nvme: Fix discard buffer overrun

This patch checks the discard range array bounds before setting it in
case the driver gets a badly formed request.

Signed-off-by: Keith Busch <keith.busch@intel.com>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 1f92783..2fd8688 100644 (file)
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -518,9 +518,11 @@ static blk_status_t nvme_setup_discard(struct nvme_ns *ns, struct request *req,
                u64 slba = nvme_block_nr(ns, bio->bi_iter.bi_sector);
                u32 nlb = bio->bi_iter.bi_size >> ns->lba_shift;
 
-               range[n].cattr = cpu_to_le32(0);
-               range[n].nlb = cpu_to_le32(nlb);
-               range[n].slba = cpu_to_le64(slba);
+               if (n < segments) {
+                       range[n].cattr = cpu_to_le32(0);
+                       range[n].nlb = cpu_to_le32(nlb);
+                       range[n].slba = cpu_to_le64(slba);
+               }
                n++;
        }