From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AAA6FC001E0 for ; Sat, 21 Oct 2023 09:09:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230451AbjJUJJR (ORCPT ); Sat, 21 Oct 2023 05:09:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53130 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231314AbjJUJJN (ORCPT ); Sat, 21 Oct 2023 05:09:13 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D867010F3 for ; Sat, 21 Oct 2023 02:08:52 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 24ACDC433C9; Sat, 21 Oct 2023 09:08:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1697879332; bh=ex8VItc/FIPtJGVzU9iEA672lG5gWxXT7EJ6I+9smj4=; h=Subject:To:Cc:From:Date:From; b=BM9V770lANagX56oE7pxkbapEhi8I3I+lTLghwr8yos6UtpMNQXOM2rMkQ6gEmWFj ffcOeXIyvdnSDSmBH5m5Dwy9+sx+x6MVaGyVeICx72CZsZajJHSDzKmEHaZHLPfr0G 4opvY41sEyJQCdkOYbOVzMdoo9j7BukYJrG1z4PY= Subject: FAILED: patch "[PATCH] nvme: sanitize metadata bounce buffer for reads" failed to apply to 5.4-stable tree To: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, joshi.k@samsung.com, kch@nvidia.com Cc: From: Date: Sat, 21 Oct 2023 11:08:45 +0200 Message-ID: <2023102145-nacho-gulp-0f93@gregkh> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2b32c76e2b0154b98b9322ae7546b8156cd703e6 # git commit -s git send-email --to '' --in-reply-to '2023102145-nacho-gulp-0f93@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2b32c76e2b0154b98b9322ae7546b8156cd703e6 Mon Sep 17 00:00:00 2001 From: Keith Busch Date: Mon, 16 Oct 2023 13:12:47 -0700 Subject: [PATCH] nvme: sanitize metadata bounce buffer for reads User can request more metadata bytes than the device will write. Ensure kernel buffer is initialized so we're not leaking unsanitized memory on the copy-out. Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata") Reviewed-by: Jens Axboe Reviewed-by: Christoph Hellwig Reviewed-by: Kanchan Joshi Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c index d8ff796fd5f2..747c879e8982 100644 --- a/drivers/nvme/host/ioctl.c +++ b/drivers/nvme/host/ioctl.c @@ -108,9 +108,13 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf, if (!buf) goto out; - ret = -EFAULT; - if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len)) - goto out_free_meta; + if (req_op(req) == REQ_OP_DRV_OUT) { + ret = -EFAULT; + if (copy_from_user(buf, ubuf, len)) + goto out_free_meta; + } else { + memset(buf, 0, len); + } bip = bio_integrity_alloc(bio, GFP_KERNEL, 1); if (IS_ERR(bip)) {