[PATCH] nvmet: do not copy beyond subsysnqn string length
Keith Busch
kbusch at kernel.org
Tue Jan 13 13:50:58 PST 2026
On Sun, Dec 21, 2025 at 04:37:14PM +0900, Shin'ichiro Kawasaki wrote:
> Commit edd17206e363 ("nvmet: remove redundant subsysnqn field from
> ctrl") replaced ctrl->subsysnqn with ctrl->subsys->subsysnqn. This
> change works as expected because both point to strings with the same
> data. However, their memory allocation lengths differ. ctrl->subsysnqn
> has the fixed size defined as NVMF_NQN_FIELD_LEN, while
> ctrl->subsys->subsysnqn has variable length determined by kstrndup().
> Due to this difference, KASAN slab-out-of-bounds occurs at memcpy() in
> nvmet_passthru_override_id_ctrl() after the commit. The failure can be
> recreated by running the blktests test case nvme/033. To prevent such
> failures, replace memcpy() with strscpy(), which copies only the string
> length and avoids overruns.
Thanks, applied to nvme-6.19.