[PATCHv2] nvme: sanitize metadata bounce buffer for reads
Jens Axboe
axboe at kernel.dk
Mon Oct 16 18:14:56 PDT 2023
On 10/16/23 5:06 PM, Keith Busch wrote:
> From: Keith Busch <kbusch at kernel.org>
>
> User can request more metadata bytes than the device will write. Ensure
> kernel buffer is initialized so we are not leaking unsanitized memory on
> the completion's copy-out.
>
> Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata")
> Signed-off-by: Keith Busch <kbusch at kernel.org>
> ---
> v1->v2:
>
> correctly split data direction handling (axboe)
>
> drivers/nvme/host/ioctl.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
> index 788b36e7915ab..eb2ef3e149614 100644
> --- a/drivers/nvme/host/ioctl.c
> +++ b/drivers/nvme/host/ioctl.c
> @@ -36,9 +36,13 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf,
> if (!buf)
> goto out;
>
> - ret = -EFAULT;
> - if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len))
> - goto out_free_meta;
> + if (req_op(req) == REQ_OP_DRV_OUT) {
> + ret = -EFAULT;
> + if (copy_from_user(buf, ubuf, len))
> + goto out_free_meta;
> + } else {
> + memset(buf, 0, len);
> + }
>
> bip = bio_integrity_alloc(bio, GFP_KERNEL, 1);
> if (IS_ERR(bip)) {
Reviewed-by: Jens Axboe <axboe at kernel.dk>
--
Jens Axboe
More information about the Linux-nvme
mailing list