[PATCH 0/2] nvmet-pci: validate endpoint queue IDs

Michael Bommarito michael.bommarito at gmail.com
Thu Jul 9 19:30:13 PDT 2026


A PCI root-complex host can crash an NVMe PCI endpoint target with
malformed queue IDs. The endpoint transport allocates its SQ/CQ arrays
using ctrl->nr_queues, which is capped by endpoint interrupt capacity,
but the common target admin validation only checks queue IDs against
subsys->max_qid. A host can therefore submit Create/Delete SQ/CQ commands
with qids that pass the common checks yet index past the smaller endpoint
transport arrays.

Patch 1 rejects queue IDs outside ctrl->nr_queues before the endpoint
SQ/CQ arrays are indexed. Patch 2 adds same-translation-unit KUnit/KASAN
coverage: a valid queue ID that must still be accepted and the
out-of-range Create/Delete SQ/CQ cases that must now be rejected.

Reproduced with the KUnit/KASAN test: the stock Create CQ path faults in
nvmet_pci_epf_create_cq() after nvmet_check_io_cqid() accepts qid 2 with
max_qid 8 and nr_queues 2; patched rejects the malformed cases while the
benign control still passes.

Cc: stable at vger.kernel.org

Michael Bommarito (2):
  nvmet-pci: validate queue IDs against endpoint queues
  nvmet-pci: add KUnit coverage for endpoint queue IDs

 drivers/nvme/target/Kconfig   |  11 +++
 drivers/nvme/target/pci-epf.c | 151 ++++++++++++++++++++++++++++++++--
 2 files changed, 157 insertions(+), 5 deletions(-)

--
2.53.0



More information about the Linux-nvme mailing list