Commit 045de296 authored Jan 08, 2024 by Keith Busch Committed by Li Lingfeng Jan 08, 2024

nvme: sanitize metadata bounce buffer for reads

mainline inclusion
from mainline-v6.1-rc1
commit 2b32c76e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8UHPD
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b32c76e2b0154b98b9322ae7546b8156cd703e6



----------------------------------------

User can request more metadata bytes than the device will write. Ensure
kernel buffer is initialized so we're not leaking unsanitized memory on
the copy-out.

Fixes: 0b7f1f26 ("nvme: use the block layer for userspace passthrough metadata")
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>

Conflicts:
  Commit 2405252a ("nvme: move the ioctl code to a separate file") move
  nvme_add_user_metadata() from drivers/nvme/host/core.c to
  drivers/nvme/host/ioctl.c;
  Commit 38c0ddab ("nvme: refactor nvme_add_user_metadata") changed to
  use REQ_OP_DRV_OUT to identify the write request.
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>

parent 2807514f

drivers/nvme/host/core.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -966,9 +966,13 @@ static void nvme_add_user_metadata(struct bio bio, void __user *ubuf,
		if (!buf)
		goto out;

		if (write) {
		ret = -EFAULT;
		if (write && copy_from_user(buf, ubuf, len))
		if (copy_from_user(buf, ubuf, len))
		goto out_free_meta;
		} else {
		memset(buf, 0, len);
		}

		bip = bio_integrity_alloc(bio, GFP_KERNEL, 1);
		if (IS_ERR(bip)) {