Commit ca22c566 authored Jan 08, 2026 by Caleb Sander Mateos Committed by Jens Axboe Jan 10, 2026

block: zero non-PI portion of auto integrity buffer



The auto-generated integrity buffer for writes needs to be fully
initialized before being passed to the underlying block device,
otherwise the uninitialized memory can be read back by userspace or
anyone with physical access to the storage device. If protection
information is generated, that portion of the integrity buffer is
already initialized. The integrity data is also zeroed if PI generation
is disabled via sysfs or the PI tuple size is 0. However, this misses
the case where PI is generated and the PI tuple size is nonzero, but the
metadata size is larger than the PI tuple. In this case, the remainder
("opaque") of the metadata is left uninitialized.
Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the
metadata is larger than just the PI tuple.

Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Fixes: c546d6f4 ("block: only zero non-PI metadata tuples in bio_integrity_prep")
Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent f0d385f6

block/bio-integrity-auto.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -140,7 +140,7 @@ bool bio_integrity_prep(struct bio *bio)
		return true;
		set_flags = false;
		gfp \|= __GFP_ZERO;
		} else if (bi->csum_type == BLK_INTEGRITY_CSUM_NONE)
		} else if (bi->metadata_size > bi->pi_tuple_size)
		gfp \|= __GFP_ZERO;
		break;
		default: