Date: Wed, 11 Feb 2026 17:08:59 +0100
From: Christoph Hellwig
To: YunJe Shin
Cc: Hannes Reinecke, Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni, Keith Busch, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, ioerts@kookmin.ac.kr
Subject: Re: [PATCH] nvmet fabrics-cmd-auth.c : validate negotiate payload length(KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090)
Message-ID: <20260211160859.GA11869@lst.de>
References: <20260211055036.2675866-1-ioerts@kookmin.ac.kr>
In-Reply-To: <20260211055036.2675866-1-ioerts@kookmin.ac.kr>

On Wed, Feb 11, 2026 at 02:50:03PM +0900, YunJe Shin wrote:
> < snip>

Please don't spam the commit message with the entire backtrace.

> index 5946681cb0e3..2bcee44b3395 100644
> --- a/drivers/nvme/target/fabrics-cmd-auth.c
> +++ b/drivers/nvme/target/fabrics-cmd-auth.c
> @@ -289,6 +289,15 @@ void nvmet_execute_auth_send(struct nvmet_req *req) > goto done_failure1; > if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) { > if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) { > + size_t min_len = sizeof(struct nvmf_auth_dhchap_negotiate_data) + > + sizeof(struct nvmf_auth_dhchap_protocol_descriptor);

This should be using struct_size. And all of this is way too long, please use the chance to split this out into a helper:

	if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
		if (!nvmet_restart_dhchap_auth(req))
			goto done_kfree;
	} else if (data->auth_id != req->sq->dhchap_step)
	case struct_

> + > + if (tl < min_len) { > + status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR; > + req->error_loc = > + offsetof(struct nvmf_auth_send_command, tl); > + goto done_kfree; > + }

None of the functions here uses nvme error returns, but instead uses dhchap_status. Should this be NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead? (not really an expert on the dhchap status conventions, maybe someone else can chime in)
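Review bot: the min_len computed at the top of the hunk only guarantees room for a single nvmf_auth_dhchap_protocol_descriptor, so a negotiate message that announces more descriptors than tl actually carries still passes `if (tl < min_len)`; if the negotiate data ends in a flexible array of descriptors (which is what the struct_size() suggestion implies), the bound should be derived from the descriptor count the message carries, and that comparison must run before any code walks the descriptors. A one-line comment above the check saying which field of the message drove the out-of-bounds read would also make the intent clearer than the backtrace does.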
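To illustrate the point raised about struct_size, here is an added user-space model of the length check (example code, not the patch's or the kernel's own): it bounds a count-prefixed message against the number of trailing descriptors it announces rather than against a fixed one-descriptor minimum. The struct layouts, the field name napd and the helper names are hypothetical stand-ins for the negotiate data and descriptor types named in the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the negotiate layout: a fixed 8-byte header
 * whose napd field says how many 16-byte protocol descriptors follow. */
struct proto_desc { uint8_t authid, rsvd, halen, dhlen, idlist[12]; };
struct negotiate_hdr {
	uint8_t auth_type, auth_id;
	uint16_t rsvd2, t_id;
	uint8_t sc_c, napd;
	struct proto_desc desc[];	/* napd entries */
};

enum { NEG_OK = 0, NEG_TOO_SHORT = 1 };

/* Same role as the kernel's struct_size(): header plus n descriptors,
 * returning 0 instead of wrapping on overflow. */
static size_t negotiate_size(size_t n)
{
	size_t per = sizeof(struct proto_desc);
	if (n > (SIZE_MAX - sizeof(struct negotiate_hdr)) / per)
		return 0;
	return sizeof(struct negotiate_hdr) + n * per;
}

/* Bound a received buffer of tl bytes before any descriptor is read: napd
 * itself must lie inside the buffer, and so must every descriptor it announces. */
static int validate_negotiate(const uint8_t *buf, size_t tl)
{
	uint8_t napd;
	size_t need;
	if (tl < sizeof(struct negotiate_hdr))
		return NEG_TOO_SHORT;
	memcpy(&napd, buf + offsetof(struct negotiate_hdr, napd), 1);
	need = negotiate_size(napd);
	if (need == 0 || tl < need)
		return NEG_TOO_SHORT;
	return NEG_OK;
}

/* Constructed sample: zeroed 64-byte message with the given napd, presented
 * as tl bytes long (tl may be less than the buffer, as on the wire). */
static int check_sample(uint8_t napd, size_t tl)
{
	uint8_t buf[64] = { 0 };
	buf[offsetof(struct negotiate_hdr, napd)] = napd;
	return validate_negotiate(buf, tl);
}
```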