git.ipfire.org Git - thirdparty/kernel/linux.git/commit
nvmet: do not copy beyond sybsysnqn string length
author Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Sun, 21 Dec 2025 07:37:14 +0000 (16:37 +0900)
committer Keith Busch <kbusch@kernel.org>
Tue, 13 Jan 2026 21:50:29 +0000 (13:50 -0800)
commit 84164acba33158208c2b0e8e5607bdd43edc0dd4
tree ee00bfcec54e1e205add7ea2725b8a872827e16b
parent 2fa8961d3a6a1c2395d8d560ffed2c782681bade
nvmet: do not copy beyond sybsysnqn string length

Commit edd17206e363 ("nvmet: remove redundant subsysnqn field from
ctrl") replaced ctrl->subsysnqn with ctrl->subsys->subsysnqn. This
change works as expected because both point to strings with the same
data. However, their memory allocation lengths differ. ctrl->subsysnqn
had the fixed size defined as NVMF_NQN_FILED_LEN, while
ctrl->subsys->subsysnqn has variable length determined by kstrndup().
Due to this difference, KASAN slab-out-of-bounds occurs at memcpy() in
nvmet_passthru_override_id_ctrl() after the commit. The failure can be
recreated by running the blktests test case nvme/033. To prevent such
failures, replace memcpy() with strscpy(), which copies only the string
length and avoids overruns.

Fixes: edd17206e363 ("nvmet: remove redundant subsysnqn field from ctrl")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
drivers/nvme/target/passthru.c
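
A userspace sketch of the copy pattern the commit message describes, added here as an example; it is not the kernel code or the patch. The `NQN_FIELD_LEN` value, the helper names and the sample NQN are assumptions, and `copy_bounded()` only imitates the semantics of `strscpy()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NQN_FIELD_LEN 256u /* assumed size of the fixed-size NQN field */

/* Stand-in for kstrndup(): the allocation holds only strlen + 1 bytes. */
char *dup_nqn(const char *nqn)
{
    char *p = malloc(strlen(nqn) + 1);
    if (p)
        strcpy(p, nqn);
    return p;
}

/* Pre-fix pattern (never called here): always reads NQN_FIELD_LEN bytes. */
void copy_fixed_len(char *dst, const char *src)
{
    memcpy(dst, src, NQN_FIELD_LEN);
}

/* Bytes that copy would read past a strlen + 1 allocation. */
size_t fixed_copy_overread(const char *src)
{
    size_t alloc = strlen(src) + 1;
    return alloc < NQN_FIELD_LEN ? NQN_FIELD_LEN - alloc : 0;
}

/* strscpy()-style copy: stops at src's NUL, always terminates dst, and
 * returns the copied length, or -1 on truncation (the kernel: -E2BIG). */
long copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst_size == 0)
        return -1;
    for (i = 0; i < dst_size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (long)i : -1;
}

int main(void)
{
    char dst[NQN_FIELD_LEN];
    char *src = dup_nqn("nqn.2014-08.org.example:subsys1"); /* constructed NQN */
    if (!src) return 1;
    printf("over-read %zu, copied %ld\n", fixed_copy_overread(src), copy_bounded(dst, sizeof(dst), src));
    free(src);
    return 0;
}
```

The over-read count is the span a KASAN-instrumented build would flag as slab-out-of-bounds for a source of that length; the bounded copy never touches it because it stops at the terminating NUL.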