diff options
| author | Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> | 2025-12-21 16:37:14 +0900 |
|---|---|---|
| committer | Keith Busch <kbusch@kernel.org> | 2026-01-13 13:50:29 -0800 |
| commit | 84164acba33158208c2b0e8e5607bdd43edc0dd4 (patch) | |
| tree | ee00bfcec54e1e205add7ea2725b8a872827e16b /tools/perf/scripts/python/stackcollapse.py | |
| parent | nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() (diff) | |
| download | linux-84164acba33158208c2b0e8e5607bdd43edc0dd4.tar.gz linux-84164acba33158208c2b0e8e5607bdd43edc0dd4.zip | |
nvmet: do not copy beyond sybsysnqn string length
Commit edd17206e363 ("nvmet: remove redundant subsysnqn field from
ctrl") replaced ctrl->subsysnqn with ctrl->subsys->subsysnqn. This
change works as expected because both point to strings with the same
data. However, their memory allocation lengths differ. ctrl->subsysnqn
had the fixed size defined as NVMF_NQN_FILED_LEN, while
ctrl->subsys->subsysnqn has variable length determined by kstrndup().
Due to this difference, KASAN slab-out-of-bounds occurs at memcpy() in
nvmet_passthru_override_id_ctrl() after the commit. The failure can be
recreated by running the blktests test case nvme/033. To prevent such
failures, replace memcpy() with strscpy(), which copies only the string
length and avoids overruns.
Fixes: edd17206e363 ("nvmet: remove redundant subsysnqn field from ctrl")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Diffstat (limited to 'tools/perf/scripts/python/stackcollapse.py')
0 files changed, 0 insertions, 0 deletions