From: sashiko-bot@kernel.org
To: kangfenglong <kangfenglong@huawei.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH] nvme-pci: fix CMB mapping when CMBSZ Size field is zero
Date: Thu, 18 Jun 2026 08:39:13 +0000 [thread overview]
Message-ID: <20260618083914.3873C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260618082616.20656-1-kangfenglong@huawei.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] A 64-bit shift overflow in `nvme_cmb_size_unit()` causes undefined behavior and integer overflow, allowing a malicious device or surprise removal to bypass the patch's zero-size check.
--
commit cff061918a7d037b79313b9dd26c4235a518f58f
Author: kangfenglong <kangfenglong@huawei.com>
nvme-pci: fix CMB mapping when CMBSZ Size field is zero
This commit restores a check for a zero SZ field to verify the controller
actually has a CMB before proceeding with mapping. This prevents size
from defaulting to the entire remaining BAR and triggering memory
hotplug alignment warnings.
> diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
> index e6267a6aa3801..14f0f141df5bb 100644
> --- a/drivers/nvme/host/pci.c
> +++ b/drivers/nvme/host/pci.c
> @@ -1838,6 +1838,8 @@ static void nvme_map_cmb(struct nvme_dev *dev)
> dev->cmbsz = readl(dev->bar + NVME_REG_CMBSZ);
> if (!dev->cmbsz)
> return;
> + if (!nvme_cmb_size(dev))
> + return;
> dev->cmbloc = readl(dev->bar + NVME_REG_CMBLOC);
>
> size = nvme_cmb_size_unit(dev) * nvme_cmb_size(dev);
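Review bot: the new `if (!nvme_cmb_size(dev)) return;` guards only the SZ field, while the unchanged `size = nvme_cmb_size_unit(dev) * nvme_cmb_size(dev);` line still derives the unit from SZU without any upper bound, and `nvme_cmb_size_unit()` (quoted below as `return 1ULL << (12 + 4 * szu);`) shifts past 64 bits for SZU >= 13; consider rejecting out-of-range SZU values and checking the product for wrap (for example with check_mul_overflow()) before `size` reaches the mapping path, since a zero or truncated size would otherwise slip past the check this patch adds. The commit message also says the check is "restored" but names no commit that dropped it; a Fixes: tag pointing at that commit would document the regression and let the fix be backported.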
[Severity: High]
This is a pre-existing issue, but could this multiplication still silently
overflow to zero and bypass the new zero-size check?
If a device advertises a Size Units (SZU) of 12 and a Size (SZ) of 16,
nvme_cmb_size_unit() calculates 1ULL << 60. The multiplication here
then becomes (1ULL << 60) * 16, which mathematically equals 1ULL << 64.
This wraps around to exactly 0 in a 64-bit unsigned integer. Since SZ is 16,
the new nvme_cmb_size(dev) check is passed, but size still becomes 0,
potentially triggering the same pci_p2pdma_add_resource() issue this
patch aims to fix.
Additionally, if the PCIe device is surprise-removed, readl() returns
0xFFFFFFFF, resulting in SZU = 15. The shift calculation in
nvme_cmb_size_unit():
return 1ULL << (12 + 4 * szu);
evaluates to 1ULL << 72. This is undefined behavior and can result in an
unaligned size being passed down.
Does this calculation need further bounds checking or validation to handle
integer overflows and surprise removals?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260618082616.20656-1-kangfenglong@huawei.com?part=1
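The two failure modes the review describes, as an added stand-alone C example that is not code from the patch or from the kernel: `cmb_size_unchecked()` mirrors the quoted arithmetic (unit = 1ULL << (12 + 4 * szu), size = unit * sz) and shows the product wrapping to exactly 0 for SZU=12, SZ=16; `cmb_size_checked()` is a hypothetical hardened variant that rejects a zero register, a zero SZ, the all-ones value a surprise-removed device reads back, any SZU whose shift would leave 64 bits, and any product that would wrap. The CMBSZ field layout (SZU in bits 11:8, SZ in bits 31:12) follows the NVMe specification, but the macro names, `make_cmbsz()` and the sample register values are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * CMBSZ field layout per the NVMe specification: SZU in bits 11:8,
 * SZ in bits 31:12. Macro names are this example's own, not the
 * kernel's NVME_CMBSZ_* definitions.
 */
#define CMBSZ_SZU_SHIFT 8
#define CMBSZ_SZU_MASK  0xfu
#define CMBSZ_SZ_SHIFT  12
#define CMBSZ_SZ_MASK   0xfffffu

/* Largest SZU for which 1ULL << (12 + 4 * szu) stays within 64 bits. */
#define CMBSZ_SZU_MAX   12

/* Build a constructed CMBSZ register value from its SZU and SZ fields. */
static uint32_t make_cmbsz(unsigned szu, uint32_t sz)
{
	return ((szu & CMBSZ_SZU_MASK) << CMBSZ_SZU_SHIFT) |
	       ((sz & CMBSZ_SZ_MASK) << CMBSZ_SZ_SHIFT);
}

static unsigned cmbsz_szu(uint32_t cmbsz)
{
	return (cmbsz >> CMBSZ_SZU_SHIFT) & CMBSZ_SZU_MASK;
}

static uint32_t cmbsz_sz(uint32_t cmbsz)
{
	return (cmbsz >> CMBSZ_SZ_SHIFT) & CMBSZ_SZ_MASK;
}

/*
 * Mirrors the arithmetic the review quotes. Unsigned multiplication wraps
 * silently, so SZU=12, SZ=16 gives (1ULL << 60) * 16 == 0. Only call this
 * with SZU <= 12: a larger SZU makes the shift itself undefined behaviour,
 * which is the second problem the review raises.
 */
static uint64_t cmb_size_unchecked(uint32_t cmbsz)
{
	uint64_t unit = 1ULL << (12 + 4 * cmbsz_szu(cmbsz));

	return unit * cmbsz_sz(cmbsz);
}

/*
 * Hardened variant: returns 1 and stores the CMB size in bytes, or returns
 * 0 when the register does not describe a usable CMB. Rejects, in order:
 * a zero register (no CMB), the all-ones value read after surprise
 * removal, a zero SZ field, an SZU whose shift would leave 64 bits, and a
 * unit * sz product that would wrap.
 */
static int cmb_size_checked(uint32_t cmbsz, uint64_t *size)
{
	unsigned szu = cmbsz_szu(cmbsz);
	uint64_t sz = cmbsz_sz(cmbsz);
	uint64_t unit;

	if (cmbsz == 0 || cmbsz == 0xffffffffu)
		return 0;
	if (sz == 0 || szu > CMBSZ_SZU_MAX)
		return 0;
	unit = 1ULL << (12 + 4 * szu);
	if (sz > UINT64_MAX / unit)	/* unit * sz would exceed 2^64 - 1 */
		return 0;
	if (size)
		*size = unit * sz;
	return 1;
}

int main(void)
{
	/* Constructed register values covering the cases from the review. */
	const uint32_t cases[] = {
		make_cmbsz(2, 4),	/* ordinary: 4 units of 1 MiB */
		make_cmbsz(12, 16),	/* unit * sz wraps to exactly 0 */
		0xffffffffu,		/* surprise removal: SZU = 15 */
		make_cmbsz(3, 0),	/* SZ = 0: no CMB present */
	};
	size_t i;

	printf("unchecked SZU=12 SZ=16 -> %llu\n",
	       (unsigned long long)cmb_size_unchecked(make_cmbsz(12, 16)));
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint64_t size = 0;
		int ok = cmb_size_checked(cases[i], &size);

		printf("cmbsz=0x%08x szu=%u sz=%u -> %s %llu\n",
		       cases[i], cmbsz_szu(cases[i]), cmbsz_sz(cases[i]),
		       ok ? "accepted" : "rejected",
		       (unsigned long long)size);
	}
	return 0;
}
```

The bounds check on SZU must come before the shift is evaluated, not after: once the shift count reaches 64 the result is undefined, so no later comparison on `unit` can be relied upon. The product check uses a division against UINT64_MAX so the example compiles without compiler builtins; in kernel code the equivalent is check_mul_overflow().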