[PATCH] nvmet: do not copy beyond subsysnqn string length

Chaitanya Kulkarni chaitanyak at nvidia.com
Mon Dec 22 14:14:55 PST 2025


On 12/20/25 23:37, Shin'ichiro Kawasaki wrote:
> Commit edd17206e363 ("nvmet: remove redundant subsysnqn field from
> ctrl") replaced ctrl->subsysnqn with ctrl->subsys->subsysnqn. This
> change works as expected because both point to strings with the same
> data. However, their memory allocation lengths differ. ctrl->subsysnqn
> has the fixed size defined as NVMF_NQN_FIELD_LEN, while
> ctrl->subsys->subsysnqn has variable length determined by kstrndup().
> Due to this difference, KASAN slab-out-of-bounds occurs at memcpy() in
> nvmet_passthru_override_id_ctrl() after the commit. The failure can be
> recreated by running the blktests test case nvme/033. To prevent such
> failures, replace memcpy() with strscpy(), which copies only the string
> length and avoids overruns.
>
> Fixes: edd17206e363 ("nvmet: remove redundant subsysnqn field from ctrl")
> Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki at wdc.com>


Looks good.

Reviewed-by: Chaitanya Kulkarni <kch at nvidia.com>

-ck
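
The over-read described in the quoted commit message, modelled in userspace C as an added example (not code from the patch or the kernel tree): a fixed-length memcpy() out of a shorter string allocation drags neighbouring bytes into the destination field, while a copy bounded by the string length does not. Assumptions: `bounded_copy()` is a hypothetical stand-in for strscpy(), `NQN_FIELD_LEN` of 256 models the fixed field size, and the NQN and the `arena` layout are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define NQN_FIELD_LEN 256   /* assumed size of the fixed-length NQN field */
#define ADJ 0xAA            /* marks bytes that belong to a neighbouring object */

/* Userspace stand-in for strscpy(): stops at the source NUL, always
 * terminates dst, returns the copied length or -1 if src was truncated. */
static ssize_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t i;
    if (size == 0)
        return -1;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (ssize_t)i : -1;
}

/* Copy nqn into a zeroed field and count how many neighbouring bytes
 * ended up in it. The arena models the heap: the first strlen(nqn)+1
 * bytes are the string's allocation, the rest is someone else's data. */
static size_t foreign_bytes_in_field(const char *nqn, int use_fixed_len)
{
    unsigned char arena[2 * NQN_FIELD_LEN];
    char field[NQN_FIELD_LEN] = { 0 };
    size_t i, n = 0;

    memset(arena, ADJ, sizeof(arena));
    memcpy(arena, nqn, strlen(nqn) + 1);   /* requires strlen(nqn) < NQN_FIELD_LEN */

    if (use_fixed_len)
        memcpy(field, arena, NQN_FIELD_LEN);   /* pre-fix pattern: length of the field, not the string */
    else
        bounded_copy(field, (const char *)arena, sizeof(field));

    for (i = 0; i < sizeof(field); i++)
        n += ((unsigned char)field[i] == ADJ);
    return n;
}

int main(void)
{
    const char *nqn = "nqn.2014-08.org.example:subsys1";   /* constructed */
    printf("fixed-length copy: %zu foreign bytes\n", foreign_bytes_in_field(nqn, 1));
    printf("bounded copy:      %zu foreign bytes\n", foreign_bytes_in_field(nqn, 0));
    return 0;
}
```

In the kernel the source is a separate slab object, so the extra bytes are an out-of-bounds read that KASAN reports; the arena here keeps the same access pattern inside one buffer so the program stays well-defined.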



