[PATCH v2] nvme: fix memory allocation in nvme_pr_read_keys()

Keith Busch kbusch at kernel.org
Mon Mar 2 07:53:22 PST 2026


On Fri, Feb 27, 2026 at 07:19:28PM -0500, Sungwoo Kim wrote:
> nvme_pr_read_keys() takes num_keys from userspace and uses it to
> calculate the allocation size for rse via struct_size(). The upper
> limit is PR_KEYS_MAX (64K).
> 
> A malicious or buggy userspace can pass a large num_keys value that
> results in a 4MB allocation attempt at most, causing a warning in
> the page allocator when the order exceeds MAX_PAGE_ORDER.

Thanks, applied to nvme-7.0.
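
The size arithmetic described in the quoted commit message, as an added userspace example that is not part of the original thread or the kernel source. The 4 KiB page size, the MAX_PAGE_ORDER value of 10, and the 64-byte header and per-key entry sizes are assumptions chosen to match the "64K" and "4MB" figures above; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions, not stated on the page: page size, order limit, struct sizes. */
#define PAGE_SHIFT_ASSUMED     12      /* 4 KiB pages */
#define MAX_PAGE_ORDER_ASSUMED 10      /* largest order the page allocator serves */
#define HDR_BYTES_ASSUMED      64u     /* fixed part of the rse buffer */
#define ENTRY_BYTES_ASSUMED    64u     /* one per-key entry in the flexible array */
#define PR_KEYS_MAX            (64u * 1024u)   /* "64K" from the commit message */

/* Userspace analogue of struct_size(): header + n * entry, saturating on overflow. */
static size_t rse_alloc_size(uint32_t num_keys)
{
    if (num_keys > (SIZE_MAX - HDR_BYTES_ASSUMED) / ENTRY_BYTES_ASSUMED)
        return SIZE_MAX;
    return HDR_BYTES_ASSUMED + (size_t)num_keys * ENTRY_BYTES_ASSUMED;
}

/* Smallest order with (page size << order) >= size, like the kernel's get_order(). */
static unsigned int order_for(size_t size)
{
    size_t mask = ((size_t)1 << PAGE_SHIFT_ASSUMED) - 1;
    size_t pages = (size >> PAGE_SHIFT_ASSUMED) + ((size & mask) != 0);
    unsigned int order = 0;

    while (((size_t)1 << order) < pages)
        order++;
    return order;
}

/* Nonzero when a contiguous allocation for num_keys is above the order limit. */
static int exceeds_page_allocator(uint32_t num_keys)
{
    return order_for(rse_alloc_size(num_keys)) > MAX_PAGE_ORDER_ASSUMED;
}

/* Largest num_keys whose buffer still fits in one maximum-order allocation. */
static uint32_t largest_fitting_num_keys(void)
{
    size_t max_bytes = (size_t)1 << (PAGE_SHIFT_ASSUMED + MAX_PAGE_ORDER_ASSUMED);
    return (uint32_t)((max_bytes - HDR_BYTES_ASSUMED) / ENTRY_BYTES_ASSUMED);
}

int main(void)
{
    printf("num_keys=%u size=%zu order=%u exceeds=%d fits_up_to=%u\n", PR_KEYS_MAX,
           rse_alloc_size(PR_KEYS_MAX), order_for(rse_alloc_size(PR_KEYS_MAX)),
           exceeds_page_allocator(PR_KEYS_MAX), largest_fitting_num_keys());
    return 0;
}
```

Under these assumptions the fixed header is what pushes a request for exactly PR_KEYS_MAX keys past the 4 MiB boundary, so the upper-bound check on num_keys alone does not keep the allocation within the page allocator's limit.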



More information about the Linux-nvme mailing list