[PATCH] nvmet: pci-epf: fix heap overflow for invalid I/O SQES/CQES from the host
Junrui Luo
moonafterrain at outlook.com
Fri Apr 24 07:24:23 PDT 2026
nvmet_pci_epf_enable_ctrl() computes ctrl->io_sqes and ctrl->io_cqes
from the host-controlled CC.IOSQES/CC.IOCQES fields and only rejects
values below sizeof(struct nvme_command) / sizeof(struct nvme_completion).
The resulting sizes are used as DMA transfer lengths against the
fixed-size iod->cmd (64B) and iod->cqe (16B) buffers.
An oversized IOSQES causes nvmet_pci_epf_transfer() to overflow
iod->cmd with host-controlled data, and an oversized IOCQES causes
memcpy_toio() to leak adjacent slab memory back to the host.
Change both checks from '<' to '!='.
Fixes: 0faa0fe6f90e ("nvmet: New NVMe PCI endpoint function target driver")
Reported-by: Yuhao Jiang <danisjiang at gmail.com>
Cc: stable at vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain at outlook.com>
---
drivers/nvme/target/pci-epf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/target/pci-epf.c b/drivers/nvme/target/pci-epf.c
index 4e9db96ebfec..4fdd92508609 100644
--- a/drivers/nvme/target/pci-epf.c
+++ b/drivers/nvme/target/pci-epf.c
@@ -1859,14 +1859,14 @@ static int nvmet_pci_epf_enable_ctrl(struct nvmet_pci_epf_ctrl *ctrl)
ctrl->mps_mask = ctrl->mps - 1;
ctrl->io_sqes = 1UL << nvmet_cc_iosqes(ctrl->cc);
- if (ctrl->io_sqes < sizeof(struct nvme_command)) {
+ if (ctrl->io_sqes != sizeof(struct nvme_command)) {
dev_err(ctrl->dev, "Unsupported I/O SQES %zu (need %zu)\n",
ctrl->io_sqes, sizeof(struct nvme_command));
goto err;
}
ctrl->io_cqes = 1UL << nvmet_cc_iocqes(ctrl->cc);
- if (ctrl->io_cqes < sizeof(struct nvme_completion)) {
+ if (ctrl->io_cqes != sizeof(struct nvme_completion)) {
dev_err(ctrl->dev, "Unsupported I/O CQES %zu (need %zu)\n",
ctrl->io_cqes, sizeof(struct nvme_completion));
goto err;
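Review bot: changing both comparisons from '<' to '!=' is the correct bound for the fixed-size iod->cmd (64B) and iod->cqe (16B) buffers named in the commit message, since any size other than sizeof(struct nvme_command) / sizeof(struct nvme_completion) would make the DMA length disagree with the destination buffer; the existing "need %zu" wording in both dev_err() messages now states the requirement exactly, so no message change is needed. One thing to confirm alongside this hunk: the values the target advertises to the host as supported SQ/CQ entry sizes (the Identify Controller SQES/CQES limits) should name 64-byte and 16-byte entries as both the minimum and maximum, so that a spec-conforming host cannot select a larger entry size and then be refused by the new exact-match check. Consider also adding a short comment above each check noting that the exact match is required because the per-command buffers are fixed-size, so a future reader does not relax it back to a lower bound.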
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260424-fixes-5ec30cad02cc
Best regards,
--
Junrui Luo <moonafterrain at outlook.com>