On Wed, 2019-01-23 at 11:06 -0800, Bart Van Assche wrote:
Some time ago blk_execute_rq() was modified such that it no longer allocates a sense buffer. Make sg_io() allocate and use a sense buffer. This patch avoids that the following bug is triggered when running the libiscsi tests against the scsi_debug driver:
usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 18)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
CPU: 5 PID: 693 Comm: iscsi-test-cu Not tainted 5.0.0-rc3-dbg+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
RIP: 0010:usercopy_abort+0x7a/0x7c
Call Trace:
 __check_object_size.cold.1+0x37/0x3d
 sg_io+0x5a2/0x700
 scsi_cmd_ioctl+0x4d4/0x540
 scsi_cmd_blk_ioctl+0x7b/0x8b
 sd_ioctl+0xba/0x150
 blkdev_ioctl+0x6e1/0xea0
 block_ioctl+0x79/0x90
 do_vfs_ioctl+0x12b/0x9b0
 ksys_ioctl+0x41/0x80
 __x64_sys_ioctl+0x43/0x50
 do_syscall_64+0x71/0x210
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
Cc: Christoph Hellwig hch@lst.de
Cc: Martin K. Petersen martin.petersen@oracle.com
Cc: Douglas Gilbert dgilbert@interlog.com
Cc: stable@vger.kernel.org # v4.11+
Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
Signed-off-by: Bart Van Assche bvanassche@acm.org

block/scsi_ioctl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c index 533f4aee8567..066929ec0d61 100644 --- a/block/scsi_ioctl.c +++ b/block/scsi_ioctl.c @@ -299,6 +299,7 @@ static int sg_io(struct request_queue *q, struct gendisk *bd_disk, struct request *rq; struct scsi_request *req; struct bio *bio;
- u8 sense[SCSI_SENSE_BUFFERSIZE];
if (hdr->interface_id != 'S') return -EINVAL; @@ -361,6 +362,7 @@ static int sg_io(struct request_queue *q, struct gendisk *bd_disk, bio = rq->bio; req->retries = 0;
- req->sense = sense;
start_time = jiffies;
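Review bot: the sense buffer introduced by the first hunk is an uninitialised stack array (`u8 sense[SCSI_SENSE_BUFFERSIZE];`) and the second hunk stores its address in the request (`req->sense = sense;`); since the trace above shows sg_io() copying sense bytes out to user space, any completion that reports a sense length without the driver having fully written the buffer would expose stale kernel stack contents, so initialise it (`u8 sense[SCSI_SENSE_BUFFERSIZE] = {};` or a memset before `req->sense = sense;`) and confirm that no reference to the request, and therefore to the stack buffer, can survive past the return of sg_io() on any path, including timeout and error handling.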
Please ignore this patch - I just realized that this is not the right way to fix the reported issue.
Bart.