PATCH v4 1/2] nvme: fix FDP fdpcidx bounds check liuxixin
@ 2026-05-28 10:00             ` liuxixin
  2026-06-02 12:19               ` Keith Busch
  1 sibling, 1 reply; 19+ messages in thread
From: liuxixin @ 2026-05-28 10:00 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, linux-kernel, gliuxen

Validate descriptor sizes while walking the FDP configurations log so
dsze == 0 or a descriptor past the log end cannot cause unbounded
iteration or reads past the buffer.

Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: liuxixin <gliuxen@gmail.com>
---
 drivers/nvme/host/core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 766157ba6..40e87b563 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2275,7 +2275,15 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	desc = log;
 	end = log + size - sizeof(*h);
 	for (i = 0; i < fdp_idx; i++) {
-		log += le16_to_cpu(desc->dsze);
+		u16 dsze = le16_to_cpu(desc->dsze);
+
+		if (!dsze || log + dsze > end) {
+			dev_warn(ctrl->device,
+				 "FDP invalid config descriptor at index %d\n", i);
+			ret = 0;
+			goto out;
+		}
+		log += dsze;
 		desc = log;
 		if (log >= end) {
 			dev_warn(ctrl->device,
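Review bot: the two tests in this loop are not equivalent, so the `log >= end` test after the advance should stay, or the new test should be tightened, rather than being treated as redundant: `log + dsze > end` accepts `log + dsze == end`, after which `desc == end` and the next `desc->dsze` read, or the `desc->nrg` read after the loop, touches memory past the log buffer; only the `log >= end` test stops that. If one check is to go, make the remaining post-advance test `if (end - log < sizeof(*desc))`, which rejects both `desc == end` and a trailing partial descriptor.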
-- 
2.43.0




* Re: [PATCH v4 2/2] nvme: validate FDP configuration descriptor sizes
  2026-05-28 10:00             ` [PATCH v4 2/2] nvme: validate FDP configuration descriptor sizes liuxixin
@ 2026-06-02 12:19               ` Keith Busch
  2026-06-02 14:00                 ` [PATCH v5 0/1] " liuxixin
  0 siblings, 1 reply; 19+ messages in thread
From: Keith Busch @ 2026-06-02 12:19 UTC (permalink / raw)
  To: liuxixin; +Cc: linux-nvme, axboe, hch, sagi, linux-kernel

On Thu, May 28, 2026 at 06:00:02PM +0800, liuxixin wrote:
> @@ -2275,7 +2275,15 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
>  	desc = log;
>  	end = log + size - sizeof(*h);
>  	for (i = 0; i < fdp_idx; i++) {
> -		log += le16_to_cpu(desc->dsze);
> +		u16 dsze = le16_to_cpu(desc->dsze);
> +
> +		if (!dsze || log + dsze > end) {
> +			dev_warn(ctrl->device,
> +				 "FDP invalid config descriptor at index %d\n", i);
> +			ret = 0;
> +			goto out;
> +		}
> +		log += dsze;
>  		desc = log;
>  		if (log >= end) {
>  			dev_warn(ctrl->device,

I think you can delete this "log >= end" check now that you added the
same check right above.



* Re: [PATCH v4 1/2] nvme: fix FDP fdpcidx bounds check
  2026-05-28 10:00             ` [PATCH v4 1/2] nvme: fix FDP fdpcidx bounds check liuxixin
@ 2026-06-02 12:27               ` Keith Busch
  0 siblings, 0 replies; 19+ messages in thread
From: Keith Busch @ 2026-06-02 12:27 UTC (permalink / raw)
  To: liuxixin; +Cc: linux-nvme, axboe, hch, sagi, linux-kernel

On Thu, May 28, 2026 at 06:00:01PM +0800, liuxixin wrote:
> The fdpcidx bounds check sets n = NUMFDPC + 1 but used > instead of >=,
> incorrectly accepting fdp_idx when it equals n (i.e. NUMFDPC + 1).

Thanks, applied patch 1 to nvme-7.2.

Take a look at my comment on patch 2 and let me know if we should wait for
a new version for that one.



* [PATCH v5 0/1] nvme: validate FDP configuration descriptor sizes
  2026-06-02 12:19               ` Keith Busch
@ 2026-06-02 14:00                 ` liuxixin
  2026-06-02 14:00                   ` [PATCH v5 1/1] " liuxixin
  0 siblings, 1 reply; 19+ messages in thread
From: liuxixin @ 2026-06-02 14:00 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, nj.shetty, linux-kernel, gliuxen

Hi Keith,

Thanks for applying v4 1/2 to nvme-7.2.

v5 is only the descriptor-size validation patch, with your feedback on
v4 2/2: remove the redundant "log >= end" check inside the walk loop
now that dsze is validated before advancing.

## Test plan
- Build: make M=drivers/nvme -j$(nproc) (linux-next)
- fdp-lab: dsze==0 / walk past end -> "FDP invalid config descriptor at
  index %d" (see fdp-lab/TEST-FDP-BOUNDS.md)

Thanks,
liuxixin




* [PATCH v5 1/1] nvme: validate FDP configuration descriptor sizes
  2026-06-02 14:00                 ` [PATCH v5 0/1] " liuxixin
@ 2026-06-02 14:00                   ` liuxixin
  2026-06-03  9:42                     ` Keith Busch
  0 siblings, 1 reply; 19+ messages in thread
From: liuxixin @ 2026-06-02 14:00 UTC (permalink / raw)
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, nj.shetty, linux-kernel, gliuxen

Validate descriptor sizes while walking the FDP configurations log so
dsze == 0 or a descriptor past the log end cannot cause unbounded
iteration or reads past the buffer.

Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: liuxixin <gliuxen@gmail.com>
---
 drivers/nvme/host/core.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 766157ba6..48633a8bb 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2275,14 +2275,16 @@ static int nvme_query_fdp_granularity(struct nvme_ctrl *ctrl,
 	desc = log;
 	end = log + size - sizeof(*h);
 	for (i = 0; i < fdp_idx; i++) {
-		log += le16_to_cpu(desc->dsze);
-		desc = log;
-		if (log >= end) {
+		u16 dsze = le16_to_cpu(desc->dsze);
+
+		if (!dsze || log + dsze > end) {
 			dev_warn(ctrl->device,
-				 "FDP invalid config descriptor list\n");
+				 "FDP invalid config descriptor at index %d\n", i);
 			ret = 0;
 			goto out;
 		}
+		log += dsze;
+		desc = log;
 	}
 
 	if (le32_to_cpu(desc->nrg) > 1) {
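Review bot: dropping the `log >= end` test reintroduces a one-past-the-end read: `log + dsze > end` rejects a descriptor only when it extends strictly beyond `end`, so a descriptor whose `dsze` ends exactly at `end` advances `desc` to `end`, and the `le32_to_cpu(desc->nrg)` read immediately after the loop (or the next iteration's `desc->dsze`) is outside the buffer. Keep a post-advance check, tightened to the whole descriptor, `if (end - log < sizeof(*desc))`, and for the same reason replace `!dsze` with `dsze < sizeof(*desc)` so a tiny `dsze` cannot land `desc` on a partial record.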
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 19+ messages in thread
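The descriptor walk described in the commit message above, and in the v1 posting at the top of the thread, as an added user-space example (not code from this thread or from the kernel): it applies the 0-based NUMFDPC bound, a lower and an upper bound on DSZE, and a fixed-size check before every descriptor read, including the descriptor the walk stops on, then runs it against constructed logs for the cases the thread names (DSZE 0, a descriptor past the log end) plus a DSZE smaller than a descriptor and a list that ends exactly at the buffer end. The 16-byte header, the 64-byte fixed descriptor part and the NRG offset are assumptions of this example taken from the FDP Configurations log layout; `fdp_lookup_nrg`, `build_log`, `run_case` and the `CASE_*` names are the example's own.

```c
/*
 * Added example, not kernel code: a user-space model of the descriptor walk
 * in nvme_query_fdp_granularity() with the checks this thread converges on.
 * Layout (16-byte header starting with NUMFDPC; 64-byte fixed descriptor
 * part starting with DSZE, NRG at offset 4) is this example's assumption.
 */
#include <stdint.h>
#include <string.h>

#define FDP_HDR_SIZE     16u
#define FDP_DESC_FIXED   64u
#define FDP_DESC_NRG_OFF 4u

enum fdp_status { FDP_OK = 0, FDP_SHORT_LOG, FDP_IDX_OOR, FDP_BAD_DESC };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/*
 * NRG of descriptor fdp_idx.  The index must be <= NUMFDPC (a 0-based count);
 * each descriptor's fixed part must fit in the buffer before it is read,
 * including the one the walk stops on; DSZE must be >= the fixed part (so 0
 * cannot stall the walk) and must not reach past the end of the buffer.
 */
enum fdp_status fdp_lookup_nrg(const uint8_t *log, size_t size,
			       unsigned fdp_idx, uint32_t *nrg, unsigned *bad_idx)
{
	if (size < FDP_HDR_SIZE)
		return FDP_SHORT_LOG;
	if (fdp_idx >= get_le16(log) + 1u)	/* NUMFDPC + 1 descriptors */
		return FDP_IDX_OOR;
	const uint8_t *p = log + FDP_HDR_SIZE, *end = log + size;
	for (unsigned i = 0; ; i++) {
		if ((size_t)(end - p) < FDP_DESC_FIXED) {
			*bad_idx = i;	/* descriptor i is (partly) past end */
			return FDP_BAD_DESC;
		}
		if (i == fdp_idx)
			break;
		uint16_t dsze = get_le16(p);
		if (dsze < FDP_DESC_FIXED || dsze > (size_t)(end - p)) {
			*bad_idx = i;	/* DSZE 0, too small, or past end */
			return FDP_BAD_DESC;
		}
		p += dsze;		/* stays within [p, end] */
	}
	*nrg = get_le32(p + FDP_DESC_NRG_OFF);
	return FDP_OK;
}

/* Constructed sample log (not from a device): header claiming NUMFDPC, then ndesc
 * descriptors whose DSZE field is dsze[i] but which actually occupy present[i]
 * bytes (>= 8), so a controller that lies about sizes can be modelled. */
static size_t build_log(uint8_t *buf, uint16_t numfdpc, size_t ndesc,
			const uint16_t *dsze, const size_t *present, const uint32_t *nrg)
{
	size_t off = FDP_HDR_SIZE;
	memset(buf, 0, FDP_HDR_SIZE);
	put_le16(buf, numfdpc);
	for (size_t i = 0; i < ndesc; i++) {
		memset(buf + off, 0, present[i]);
		put_le16(buf + off, dsze[i]);
		put_le32(buf + off + FDP_DESC_NRG_OFF, nrg[i]);
		off += present[i];
	}
	put_le32(buf + 4, (uint32_t)off);	/* header's size field */
	return off;
}

enum fdp_case {
	CASE_VALID,	 /* desc0 DSZE 72 (two RUH entries), desc1 DSZE 64 */
	CASE_DSZE_ZERO,	 /* desc0 DSZE 0: the unfixed walk never advances */
	CASE_DSZE_HUGE,	 /* desc0 DSZE 4096: the unfixed walk reads past the log */
	CASE_DSZE_SMALL, /* desc0 DSZE 8: desc1 would overlap desc0's body */
	CASE_TRUNCATED,	 /* NUMFDPC 1 but only desc0 present: desc1 == end */
};

/* Build one case with NUMFDPC = 1 and look up fdp_idx in it. */
enum fdp_status run_case(enum fdp_case c, unsigned fdp_idx, uint32_t *nrg, unsigned *bad_idx)
{
	uint8_t buf[256];
	uint16_t dsze[2] = { 72, 64 };
	size_t present[2] = { 72, 64 }, ndesc = 2;
	uint32_t nrgv[2] = { 1, 3 };
	switch (c) {
	case CASE_DSZE_ZERO:  dsze[0] = 0; break;
	case CASE_DSZE_HUGE:  dsze[0] = 4096; break;
	case CASE_DSZE_SMALL: dsze[0] = 8; break;
	case CASE_TRUNCATED:  ndesc = 1; break;
	default: break;
	}
	return fdp_lookup_nrg(buf, build_log(buf, 1, ndesc, dsze, present, nrgv),
			      fdp_idx, nrg, bad_idx);
}
```

`run_case()` builds each log in memory and returns the status, so every case can be checked from a harness; `CASE_TRUNCATED` is the one where descriptor 0 ends exactly at the buffer end, and it is the fixed-size check at the top of the loop, not the DSZE comparison, that rejects index 1 there.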

* Re: [PATCH v5 1/1] nvme: validate FDP configuration descriptor sizes
  2026-06-02 14:00                   ` [PATCH v5 1/1] " liuxixin
@ 2026-06-03  9:42                     ` Keith Busch
  0 siblings, 0 replies; 19+ messages in thread
From: Keith Busch @ 2026-06-03  9:42 UTC (permalink / raw)
  To: liuxixin; +Cc: linux-nvme, axboe, hch, sagi, nj.shetty, linux-kernel

On Tue, Jun 02, 2026 at 10:00:01PM +0800, liuxixin wrote:
> Validate descriptor sizes while walking the FDP configurations log so
> dsze == 0 or a descriptor past the log end cannot cause unbounded
> iteration or reads past the buffer.

Thanks, applied to nvme-7.2.



Thread overview: 19+ messages
2026-05-26  7:52 [PATCH v1 1/1] nvme: fix FDP configuration log parsing liuxixin
2026-05-26 14:41 ` Keith Busch
2026-05-27  2:22   ` [PATCH v2 0/1] " liuxixin
2026-05-27  2:29     ` [PATCH v2 1/1] " liuxixin
2026-05-27  8:53       ` Nitesh Shetty
2026-05-27 13:32       ` Christoph Hellwig
2026-05-28  1:01         ` [PATCH v3 0/2] " liuxixin
2026-05-28  1:43           ` [PATCH v3 1/2] nvme: fix FDP fdpcidx bounds check liuxixin
2026-05-28  8:30             ` Christoph Hellwig
2026-05-28  1:43           ` [PATCH v3 2/2] nvme: validate FDP configuration descriptor sizes liuxixin
2026-05-28  8:30             ` Christoph Hellwig
2026-05-28 10:00           ` [PATCH v4 0/2] nvme: fix FDP configuration log parsing liuxixin
2026-05-28 10:00             ` [PATCH v4 1/2] nvme: fix FDP fdpcidx bounds check liuxixin
2026-06-02 12:27               ` Keith Busch
2026-05-28 10:00             ` [PATCH v4 2/2] nvme: validate FDP configuration descriptor sizes liuxixin
2026-06-02 12:19               ` Keith Busch
2026-06-02 14:00                 ` [PATCH v5 0/1] " liuxixin
2026-06-02 14:00                   ` [PATCH v5 1/1] " liuxixin
2026-06-03  9:42                     ` Keith Busch
