Re: [PATCH v3] nvme: core: reject invalid LBA data size from Identify Namespace

The Linux Kernel Mailing List
 help / color / mirror / Atom feed

From: Keith Busch <kbusch@kernel.org>
To: John Garry <john.g.garry@oracle.com>
Cc: Chao Shi <coshi036@gmail.com>, Jens Axboe <axboe@kernel.dk>,
	linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
	Christoph Hellwig <hch@lst.de>, Sagi Grimberg <sagi@grimberg.me>,
	Daniel Wagner <dwagner@suse.de>, Hannes Reinecke <hare@suse.de>,
	Maurizio Lombardi <mlombard@arkamax.eu>,
	Sungwoo Kim <iam@sung-woo.kim>, Dave Tian <daveti@purdue.edu>,
	Weidong Zhu <weizhu@fiu.edu>
Subject: Re: [PATCH v3] nvme: core: reject invalid LBA data size from Identify Namespace
Date: Tue, 2 Jun 2026 16:42:19 +0100	[thread overview]
Message-ID: <ah752_DIQdr_LHaB@kbusch-mbp> (raw)
In-Reply-To: <ah7znSpPM-H-ACaV@kbusch-mbp>

On Tue, Jun 02, 2026 at 04:15:41PM +0100, Keith Busch wrote:
> On Tue, Jun 02, 2026 at 02:10:07PM +0100, John Garry wrote:
> > On 15/05/2026 19:58, Chao Shi wrote:
> > > +	if (id->lbaf[lbaf].ds < SECTOR_SHIFT ||
> > > +	    check_shl_overflow(le64_to_cpu(id->nsze),> +			 id->lbaf[lbaf].ds -
> > SECTOR_SHIFT,
> > > +			       &capacity)) {
> > > +		dev_warn_once(ns->ctrl->device,
> > > +			"invalid LBA data size %u, skipping namespace\n",
> > > +			id->lbaf[lbaf].ds);
> > > +		ret = -ENODEV;
> > > +		goto out;
> > > +	}
> > 
> > JFYI, this is giving a C=1 warning:
> > 
> > drivers/nvme/host/core.c:2411:13: warning: unsigned value that used to  be signed checked against zero?
> > drivers/nvme/host/core.c:2411:13: signed value source
> > 
> > I can't seem to quieten it myself, though.
> > 
> > BTW, I would have thought that check_shl_overflow would catch
> > id->lbaf[lbaf].ds < SECTOR_SHIFT (so that we don't need the extra check).
> 
> I see it too. check_shl_overflow has checks that suggest it was
> expecting a signed type, as all the < 0 checks don't make sense for
> unsigned. The warning seems harmless, but I'd too like to see it
> suppressed.
> 
> I think it's odd that I'm not seeing a similar error for the similar
> usage in generic_check_addressable() from fs/libfs.c. They look the same
> to me with respect to the types passed in.

It appears that sparse is having trouble with the type provenance of a
__bitwise __le64 type. No idea why. As a test, I replaced the
le64_to_cpu() to a u64 type on stack initialized to a random ULL value
and the warning goes away. I say we can ignore the sparse warning, or we
can rewrite this to avoid the check_shl_overflow entirely.

---
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index cad9d97352615..6409a8218e3eb 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2372,8 +2372,8 @@ static int nvme_update_ns_info_block(struct nvme_ns *ns,
 	struct nvme_zone_info zi = {};
 	struct nvme_id_ns *id;
 	unsigned int memflags;
-	sector_t capacity;
-	unsigned lbaf;
+	unsigned lbaf, shift = 0;
+	u64 capacity, nsze;
 	int ret;
 
 	ret = nvme_identify_ns(ns->ctrl, info->nsid, &id);
@@ -2407,10 +2407,13 @@ static int nvme_update_ns_info_block(struct nvme_ns *ns,
 			goto out;
 	}
 
-	if (id->lbaf[lbaf].ds < SECTOR_SHIFT ||
-	    check_shl_overflow(le64_to_cpu(id->nsze),
-			       id->lbaf[lbaf].ds - SECTOR_SHIFT,
-			       &capacity)) {
+	nsze = le64_to_cpu(id->nsze);
+	if (id->lbaf[lbaf].ds >= SECTOR_SHIFT)
+		shift = id->lbaf[lbaf].ds - SECTOR_SHIFT;
+
+	if (shift < SECTOR_SHIFT || shift >= 64 || nsze > U64_MAX >> shift) {
 		dev_warn_once(ns->ctrl->device,
 			"invalid LBA data size %u, skipping namespace\n",
 			id->lbaf[lbaf].ds);
--

next prev parent reply	other threads:[~2026-06-02 15:42 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-15 18:58 [PATCH v3] nvme: core: reject invalid LBA data size from Identify Namespace Chao Shi
2026-05-20 19:33 ` Keith Busch
2026-06-02 13:10 ` John Garry
2026-06-02 15:15   ` Keith Busch
2026-06-02 15:42     ` Keith Busch [this message]
2026-06-02 16:18       ` John Garry
2026-06-03 10:08         ` John Garry

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:cad9d9735261 dfblob:6409a8218e3e )
 OR (
bs:"Re: [PATCH v3] nvme: core: reject invalid LBA data size from Identify Namespace" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ah752_DIQdr_LHaB@kbusch-mbp \
    --to=kbusch@kernel.org \
    --cc=axboe@kernel.dk \
    --cc=coshi036@gmail.com \
    --cc=daveti@purdue.edu \
    --cc=dwagner@suse.de \
    --cc=hare@suse.de \
    --cc=hch@lst.de \
    --cc=iam@sung-woo.kim \
    --cc=john.g.garry@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=mlombard@arkamax.eu \
    --cc=sagi@grimberg.me \
    --cc=weizhu@fiu.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox