[PATCH v2] nvme-pci: fix out-of-bounds access in nvme_setup_descriptor_pools

Keith Busch kbusch at kernel.org
Wed May 27 09:34:07 PDT 2026


On Sat, May 23, 2026 at 08:28:16AM +0000, Mateusz Nowicki wrote:
> nvme_setup_descriptor_pools() indexes dev->descriptor_pools[] using the
> numa_node forwarded from hctx->numa_node by its single caller,
> nvme_init_hctx_common().  On a non-NUMA kernel hctx->numa_node is
> NUMA_NO_NODE (-1).  Because the parameter was declared 'unsigned', the
> value becomes UINT_MAX and the index walks off the array (sized to
> nr_node_ids), faulting during nvme_alloc_ns() and leaving the namespace
> without a /dev node.

Thanks, applied to nvme-7.2.
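
Added example, not taken from the patch or the kernel tree: a user-space C model of the conversion the commit message describes, next to a signed, bounds-checked lookup. The names pool_model, pools, NR_NODE_IDS, index_from_unsigned_param, index_in_bounds and pool_for_node are hypothetical, and mapping NUMA_NO_NODE to node 0 is an assumption of this example, not a statement of what the applied fix does.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define NUMA_NO_NODE (-1)  /* value hctx->numa_node holds on a non-NUMA kernel */
#define NR_NODE_IDS  1u    /* constructed: array sized for a single node */

struct pool_model { int initialized; };   /* hypothetical stand-in for a pool */
static struct pool_model pools[NR_NODE_IDS];

/* 'Before' shape: an unsigned parameter silently converts -1 to UINT_MAX. */
static unsigned index_from_unsigned_param(unsigned numa_node)
{
    return numa_node;      /* the value that would be used as the array index */
}

/* True only if idx addresses an element of pools[]. */
static int index_in_bounds(unsigned idx)
{
    return idx < NR_NODE_IDS;
}

/* Defensive shape: keep the parameter signed and validate before indexing.
 * Mapping NUMA_NO_NODE to node 0 is an assumption of this example. */
static struct pool_model *pool_for_node(int numa_node)
{
    if (numa_node == NUMA_NO_NODE)
        numa_node = 0;
    if (numa_node < 0 || (unsigned)numa_node >= NR_NODE_IDS)
        return NULL;       /* refuse instead of walking off the array */
    return &pools[numa_node];
}

int main(void)
{
    unsigned idx = index_from_unsigned_param(NUMA_NO_NODE);

    printf("index seen by unsigned parameter: %u (in bounds: %d)\n",
           idx, index_in_bounds(idx));
    printf("checked lookup for NUMA_NO_NODE: %s\n",
           pool_for_node(NUMA_NO_NODE) ? "pool 0" : "rejected");
    return 0;
}
```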


