From 088cdb4fc9aba587bc9ab2473b6a815a44748323 Mon Sep 17 00:00:00 2001
From: Daniel Wagner <wagi@kernel.org>
Date: Thu, 12 Mar 2026 11:23:55 +0100
Subject: [PATCH] cmds: allocated correct sized buffer for reading cap config
 list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The size of struct nvme_supported_cap_config_list_log only contains the
header. Thus first read the header and then allocated the correctly
sized buffer to read the log page.

Reported-by: 하태구 <hataegu0826@gmail.com>
Signed-off-by: Daniel Wagner <wagi@kernel.org>
---
 libnvme/src/nvme/cmds.h | 29 ++++++++++++++++++++++++++---
 nvme.c                  |  6 +-----
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/libnvme/src/nvme/cmds.h b/libnvme/src/nvme/cmds.h
index ef0a4fcde7..72efe3bbdd 100644
--- a/libnvme/src/nvme/cmds.h
+++ b/libnvme/src/nvme/cmds.h
@@ -16,6 +16,7 @@
 #include <string.h>
 #include <errno.h>
 #include <endian.h>
+#include <stdlib.h>
 
 enum nvme_cmd_dword_fields {
 	NVME_DEVICE_SELF_TEST_CDW10_STC_SHIFT			= 0,
@@ -6569,13 +6570,35 @@ nvme_get_log_media_unit_stat(struct nvme_transport_handle *hdl,
  */
 static inline int
 nvme_get_log_support_cap_config_list(struct nvme_transport_handle *hdl,
-		__u16 domid, struct nvme_supported_cap_config_list_log *cap)
+		__u16 domid, struct nvme_supported_cap_config_list_log **cap)
 {
+	struct nvme_supported_cap_config_list_log hdr, *log;
 	struct nvme_passthru_cmd cmd;
+	size_t size;
+	int err;
+
+	nvme_init_get_log_support_cap_config_list(&cmd, domid, &hdr);
+
+	err = nvme_get_log(hdl, &cmd, false, sizeof(hdr));
+	if (err)
+		return err;
 
-	nvme_init_get_log_support_cap_config_list(&cmd, domid, cap);
+	size = sizeof(hdr) +
+		sizeof(struct nvme_capacity_config_desc) * hdr.sccn;
+	log = (struct nvme_supported_cap_config_list_log *)malloc(size);
+	if (!log)
+		return -ENOMEM;
 
-	return nvme_get_log(hdl, &cmd, false, sizeof(*cap));
+	nvme_init_get_log_support_cap_config_list(&cmd, domid, log);
+
+	err = nvme_get_log(hdl, &cmd, false, size);
+	if (err) {
+		free(log);
+		return err;
+	}
+
+	*cap = log;
+	return 0;
 }
 
 /**
diff --git a/nvme.c b/nvme.c
index bcccfe7f29..9c9589766e 100644
--- a/nvme.c
+++ b/nvme.c
@@ -2110,11 +2110,7 @@ static int get_supp_cap_config_log(int argc, char **argv, struct command *acmd,
 	if (cfg.raw_binary)
 		flags = BINARY;
 
-	cap_log = nvme_alloc(sizeof(*cap_log));
-	if (!cap_log)
-		return -ENOMEM;
-
-	err = nvme_get_log_support_cap_config_list(hdl, cfg.domainid, cap_log);
+	err = nvme_get_log_support_cap_config_list(hdl, cfg.domainid, &cap_log);
 	if (err) {
 		nvme_show_err(
 		    "supported capacity configuration list log", err);