| Message ID | 20190123190645.119109-1-bvanassche@acm.org (mailing list archive) |
|---|---|
| State | New, archived |
| Series | block: Allocate a sense buffer before executing an SG_IO ioctl |
On Wed, 2019-01-23 at 11:06 -0800, Bart Van Assche wrote: > Some time ago blk_execute_rq() was modified such that it no longer > allocates a sense buffer. Make sg_io() allocate and use a sense buffer. > This patch avoids that the following bug is triggered when running the > libiscsi tests against the scsi_debug driver: > > usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 18)! > ------------[ cut here ]------------ > kernel BUG at mm/usercopy.c:102! > CPU: 5 PID: 693 Comm: iscsi-test-cu Not tainted 5.0.0-rc3-dbg+ #3 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 > RIP: 0010:usercopy_abort+0x7a/0x7c > Call Trace: > __check_object_size.cold.1+0x37/0x3d > sg_io+0x5a2/0x700 > scsi_cmd_ioctl+0x4d4/0x540 > scsi_cmd_blk_ioctl+0x7b/0x8b > sd_ioctl+0xba/0x150 > blkdev_ioctl+0x6e1/0xea0 > block_ioctl+0x79/0x90 > do_vfs_ioctl+0x12b/0x9b0 > ksys_ioctl+0x41/0x80 > __x64_sys_ioctl+0x43/0x50 > do_syscall_64+0x71/0x210 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > Cc: Christoph Hellwig <hch@lst.de> > Cc: Martin K. Petersen <martin.petersen@oracle.com> > Cc: Douglas Gilbert <dgilbert@interlog.com> > Cc: <stable@vger.kernel.org> # v4.11+ > Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") > Signed-off-by: Bart Van Assche <bvanassche@acm.org> > --- > block/scsi_ioctl.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c > index 533f4aee8567..066929ec0d61 100644 > --- a/block/scsi_ioctl.c > +++ b/block/scsi_ioctl.c > @@ -299,6 +299,7 @@ static int sg_io(struct request_queue *q, struct gendisk *bd_disk, > struct request *rq; > struct scsi_request *req; > struct bio *bio; > + u8 sense[SCSI_SENSE_BUFFERSIZE]; > > if (hdr->interface_id != 'S') > return -EINVAL; 
> @@ -361,6 +362,7 @@ static int sg_io(struct request_queue *q, struct gendisk *bd_disk, > > bio = rq->bio; > req->retries = 0; > + req->sense = sense; > > start_time = jiffies; Please ignore this patch - I just realized that this is not the right way to fix the reported issue. Bart.
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c index 533f4aee8567..066929ec0d61 100644 --- a/block/scsi_ioctl.c +++ b/block/scsi_ioctl.c @@ -299,6 +299,7 @@ static int sg_io(struct request_queue *q, struct gendisk *bd_disk, struct request *rq; struct scsi_request *req; struct bio *bio; + u8 sense[SCSI_SENSE_BUFFERSIZE]; if (hdr->interface_id != 'S') return -EINVAL; @@ -361,6 +362,7 @@ static int sg_io(struct request_queue *q, struct gendisk *bd_disk, bio = rq->bio; req->retries = 0; + req->sense = sense; start_time = jiffies;
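Review bot: the `u8 sense[SCSI_SENSE_BUFFERSIZE];` added in the first hunk is never initialised, while the quoted oops shows sg_io() copying sense bytes out to user space (size 18); if a lower layer ever reports a sense length without having filled the whole buffer, uninitialised stack contents would be returned to the caller. Zero the array before handing it to the request, e.g. `memset(sense, 0, sizeof(sense));` right after the declaration, so the copy-out can only ever return sense data or zeros.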
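Review bot: `req->sense = sense;` in the second hunk points the request at sg_io()'s own stack frame, so correctness depends on nothing dereferencing req->sense after sg_io() returns (including timeout and error unwinding paths), and the two added lines do not establish that nor show whether the SCSI layer keeps a caller-supplied req->sense when it prepares the command. The oops reports a NULL sense pointer ("from null address"), which suggests the pointer is missing where it is normally assigned rather than that sg_io() needs its own buffer; that is consistent with the author's follow-up withdrawing the patch. If a caller-side buffer is kept, add a comment next to the assignment stating the lifetime assumption and why it holds.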
Some time ago blk_execute_rq() was modified such that it no longer
allocates a sense buffer. Make sg_io() allocate and use a sense buffer.
This patch avoids that the following bug is triggered when running the
libiscsi tests against the scsi_debug driver:

usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 18)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
CPU: 5 PID: 693 Comm: iscsi-test-cu Not tainted 5.0.0-rc3-dbg+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
RIP: 0010:usercopy_abort+0x7a/0x7c
Call Trace:
 __check_object_size.cold.1+0x37/0x3d
 sg_io+0x5a2/0x700
 scsi_cmd_ioctl+0x4d4/0x540
 scsi_cmd_blk_ioctl+0x7b/0x8b
 sd_ioctl+0xba/0x150
 blkdev_ioctl+0x6e1/0xea0
 block_ioctl+0x79/0x90
 do_vfs_ioctl+0x12b/0x9b0
 ksys_ioctl+0x41/0x80
 __x64_sys_ioctl+0x43/0x50
 do_syscall_64+0x71/0x210
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Cc: Christoph Hellwig <hch@lst.de>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Douglas Gilbert <dgilbert@interlog.com>
Cc: <stable@vger.kernel.org> # v4.11+
Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
 block/scsi_ioctl.c | 2 ++
 1 file changed, 2 insertions(+)