From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6FB1040DFA5;
	Mon, 27 Apr 2026 05:30:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1777267850; cv=none; b=L8df+jZF2DwXWpDKUxtmvRkebyhdogYmqI7vY8QhFtmHxuSPhfR5psW+E+3yyl6UcEreZrRQ4fWCNmhbAwjQa5Cp6pkXbpMa/un0vu0YTQlfUxBGp/lh0G3l2TqaaNYMN7DDKio6dttxWDWpc1IHV0RgHBPNM3Rl4hrhbPoflbQ=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1777267850; c=relaxed/simple;
	bh=zM0v6VqgoySR2CiA5H4Q5YFlHnUVTM7lRp0ZIity4dk=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=hdwdINx5bBCIJUaiAQrfMNo6g6pjJ97qL4fYzx9qZ8pAXOdkB2LGKGAnAazay8oqp+r9mA/FsFqFHPEkXAT1NNRdJsvHB/XlEdYpg5LyRXTaKcMmsMesVz1Eoop+U8YL6bGBaTNzpSIPLj4eY1rrDJVkXl4YTYYTL3GvjPqMk4I=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=nlfMk/yd; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="nlfMk/yd"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 74C1EC19425;
	Mon, 27 Apr 2026 05:30:48 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1777267850;
	bh=zM0v6VqgoySR2CiA5H4Q5YFlHnUVTM7lRp0ZIity4dk=;
	h=Date:Subject:To:Cc:References:From:In-Reply-To:From;
	b=nlfMk/ydTPFXH4hipfvRCq07Sd/q/03iwqrmejTabIg6DGEe1Gbu+a+A7LWLkv4hr
	 3GlA6H4Fvn+jPNziqcI4GEUxQpLJq1GgPkr0/uTAWcBE9MnJc8lKfppm24bqrsMi+h
	 +nJsUevGln5dgNVX8JRwYwnMUC4bHsWWX46Sr4Bb0943HkWgNmJDOXlyV5FvZ9v5pN
	 vvmez8V7ihWv0vtewIBXUetSLOt+BhWjhnpZRVJ3UXrDbCxtIOTbS/SajgFypDRKCO
	 WjEvUNBZsDuycW303XIEajJnxyoeuu/OexNiIavN/W2sFv0yN0aPSSZwaoZu4U8pRl
	 uoJbBKGGN/AcA==
Message-ID: <f3005356-c9d8-4bc4-af72-ad02866bc8bc@kernel.org>
Date: Mon, 27 Apr 2026 14:30:40 +0900
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
List-Id: <stable.vger.kernel.org>
List-Subscribe: <mailto:stable+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:stable+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH] nvmet: pci-epf: fix heap overflow for invalid I/O
 SQES/CQES from the host
To: Junrui Luo <moonafterrain@outlook.com>, Christoph Hellwig <hch@lst.de>,
 Sagi Grimberg <sagi@grimberg.me>, Chaitanya Kulkarni <kch@nvidia.com>,
 Manivannan Sadhasivam <mani@kernel.org>,
 =?UTF-8?Q?Krzysztof_Wilczy=C5=84ski?= <kwilczynski@kernel.org>,
 Keith Busch <kbusch@kernel.org>
Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
 Yuhao Jiang <danisjiang@gmail.com>, stable@vger.kernel.org
References: <SYBPR01MB7881878B234CD11D13DCAFCCAF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com>
Content-Language: en-US
From: Damien Le Moal <dlemoal@kernel.org>
Organization: Western Digital Research
In-Reply-To: <SYBPR01MB7881878B234CD11D13DCAFCCAF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

On 4/24/26 11:24 PM, Junrui Luo wrote:
> nvmet_pci_epf_enable_ctrl() computes ctrl->io_sqes and ctrl->io_cqes
> from the host-controlled CC.IOSQES/CC.IOCQES fields and only rejects
> values below sizeof(struct nvme_command) / sizeof(struct nvme_completion).
> The resulting sizes are used as DMA transfer lengths against the
> fixed-size iod->cmd (64B) and iod->cqe (16B) buffers.
> 
> An oversized IOSQES causes nvmet_pci_epf_transfer() to overflow
> iod->cmd with host-controlled data, and an oversized IOCQES causes
> memcpy_toio() to leak adjacent slab memory back to the host.
> 
> Change both checks from '<' to '!='.
> 
> Fixes: 0faa0fe6f90e ("nvmet: New NVMe PCI endpoint function target driver")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>

Looks OK.

Reviewed-by: Damien Le Moal <dlemoal@kernel.org>

-- 
Damien Le Moal
Western Digital Research