Patch "nvme-pci: fix mempool alloc size" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 1 Jan 2023 22:34:38 -0500

This is a note to let you know that I've just added the patch titled

    nvme-pci: fix mempool alloc size

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nvme-pci-fix-mempool-alloc-size.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8e74933922f67a099abb3e5dea64c7c6ae7b3e19
Author: Keith Busch <kbusch@xxxxxxxxxx>
Date:   Mon Dec 19 10:59:06 2022 -0800

    nvme-pci: fix mempool alloc size
    
    [ Upstream commit c89a529e823d51dd23c7ec0c047c7a454a428541 ]
    
    Convert the max size to bytes to match the units of the divisor that
    calculates the worst-case number of PRP entries.
    
    The result is used to determine how many PRP Lists are required. The
    code was previously rounding this to 1 list, but we can require 2 in the
    worst case. In that scenario, the driver would corrupt memory beyond the
    size provided by the mempool.
    
    While unlikely to occur (you'd need a 4MB in exactly 127 phys segments
    on a queue that doesn't support SGLs), this memory corruption has been
    observed by kfence.
    
    Cc: Jens Axboe <axboe@xxxxxxxxx>
    Fixes: 943e942e6266f ("nvme-pci: limit max IO size and segments to avoid high order allocations")
    Signed-off-by: Keith Busch <kbusch@xxxxxxxxxx>
    Reviewed-by: Jens Axboe <axboe@xxxxxxxxx>
    Reviewed-by: Kanchan Joshi <joshi.k@xxxxxxxxxxx>
    Reviewed-by: Chaitanya Kulkarni <kch@xxxxxxxxxx>
    Signed-off-by: Christoph Hellwig <hch@xxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 948b027a75d3..0452fb96df69 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -372,8 +372,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db,
  */
 static int nvme_pci_npages_prp(void)
 {
-	unsigned nprps = DIV_ROUND_UP(NVME_MAX_KB_SZ + NVME_CTRL_PAGE_SIZE,
-				      NVME_CTRL_PAGE_SIZE);
+	unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE;
+	unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE);
 	return DIV_ROUND_UP(8 * nprps, PAGE_SIZE - 8);
 }
 






