nvme: sanitize metadata bounce buffer for reads

User can request more metadata bytes than the device will write. Ensure
kernel buffer is initialized so we're not leaking unsanitized memory on
the copy-out.

Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata")
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>

diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index d8ff796fd5f21d17c8a213cfdd07699a6e7523ec..747c879e8982b803525238afd1572fc90197fd6d 100644 (file)
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -108,9 +108,13 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf,
        if (!buf)
                goto out;
 
-       ret = -EFAULT;
-       if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len))
-               goto out_free_meta;
+       if (req_op(req) == REQ_OP_DRV_OUT) {
+               ret = -EFAULT;
+               if (copy_from_user(buf, ubuf, len))
+                       goto out_free_meta;
+       } else {
+               memset(buf, 0, len);
+       }
 
        bip = bio_integrity_alloc(bio, GFP_KERNEL, 1);
        if (IS_ERR(bip)) {