From patchwork Tue Dec 25 21:11:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kangjie Lu X-Patchwork-Id: 10742669 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 38B1D746 for ; Tue, 25 Dec 2018 21:12:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 27E2228938 for ; Tue, 25 Dec 2018 21:12:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1C1AB28A49; Tue, 25 Dec 2018 21:12:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0CBB628938 for ; Tue, 25 Dec 2018 21:12:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725902AbeLYVMI (ORCPT ); Tue, 25 Dec 2018 16:12:08 -0500 Received: from mta-p5.oit.umn.edu ([134.84.196.205]:38332 "EHLO mta-p5.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725859AbeLYVMI (ORCPT ); Tue, 25 Dec 2018 16:12:08 -0500 Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id B7AEFBDC for ; Tue, 25 Dec 2018 21:12:06 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P8veA5YU6G1S for ; Tue, 25 Dec 2018 15:12:06 -0600 (CST) Received: from mail-it1-f200.google.com (mail-it1-f200.google.com [209.85.166.200]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id 8ACBBBC4 for ; Tue, 25 Dec 2018 15:12:06 -0600 (CST) Received: by mail-it1-f200.google.com with SMTP id 128so17953640itw.8 for ; Tue, 25 Dec 2018 13:12:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=from:to:cc:subject:date:message-id; bh=mBoB4pQ+YOOc6ishphiaade6t4erG59WztbH8MgNTPc=; b=eD00LeYmbAo5esxVuawTBLqADzWNa9KE3K21JvNME0K6k+8d1mShrWUTTzSqEEpHnC zDuusx3CJFCVHI63hMoiBf067xb9xUPwA76knA3QQ93DtobcoTiqrpOquluVeBNFwsQx q3bqwLCzv1U8eJEc1XTWfUc8PDDDoynZXf/dV/iJOCrYpE4X/SFE4RvnVHoYqfiB93kl 7oD5/s3UduV3x1Tf2o0TlCE3hqlE/ZDWvfBQ4vXqeEbl1jLlR5m02fumlsUe6ZN/Cer5 anu8ouVAv+U4P5jG9y4p6hciQV7QvLaBFICL8ikT10MHEtNlkZ0W9jj0jiR9/Iwyo1dT eUbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=mBoB4pQ+YOOc6ishphiaade6t4erG59WztbH8MgNTPc=; b=CYEWBuk/wYNLc61dGkA8rfk8Yx2G23796tail/dr/t5FAUVs2guqT0ipqIAFinLS5y DMWglpRMsdku6aNaBuLXzRy0uHstTG48scWV2hnSdVgQFfXIpLGeMUeycITLz1aDEh/k X1GJ78yZM+2v7CBpTamy9U566MUqwEevKDtJnCQahXXJuCHdwM9x1BShMeCda/hjEmaB Au6ZyL2Q4jLQebggnN0jLkHL19DkecE7xS58KK7suCxqHYyJTwlKbu6GzwHESrYqgO2C sScXSrclxz8qRi68hbSZ4C6jIeSkFdl1LgS4EGflxO+cDE99N4fjAS+Jn4CAhB+C0P7W MajA== X-Gm-Message-State: AJcUukf517R+RLYUCQq91/nWjVt/OPyN0j0qj5fGJmQA7VohN1uqJSz1 QfUZDuJodnWPjILPNGRV8wNqdNbI4FM5aOyvm/z1FltJL+k+ootL9SesaDeIUdVj4ThLcJgF43L V5J8GA4rcNrIcIU3B4y5HhM2vGw== X-Received: by 2002:a6b:b90a:: with SMTP id j10mr11527144iof.172.1545772326135; Tue, 25 Dec 2018 13:12:06 -0800 (PST) X-Google-Smtp-Source: ALg8bN5Fwrm1n3HIuKV0Wm51M5/J4WsBaHbtHG33YvvLsYTvjaAx9aXLVZxWzGfrPzXEXXTolVs6QQ== X-Received: by 2002:a6b:b90a:: with SMTP id j10mr11527134iof.172.1545772325897; Tue, 25 Dec 2018 13:12:05 -0800 (PST) Received: from localhost.localdomain (host-173-230-104-22.mnmigsc.mn.minneapolis.us.clients.pavlovmedia.net. [173.230.104.22]) by smtp.gmail.com with ESMTPSA id t71sm6796846ita.32.2018.12.25.13.12.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 25 Dec 2018 13:12:05 -0800 (PST) From: Kangjie Lu To: kjlu@umn.edu Cc: pakki001@umn.edu, Adaptec OEM Raid Solutions , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] scsi: aacraid: fix a potential data inconsistency caused by double-fetch Date: Tue, 25 Dec 2018 15:11:36 -0600 Message-Id: <20181225211136.69702-1-kjlu@umn.edu> X-Mailer: git-send-email 2.17.2 (Apple Git-113) Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP "user_srb->count" may be changed by malicious user races. Let's set "user_srbcmd->count" fetched in the second copy to be the one fetched in the first copy. Signed-off-by: Kangjie Lu --- drivers/scsi/aacraid/commctrl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c index 25f6600d6c09..eb18117c431a 100644 --- a/drivers/scsi/aacraid/commctrl.c +++ b/drivers/scsi/aacraid/commctrl.c @@ -539,6 +539,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) rcode = -EFAULT; goto cleanup; } + /* Ensure user_srb->count is not changed */ + user_srbcmd->count = fibsize; flags = user_srbcmd->flags; /* from user in cpu order */ switch (flags & (SRB_DataIn | SRB_DataOut)) {