[ Upstream commit cc8f7fe1f5eab010191aa4570f27641876fa1267 ]
Add __GFP_ZERO flag for alloc_page in function bio_copy_kern to initialize the buffer of a bio.
Signed-off-by: Haimin Zhang <tcs.kernel@gmail.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20220216084038.15635-1-tcs.kernel@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[nobelbarakat: Backported to 5.10: Manually added flag]
Signed-off-by: Nobel Barakat <nobelbarakat@google.com>
---
This change fixes a kernel info leak, since it's possible for bio_copy_kern to copy uninitialized memory into userspace.
For the backport, I had to manually add the __GFP_ZERO flag since alloc_page on 5.10 uses a different parameter than on 5.15. On 5.10, alloc_page is called with q->bounce_gfp whereas on 5.15 it's called with GFP_NOIO.
Version 5.4 is also affected, and I intend to submit a backport there as well.
block/blk-map.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/blk-map.c b/block/blk-map.c index 21630dccac62..ede73f4f7014 100644 --- a/block/blk-map.c +++ b/block/blk-map.c @@ -488,7 +488,7 @@ if (bytes > len) bytes = len;
- page = alloc_page(q->bounce_gfp | gfp_mask); + page = alloc_page(q->bounce_gfp | __GFP_ZERO | gfp_mask); if (!page) goto cleanup;
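Review bot: the `__GFP_ZERO` is ORed into the flags unconditionally, so every page allocated here is zeroed, yet the only case the visible context shows that can leave part of a page unwritten is the final chunk, where `bytes` is clamped by `if (bytes > len) bytes = len;` and the rest of the page never receives data before it is copied out. If the surrounding code distinguishes a read-from-device path from a write path, consider zeroing only on the path where the page contents reach userspace, or stating in the commit message why unconditional zeroing was chosen for the backport. Either way, a one-line comment above `page = alloc_page(q->bounce_gfp | __GFP_ZERO | gfp_mask);` noting that zeroing prevents a partially filled page from leaking stale kernel memory would keep the next reader from dropping the flag as a perceived performance fix.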