Commit 84164acb authored by Shin'ichiro Kawasaki, committed by Keith Busch

nvmet: do not copy beyond subsysnqn string length

Commit edd17206 ("nvmet: remove redundant subsysnqn field from
ctrl") replaced ctrl->subsysnqn with ctrl->subsys->subsysnqn. This
change works as expected because both point to strings with the same
data. However, their memory allocation lengths differ. ctrl->subsysnqn
had the fixed size defined as NVMF_NQN_FILED_LEN, while
ctrl->subsys->subsysnqn has variable length determined by kstrndup().
Due to this difference, KASAN slab-out-of-bounds occurs at memcpy() in
nvmet_passthru_override_id_ctrl() after the commit. The failure can be
recreated by running the blktests test case nvme/033. To prevent such
failures, replace memcpy() with strscpy(), which copies only the string
length and avoids overruns.

Fixes: edd17206 ("nvmet: remove redundant subsysnqn field from ctrl")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
parent 2fa8961d
@@ -150,7 +150,7 @@ static u16 nvmet_passthru_override_id_ctrl(struct nvmet_req *req)
	 * code path with duplicate ctrl subsysnqn. In order to prevent that we
	 * mask the passthru-ctrl subsysnqn with the target ctrl subsysnqn.
	 */
	memcpy(id->subnqn, ctrl->subsys->subsysnqn, sizeof(id->subnqn));
	strscpy(id->subnqn, ctrl->subsys->subsysnqn, sizeof(id->subnqn));

	/* use fabric id-ctrl values */
	id->ioccsz = cpu_to_le32((sizeof(struct nvme_command) +
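Review bot: strscpy() on the changed line stops at the NUL terminator and does not zero the rest of id->subnqn, so the bytes after the terminator still hold whatever the passthru controller's identify data carried, which is exactly the value the comment above says should be masked. If the intent is a fully overwritten field, strscpy_pad(id->subnqn, ctrl->subsys->subsysnqn, sizeof(id->subnqn)) zero-fills the remainder at no extra cost; the out-of-bounds read fix itself is correct, since the copy is now bounded by the source string length rather than the destination size.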