From patchwork Tue Feb 21 18:03:50 2017
X-Patchwork-Submitter: Omar Sandoval
X-Patchwork-Id: 9585337
From: Omar Sandoval
To: Jens Axboe, linux-block@vger.kernel.org
Cc: Christoph Hellwig, kernel-team@fb.com
Subject: [PATCH] scsi_transport_sas: fix BSG ioctl memory corruption
Date: Tue, 21 Feb 2017 10:03:50 -0800
X-Mailer: git-send-email 2.11.1
X-Mailing-List: linux-block@vger.kernel.org
From: Omar Sandoval The end_device and sas_host devices support BSG ioctls, but the request_queue allocated for them isn't set up to allocate the struct scsi_request payload. This leads to memory corruption in the call to scsi_req_init() in bsg_map_hdr(), since it will memset past the end of the allocated request. Fix it by setting ->cmd_size on the allocated request_queue. Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") Signed-off-by: Omar Sandoval --- I don't know what sg ioctls these devices actually support, but I tested this with sg_inq, which previously caused KASAN splats. drivers/scsi/scsi_transport_sas.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c index 126a5ee00987..f94535130a34 100644 --- a/drivers/scsi/scsi_transport_sas.c +++ b/drivers/scsi/scsi_transport_sas.c @@ -227,27 +227,31 @@ static int sas_bsg_initialize(struct Scsi_Host *shost, struct sas_rphy *rphy) return 0; } + q = blk_alloc_queue(GFP_KERNEL); + if (!q) + return -ENOMEM; + q->cmd_size = sizeof(struct scsi_request); + if (rphy) { - q = blk_init_queue(sas_non_host_smp_request, NULL); + q->request_fn = sas_non_host_smp_request; dev = &rphy->dev; name = dev_name(dev); release = NULL; } else { - q = blk_init_queue(sas_host_smp_request, NULL); + q->request_fn = sas_host_smp_request; dev = &shost->shost_gendev; snprintf(namebuf, sizeof(namebuf), "sas_host%d", shost->host_no); name = namebuf; release = sas_host_release; } - if (!q) - return -ENOMEM; + error = blk_init_allocated_queue(q); + if (error) + goto out_cleanup_queue; error = bsg_register_queue(q, dev, name, release); - if (error) { - blk_cleanup_queue(q); - return -ENOMEM; - } + if (error) + goto out_cleanup_queue; if (rphy) rphy->q = q; 
@@ -261,6 +265,10 @@ static int sas_bsg_initialize(struct Scsi_Host *shost, struct sas_rphy *rphy) queue_flag_set_unlocked(QUEUE_FLAG_BIDI, q); return 0; + +out_cleanup_queue: + blk_cleanup_queue(q); + return error; } static void sas_bsg_remove(struct Scsi_Host *shost, struct sas_rphy *rphy)
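Review bot: in the first hunk, the line `q->cmd_size = sizeof(struct scsi_request);` is the actual fix, and it only works because it precedes `error = blk_init_allocated_queue(q);`, since the payload the commit message says was never allocated is reserved when the queue's requests are set up, not when cmd_size is read later; nothing at the assignment says so, so a one-line comment ("must be set before blk_init_allocated_queue()") would keep a later cleanup from hoisting the init call above it. The same hunk also changes the bsg_register_queue() failure path from an unconditional `return -ENOMEM;` to `goto out_cleanup_queue;` with the real `error`, which callers of sas_bsg_initialize() will now see; that is an improvement, but it is a behaviour change the commit message does not mention.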
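Review bot: the new `out_cleanup_queue:` label in the second hunk is reached both when blk_init_allocated_queue() fails and when bsg_register_queue() fails, so blk_cleanup_queue() now runs on a queue whose blk_init_allocated_queue() may have failed part-way, a state the removed blk_init_queue() call used to handle internally before the caller ever saw the queue (the old code only called blk_cleanup_queue() on a fully initialised queue). Either confirm in the commit message that blk_cleanup_queue() is safe on a partially initialised queue, or keep two error paths so the half-initialised case is handled the way blk_init_queue() handled it.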
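The overrun the commit message describes, as an added example written for this page (it is not the patch's or the kernel's code): a userspace model in which a request's driver payload sits directly after `struct request`, and the queue's `cmd_size` decides whether that space was reserved. The struct layouts, `scsi_req()`, the canary arena and the `run_unchecked`/`run_checked` helpers are all simplifications assumed here. What the model shows is that the allocator and the consumer (`scsi_req_init` in `bsg_map_hdr`) must agree on `cmd_size`, that with `cmd_size == 0` the memset lands past the request, and that a consumer-side check turns the silent corruption into an error return.

```c
/* Added example for this page, not the patch's or the kernel's code: a
 * userspace model of the legacy request layout. The structs, scsi_req() and
 * the run_* helpers are simplified assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY_LEN  64
#define CANARY_BYTE 0xA5

struct request_queue { size_t cmd_size; };	/* payload bytes per request */
struct request { struct request_queue *q; unsigned int tag; };
struct scsi_request {		/* modelled on the kernel's; layout assumed */
	unsigned char cmd[16];
	unsigned short cmd_len;
	int result;
	unsigned int sense_len;
};

/* The payload is whatever follows struct request, as in the kernel. */
static struct scsi_request *scsi_req(struct request *rq)
{
	return (struct scsi_request *)(rq + 1);
}

/* Allocate sizeof(struct request) + q->cmd_size, as the request pool does,
 * inside a larger arena with a canary after it, so an overrun stays inside
 * the allocation (no UB in the model) and is detectable instead of silent. */
static struct request *alloc_request(struct request_queue *q)
{
	size_t rq_bytes = sizeof(struct request) + q->cmd_size;
	unsigned char *arena = malloc(rq_bytes + CANARY_LEN);
	struct request *rq = (struct request *)arena;
	if (!arena)
		return NULL;
	memset(arena, 0, rq_bytes);
	memset(arena + rq_bytes, CANARY_BYTE, CANARY_LEN);
	rq->q = q;
	return rq;
}

/* 1 if nothing was written past the bytes the queue actually reserved. */
static int canary_intact(const struct request *rq)
{
	const unsigned char *canary = (const unsigned char *)rq +
				      sizeof(struct request) + rq->q->cmd_size;
	for (size_t i = 0; i < CANARY_LEN; i++)
		if (canary[i] != CANARY_BYTE)
			return 0;
	return 1;
}

/* Trusts the queue, like scsi_req_init() called from bsg_map_hdr(). */
static void scsi_req_init_unchecked(struct request *rq)
{
	struct scsi_request *req = scsi_req(rq);
	memset(req, 0, sizeof(*req));	/* overruns if cmd_size was never set */
	req->cmd_len = 6;
}

/* Defensive variant: refuse a queue that did not reserve the payload. */
static int scsi_req_init_checked(struct request *rq)
{
	if (rq->q->cmd_size < sizeof(struct scsi_request))
		return -EINVAL;
	scsi_req_init_unchecked(rq);
	return 0;
}

/* 1: payload written, canary intact; 0: request overrun; -1: no memory. */
static int run_unchecked(size_t cmd_size)
{
	struct request_queue q = { .cmd_size = cmd_size };
	struct request *rq = alloc_request(&q);
	int ok;
	if (!rq)
		return -1;
	scsi_req_init_unchecked(rq);
	ok = canary_intact(rq);
	free(rq);
	return ok;
}

/* 0 on success, -EINVAL if the queue lacks the payload, -ENOMEM on alloc
 * failure, -EFAULT if the check somehow let an overrun through (not expected). */
static int run_checked(size_t cmd_size)
{
	struct request_queue q = { .cmd_size = cmd_size };
	struct request *rq = alloc_request(&q);
	int ret;
	if (!rq)
		return -ENOMEM;
	ret = scsi_req_init_checked(rq);
	if (ret == 0 && !canary_intact(rq))
		ret = -EFAULT;
	free(rq);
	return ret;
}

int main(void)
{
	printf("cmd_size=0  unchecked: %s\n",
	       run_unchecked(0) == 1 ? "canary intact" : "CANARY CORRUPTED");
	printf("cmd_size=%zu unchecked: %s\n", sizeof(struct scsi_request),
	       run_unchecked(sizeof(struct scsi_request)) == 1 ? "canary intact" : "CANARY CORRUPTED");
	printf("cmd_size=0  checked:   %d (-EINVAL)\n", run_checked(0));
	return 0;
}
```

The patch's fix corresponds to calling the model with `cmd_size == sizeof(struct scsi_request)`: the write stays inside the reserved bytes and the canary survives. The `run_checked` path is the belt-and-braces variant a consumer could add so that a queue set up without the payload fails the ioctl instead of corrupting the neighbouring allocation, which is what KASAN reported in the `sg_inq` test the author mentions.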