From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D804F3EDE57 for ; Tue, 2 Jun 2026 15:42:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780414949; cv=none; b=tko0QYL0ml/7kYAI/hjDaw8Rra+i5y+ipbLpWYiOcITjhqUjGsKGROdHIIGyrEvelLQuZsNktq8cStcHpZ6iYFG/GKXi0O0aZKd+aKKDh4IO1/5kNZhMlGAnlBnspFAGheZZ0yKOZTQd6NVLhz/9s7j7hY4Lkojh6j+eCPGAk9w= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780414949; c=relaxed/simple; bh=ZVvIDS4oVuTxz0uF9Wjfmrp8I9Y1BFw4uP6B/7o0vMc=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=B2B6gtuQhXBqYTZOCP8abL8UTdhibbZNUAsOEVzX2G2aoybWr/gJ3KXv/aaA42NMx6SziMsDPiTivMxrY7Zw5ZI03viA4dIvmds57DjCwQlDQ/F2KH12vIZG8fjVW80o94Yobr2tMA/b6Ks4qBzK+iflmv+8SRVYSdyOyqFcSco= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=nWFze1K8; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="nWFze1K8" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 292C51F00898; Tue, 2 Jun 2026 15:42:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780414946; bh=KqGEmNyA5hT2LLfsgXtkSAUY2yGrhW9fUacz4P9Ho98=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=nWFze1K8ww8P+C3c7ENGikKa3kP5LgZu+2tT2UAh6APf1KvvciyP55h/Xsynfkzh0 HdRCjql0Tu/UfagIvZ3yn6Iy/4qbjIPOTQuXZeT99/5DEf/B4kGsYZI3GQOCqsIm7Z GzN0MG2bRKPqKQZfWQbDzvC5BWml1F+nXTVhx5fzXCyuARqAcqUCIEp2zBr5KHJEJ5 F6z1Cy23Q3Ya11o9ClQoK0PGQYbYyjvQ5G/3wSiM0ARrfrriykpJrQE0nwW/ekMGng AV5uir1SA+sH5KDISxf+m6CRJe6x5hjHGG0gDqf4dtulNGbo2clZlS7Zo42q0Sordy UWCx4b/26hGqg== Date: Tue, 2 Jun 2026 16:42:19 +0100 From: Keith Busch To: John Garry Cc: Chao Shi , Jens Axboe , linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, Christoph Hellwig , Sagi Grimberg , Daniel Wagner , Hannes Reinecke , Maurizio Lombardi , Sungwoo Kim , Dave Tian , Weidong Zhu Subject: Re: [PATCH v3] nvme: core: reject invalid LBA data size from Identify Namespace Message-ID: References: <20260515185853.2761456-1-coshi036@gmail.com> <0938b6f8-8001-4fcf-95a4-327fa9077163@oracle.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Tue, Jun 02, 2026 at 04:15:41PM +0100, Keith Busch wrote: > On Tue, Jun 02, 2026 at 02:10:07PM +0100, John Garry wrote: > > On 15/05/2026 19:58, Chao Shi wrote: > > > + if (id->lbaf[lbaf].ds < SECTOR_SHIFT || > > > + check_shl_overflow(le64_to_cpu(id->nsze),> + id->lbaf[lbaf].ds - > > SECTOR_SHIFT, > > > + &capacity)) { > > > + dev_warn_once(ns->ctrl->device, > > > + "invalid LBA data size %u, skipping namespace\n", > > > + id->lbaf[lbaf].ds); > > > + ret = -ENODEV; > > > + goto out; > > > + } > > > > JFYI, this is giving a C=1 warning: > > > > drivers/nvme/host/core.c:2411:13: warning: unsigned value that used to be signed checked against zero? > > drivers/nvme/host/core.c:2411:13: signed value source > > > > I can't seem to quieten it myself, though. > > > > BTW, I would have thought that check_shl_overflow would catch > > id->lbaf[lbaf].ds < SECTOR_SHIFT (so that we don't need the extra check). > > I see it too. check_shl_overflow has checks that suggest it was > expecting a signed type, as all the < 0 checks don't make sense for > unsigned. The warning seems harmless, but I'd too like to see it > suppressed. > > I think it's odd that I'm not seeing a similar error for the similar > usage in generic_check_addressable() from fs/libfs.c. They look the same > to me with respect to the types passed in. It appears that sparse is having trouble with the type provenance of a __bitwise __le64 type. No idea why. As a test, I replaced the le64_to_cpu() to a u64 type on stack initialized to a random ULL value and the warning goes away. I say we can ignore the sparse warning, or we can rewrite this to avoid the check_shl_overflow entirely. --- diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index cad9d97352615..6409a8218e3eb 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -2372,8 +2372,8 @@ static int nvme_update_ns_info_block(struct nvme_ns *ns, struct nvme_zone_info zi = {}; struct nvme_id_ns *id; unsigned int memflags; - sector_t capacity; - unsigned lbaf; + unsigned lbaf, shift = 0; + u64 capacity, nsze; int ret; ret = nvme_identify_ns(ns->ctrl, info->nsid, &id); @@ -2407,10 +2407,13 @@ static int nvme_update_ns_info_block(struct nvme_ns *ns, goto out; } - if (id->lbaf[lbaf].ds < SECTOR_SHIFT || - check_shl_overflow(le64_to_cpu(id->nsze), - id->lbaf[lbaf].ds - SECTOR_SHIFT, - &capacity)) { + nsze = le64_to_cpu(id->nsze); + if (id->lbaf[lbaf].ds >= SECTOR_SHIFT) + shift = id->lbaf[lbaf].ds - SECTOR_SHIFT; + + if (shift < SECTOR_SHIFT || shift >= 64 || nsze > U64_MAX >> shift) { dev_warn_once(ns->ctrl->device, "invalid LBA data size %u, skipping namespace\n", id->lbaf[lbaf].ds); --