block: zero non-PI portion of auto integrity buffer

The auto-generated integrity buffer for writes needs to be fully
initialized before being passed to the underlying block device,
otherwise the uninitialized memory can be read back by userspace or
anyone with physical access to the storage device. If protection
information is generated, that portion of the integrity buffer is
already initialized. The integrity data is also zeroed if PI generation
is disabled via sysfs or the PI tuple size is 0. However, this misses
the case where PI is generated and the PI tuple size is nonzero, but the
metadata size is larger than the PI tuple. In this case, the remainder
("opaque") of the metadata is left uninitialized.
Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the
metadata is larger than just the PI tuple.

Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Fixes: c546d6f43833 ("block: only zero non-PI metadata tuples in bio_integrity_prep")
Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/block/bio-integrity-auto.c b/block/bio-integrity-auto.c
index 9850c338548d330b20387c674eeb7e6f4a031d88..cff025b06be18f73b4718827d208d41b5cc87d4c 100644 (file)
--- a/block/bio-integrity-auto.c
+++ b/block/bio-integrity-auto.c
@@ -140,7 +140,7 @@ bool bio_integrity_prep(struct bio *bio)
                                return true;
                        set_flags = false;
                        gfp |= __GFP_ZERO;
-               } else if (bi->csum_type == BLK_INTEGRITY_CSUM_NONE)
+               } else if (bi->metadata_size > bi->pi_tuple_size)
                        gfp |= __GFP_ZERO;
                break;
        default: