From: sashiko-bot@kernel.org
To: kangfenglong <kangfenglong@huawei.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v2] nvme-pci: fix CMB mapping when CMBSZ Size field is zero
Date: Mon, 22 Jun 2026 01:28:40 +0000
Message-ID: <20260622012841.3BD061F000E9@smtp.kernel.org>
In-Reply-To: <20260622012147.40600-1-kangfenglong@huawei.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Returning 0 from `nvme_cmb_size_unit()` to reject invalid SZU values evaluates to a size of 0, bypassing the rejection and triggering the exact bug the patch attempts to fix.
--
commit efcd71708003c14038a1fdc79b6233cc4b6a8192
Author: kangfenglong <kangfenglong@huawei.com>
nvme-pci: fix CMB mapping when CMBSZ Size field is zero
This commit restores the check for a zero SZ field in the CMBSZ register,
limits the Size Units (SZU) to valid values, and adds an overflow check
when calculating the CMB size to avoid mapping errors.
> diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
> index e6267a6aa3801..2794298aa9e66 100644
> --- a/drivers/nvme/host/pci.c
> +++ b/drivers/nvme/host/pci.c
> @@ -1814,6 +1814,9 @@ static u64 nvme_cmb_size_unit(struct nvme_dev *dev)
> {
> u8 szu = (dev->cmbsz >> NVME_CMBSZ_SZU_SHIFT) & NVME_CMBSZ_SZU_MASK;
>
> + if (szu > 6)
> + return 0;
> +
[Severity: High]
If this boundary check returns 0 to reject an invalid SZU value, will this
0 value be used in subsequent calculations rather than triggering an abort?
> return 1ULL << (12 + 4 * szu);
> }
>
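Review bot: the `return 0` at lines 25-26 works as a sentinel only because `1ULL << (12 + 4 * szu)` can never be zero for the accepted szu range, yet nothing in this hunk states that contract, and the second hunk shows two call sites (the `check_mul_overflow()` argument and the `offset` computation) that consume the return value without testing it; either have the caller reject a 0 result before using it, or add a comment above the function saying that 0 means an invalid SZU and must be checked. The bare `6` would also read better as a named constant, or at least a comment saying it is the largest SZU encoding the spec defines, so the bound is traceable.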
> @@ -1838,9 +1841,12 @@ static void nvme_map_cmb(struct nvme_dev *dev)
> dev->cmbsz = readl(dev->bar + NVME_REG_CMBSZ);
> if (!dev->cmbsz)
> return;
> + if (!nvme_cmb_size(dev))
> + return;
> dev->cmbloc = readl(dev->bar + NVME_REG_CMBLOC);
>
> - size = nvme_cmb_size_unit(dev) * nvme_cmb_size(dev);
> + if (check_mul_overflow(nvme_cmb_size_unit(dev), nvme_cmb_size(dev), &size))
> + return;
> offset = nvme_cmb_size_unit(dev) * NVME_CMB_OFST(dev->cmbloc);
> bar = NVME_CMB_BIR(dev->cmbloc);
> bar_size = pci_resource_len(pdev, bar);
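Review bot: the `offset` computation at line 45 still does an unchecked multiply with `nvme_cmb_size_unit(dev)` while the `size` computation one line earlier was converted to `check_mul_overflow()`; with an invalid SZU both products silently become 0, and a large `NVME_CMB_OFST()` value can overflow `offset` the same way `size` could. Suggest calling `nvme_cmb_size_unit()` once into a local, returning early when it is 0, and applying `check_mul_overflow()` to `offset` too, e.g.:

	unit = nvme_cmb_size_unit(dev);
	if (!unit || check_mul_overflow(unit, nvme_cmb_size(dev), &size))
		return;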
[Severity: High]
If nvme_cmb_size_unit() returned 0, won't check_mul_overflow() compute
0 * sz = 0, return false (no overflow), and set size = 0 without returning
early?
Because size evaluates to 0, execution continues, and later in the function
pci_p2pdma_add_resource() will be called with size=0 and offset=0.
As noted in the commit message, calling pci_p2pdma_add_resource() with size=0
causes the P2PDMA subsystem to default to mapping the entire remaining BAR.
Does this defeat the SZU boundary check above and re-trigger the exact memory
mapping warning this patch is attempting to fix?
Should nvme_map_cmb() explicitly check if nvme_cmb_size_unit() == 0 or if the
resulting size == 0 before continuing?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260622012147.40600-1-kangfenglong@huawei.com?part=1