[PATCH 0/2] nvmet-pci: validate endpoint queue IDs
Michael Bommarito
michael.bommarito at gmail.com
Thu Jul 9 19:30:13 PDT 2026
A PCI root-complex host can crash an NVMe PCI endpoint target with
malformed queue IDs. The endpoint transport allocates its SQ/CQ arrays
using ctrl->nr_queues, which is capped by endpoint interrupt capacity,
but the common target admin validation only checks queue IDs against
subsys->max_qid. A host can therefore submit Create/Delete SQ/CQ commands
with qids that pass the common checks yet index past the smaller endpoint
transport arrays.
Patch 1 rejects queue IDs outside ctrl->nr_queues before the endpoint
SQ/CQ arrays are indexed. Patch 2 adds same-translation-unit KUnit/KASAN
coverage: a valid queue ID that must still be accepted and the
out-of-range Create/Delete SQ/CQ cases that must now be rejected.
Reproduced with the KUnit/KASAN test: the stock Create CQ path faults in
nvmet_pci_epf_create_cq() after nvmet_check_io_cqid() accepts qid 2 with
max_qid 8 and nr_queues 2; patched rejects the malformed cases while the
benign control still passes.
Cc: stable at vger.kernel.org
Michael Bommarito (2):
nvmet-pci: validate queue IDs against endpoint queues
nvmet-pci: add KUnit coverage for endpoint queue IDs
drivers/nvme/target/Kconfig | 11 +++
drivers/nvme/target/pci-epf.c | 151 ++++++++++++++++++++++++++++++++--
2 files changed, 157 insertions(+), 5 deletions(-)
--
2.53.0
More information about the Linux-nvme
mailing list