From: Denis Arefev
To: Christoph Hellwig
Cc: Sagi Grimberg, Chaitanya Kulkarni, Hannes Reinecke, Keith Busch, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, syzbot+a84181c81389771eb46a@syzkaller.appspotmail.com
Subject: [PATCH] nvme: Enter string size calculation “subsysnqn”
Date: Thu, 26 Dec 2024 13:45:35 +0300
Message-ID: <20241226104546.13705-1-arefev@swemel.ru>

When memory is allocated, the size of the string
is calculated nvmet_subsys_alloc(...). When memory was accessed,
constant size was used.

Fixes: 95409e277d83 ("nvmet: implement unique discovery NQN")
Reported-by: syzbot+a84181c81389771eb46a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a84181c81389771eb46a
Signed-off-by: Denis Arefev
---
 drivers/nvme/target/configfs.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index eeee9e9b854c..2f74204d000e 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -2247,14 +2247,15 @@ static struct config_group nvmet_hosts_group; static ssize_t nvmet_root_discovery_nqn_show(struct config_item *item, char *page) { - return snprintf(page, PAGE_SIZE, "%s\n", nvmet_disc_subsys->subsysnqn); + return snprintf(page, strnlen(nvmet_disc_subsys->subsysnqn, PAGE_SIZE), + "%s\n", nvmet_disc_subsys->subsysnqn); } =20 static ssize_t nvmet_root_discovery_nqn_store(struct config_item *item, const char *page, size_t count) { struct list_head *entry; - size_t len; + size_t len, nqn_len; =20 len =3D strcspn(page, "\n"); if (!len || len > NVMF_NQN_FIELD_LEN - 1) @@ -2271,8 +2272,9 @@ static ssize_t nvmet_root_discovery_nqn_store(struct = config_item *item, return -EINVAL; } } - memset(nvmet_disc_subsys->subsysnqn, 0, NVMF_NQN_FIELD_LEN); - memcpy(nvmet_disc_subsys->subsysnqn, page, len); + nqn_len =3D strnlen(nvmet_disc_subsys->subsysnqn, NVMF_NQN_SIZE); + memset(nvmet_disc_subsys->subsysnqn, 0, nqn_len); + memcpy(nvmet_disc_subsys->subsysnqn, page, nqn_len); up_write(&nvmet_config_sem); =20 return len; --=20 2.43.0
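
Review bot: in nvmet_root_discovery_nqn_show() (first hunk), the size argument of snprintf() is the capacity of the destination including the terminating NUL, so passing strnlen(nvmet_disc_subsys->subsysnqn, PAGE_SIZE) truncates the output. At most one character fewer than the string length is stored, which drops the last character of the NQN and the trailing "\n", and an empty string stores nothing at all. snprintf() still returns the untruncated length, so the function reports more bytes than it placed in page. The destination here is page, whose bound is PAGE_SIZE as in the removed line; if the concern is how much of the source allocation is read, keep PAGE_SIZE as the size and bound the read with a precision ("%.*s\n") instead of shrinking the destination size.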
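
Review bot: in nvmet_root_discovery_nqn_store() (second hunk), nqn_len is the length of the string currently stored in nvmet_disc_subsys->subsysnqn, yet it is used as the number of bytes copied from page, while the length that was validated earlier in the function is len = strcspn(page, "\n"). A new NQN longer than the old one is silently cut to the old length, and a shorter one makes memcpy() copy nqn_len bytes from page, past the newline that ends the input. The function still returns len, so the writer sees success in both cases. Suggest copying len bytes and checking len against the allocated capacity of subsysnqn (the size the commit message says is calculated in nvmet_subsys_alloc()) before the memset(), returning -EINVAL when it does not fit. The hunk also bounds strnlen() with NVMF_NQN_SIZE while the check above it still uses NVMF_NQN_FIELD_LEN - 1; the commit message should say which constant is the intended limit and why they differ.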