Commit 2f619916 authored by Daniel Wagner, committed by Yuntao Liu

nvmet: always initialize cqe.result

mainline inclusion
from mainline-v6.10-rc4
commit cd0c1b8e045a8d2785342b385cb2684d9b48e426
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEMT
CVE: CVE-2024-41079

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cd0c1b8e045a8d2785342b385cb2684d9b48e426



--------------------------------

The spec doesn't mandate that the first two double words (aka results)
for the command queue entry need to be set to 0 when they are not
used (not specified). Though, the target implementation returns 0 for TCP
and FC but not for RDMA.

Let's make RDMA behave the same and thus explicitly initialize the
result field. This prevents leaking any data from the stack.

Signed-off-by: Daniel Wagner <dwagner@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Conflicts:
	drivers/nvme/target/fabrics-cmd-auth.c
[removed file]
Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
parent 4f1da763
+1 −0
@@ -910,6 +910,7 @@ bool nvmet_req_init(struct nvmet_req *req, struct nvmet_cq *cq,
	req->metadata_sg_cnt = 0;
	req->transfer_len = 0;
	req->metadata_len = 0;
	req->cqe->result.u64 = 0;
	req->cqe->status = 0;
	req->cqe->sq_head = 0;
	req->ns = NULL;
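Review bot: the comment that explained the zeroing ("zero out initial completion result, assign values as needed") is dropped from the connect handlers but not carried over here, so the new `req->cqe->result.u64 = 0;` sits among the other cqe field resets without saying why it matters; suggest moving that comment onto this line, noting that nvmet_req_init is the common entry point for every transport, so the result dwords are now cleared for RDMA as well and never carry stale stack contents back to the host. Also worth stating in the comment that `u64` (rather than the `u32` used by the removed lines) deliberately covers both result double words mentioned in the commit message.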
+0 −6
@@ -170,9 +170,6 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req)
	if (status)
		goto out;

	/* zero out initial completion result, assign values as needed */
	req->cqe->result.u32 = 0;

	if (c->recfmt != 0) {
		pr_warn("invalid connect version (%d).\n",
			le16_to_cpu(c->recfmt));
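Review bot: with the per-handler zeroing removed, correctness now depends on every request reaching nvmet_execute_admin_connect having passed through nvmet_req_init first; the backport should confirm that holds for all transports in this tree, not only the ones exercised upstream. The Conflicts entry lists drivers/nvme/target/fabrics-cmd-auth.c as removed in this tree, so please also confirm that the mainline commit's change to that file (another `req->cqe->result.u32 = 0;` removal) has no remaining equivalent here that would now double-initialize or, worse, be the only place some path was cleared.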
@@ -242,9 +239,6 @@ static void nvmet_execute_io_connect(struct nvmet_req *req)
	if (status)
		goto out;

	/* zero out initial completion result, assign values as needed */
	req->cqe->result.u32 = 0;

	if (c->recfmt != 0) {
		pr_warn("invalid connect version (%d).\n",
			le16_to_cpu(c->recfmt));
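Review bot: the removed `req->cqe->result.u32 = 0;` sat after `if (status) goto out;`, so in the old code any request that failed before this point returned a completion whose result field was never cleared in this function; moving the zeroing into nvmet_req_init closes that early-exit gap as well, which is a stronger guarantee than the commit message's "make RDMA behave the same" suggests and is worth a sentence in the changelog. The remaining context is unchanged and the diff for this function is otherwise identical to the admin connect hunk, so no further change is needed here.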