From badf3925680491859cc47586d6b39ed57e0aa3e4 Mon Sep 17 00:00:00 2001
From: jan <jan@openbsd.org>
Date: Thu, 25 Feb 2021 07:30:36 +0000
Subject: [PATCH] Prevent zero size devices from attaching

This also fixes two NULL ptr derefs in later code path.

OK patick@, krw@
---
 sys/dev/ic/nvme.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/sys/dev/ic/nvme.c b/sys/dev/ic/nvme.c
index 602f93d1fb3..9a79c8b1bfe 100644
--- a/sys/dev/ic/nvme.c
+++ b/sys/dev/ic/nvme.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: nvme.c,v 1.90 2021/02/09 01:50:10 jmatthew Exp $ */
+/*	$OpenBSD: nvme.c,v 1.91 2021/02/25 07:30:36 jan Exp $ */
 
 /*
  * Copyright (c) 2014 David Gwynne <dlg@openbsd.org>
@@ -463,11 +463,16 @@ nvme_scsi_probe(struct scsi_link *link)
 	scsi_io_put(&sc->sc_iopool, ccb);
 
 	identify = NVME_DMA_KVA(mem);
-	if (rv == 0 && lemtoh64(&identify->nsze) > 0) {
-		/* Commit namespace if it has a size greater than zero. */
-		identify = malloc(sizeof(*identify), M_DEVBUF, M_WAITOK);
-		memcpy(identify, NVME_DMA_KVA(mem), sizeof(*identify));
-		sc->sc_namespaces[link->target].ident = identify;
+	if (rv == 0) {
+		if (lemtoh64(&identify->nsze) > 0) {
+			/* Commit namespace if it has a size greater than zero. */
+			identify = malloc(sizeof(*identify), M_DEVBUF, M_WAITOK);
+			memcpy(identify, NVME_DMA_KVA(mem), sizeof(*identify));
+			sc->sc_namespaces[link->target].ident = identify;
+		} else {
+			/* Don't attach a namespace if its size is zero. */
+			rv = ENXIO;
+		}
 	}
 
 	nvme_dmamem_free(sc, mem);
-- 
2.20.1