From patchwork Tue Feb 21 18:03:50 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Omar Sandoval <osandov@osandov.com>
X-Patchwork-Id: 9585337
Return-Path: <linux-block-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	DDDF06042F for <patchwork-linux-block@patchwork.kernel.org>;
	Tue, 21 Feb 2017 19:05:44 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB8BC28610
	for <patchwork-linux-block@patchwork.kernel.org>;
	Tue, 21 Feb 2017 19:05:44 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id E0A33285A6; Tue, 21 Feb 2017 19:05:44 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 55C3B28611
	for <patchwork-linux-block@patchwork.kernel.org>;
	Tue, 21 Feb 2017 19:05:44 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932116AbdBUSFW (ORCPT
	<rfc822;patchwork-linux-block@patchwork.kernel.org>);
	Tue, 21 Feb 2017 13:05:22 -0500
Received: from mail-pg0-f46.google.com ([74.125.83.46]:32945 "EHLO
	mail-pg0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753345AbdBUSEe (ORCPT
	<rfc822;linux-block@vger.kernel.org>);
	Tue, 21 Feb 2017 13:04:34 -0500
Received: by mail-pg0-f46.google.com with SMTP id z128so1750395pgb.0
	for <linux-block@vger.kernel.org>;
	Tue, 21 Feb 2017 10:04:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=osandov-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id;
	bh=BzadqxhUSORdSfT4EWwW5CdntRV+LGx0mCnjlKKPLJ8=;
	b=gss5qWusbt6YICtnt//7Vy6mmGkCRoby0geG2gmjj+BHMDLT62XQ0GMnL6vFI+8kmU
	GWPVfO4FGURaKfb/sHH9cojtYhCKBIINhj+YeGh4oOGDXGYh2BLqgStLcPpYJWTtk1Ua
	dTek91yuV8kgvQj5o26edo7jDW5uKqk0WSuFJ1u57jEeWbO68FDTviKLvKZQALiPKeHi
	0ccKM+g5Q0iHXb1JrddIhiISeOQOL9hmK6KC423xOMPumT4dls2bXb8k2TH2xkUVaQ9f
	Il1w/2obPnJnAvSN7MWv+df3CR3bf+WUNBUUiooAlT9ZM85I+MAzQdDs2NEbVMddQUxw
	mSsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=BzadqxhUSORdSfT4EWwW5CdntRV+LGx0mCnjlKKPLJ8=;
	b=V4yEUmYW/rcRHNHr0bHNQyCXp+NRbGpZ5RjH4R7yid++pMlTNNSm8j1JHMtsZh3ncc
	pj57Btw5sXphPio5oWhNEvVg85XbIfWCbYgi7s/OobDRF8daukSdQ29nFGze7wxgtKyk
	zkQZgCHaslQ37eWCpzpxFvHFIYG+FoPRSGgHas9GbUNyWwXw29mZSgQbKmRkdEtKkJOe
	AleABjUqpQoH31UE1eQorWprMKVdDQ/qAQ9Z4Q8ikiymepOqjIWJoSPjLOt9aZBLdspw
	iVKyYqiBwT50KFJAPFr2F0HL7Rk3vTRKmkGTrroBdH0X6+Nr2vVGrTo71NWLRPbIpYnT
	4ldw==
X-Gm-Message-State: 
 AMke39k0SjGnU8ctv29GRtBuhDyrxGjr/wPq4Q8ka18J/yPDQ7pYOE6WzPhA3/Pt+F6FdNgl
X-Received: by 10.98.204.25 with SMTP id a25mr11678887pfg.6.1487700273154;
	Tue, 21 Feb 2017 10:04:33 -0800 (PST)
Received: from vader.thefacebook.com ([2620:10d:c090:200::2:7fc8])
	by smtp.gmail.com with ESMTPSA id
	l25sm42248980pfg.134.2017.02.21.10.04.32
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 21 Feb 2017 10:04:32 -0800 (PST)
From: Omar Sandoval <osandov@osandov.com>
To: Jens Axboe <axboe@fb.com>, linux-block@vger.kernel.org
Cc: Christoph Hellwig <hch@lst.de>, kernel-team@fb.com
Subject: [PATCH] scsi_transport_sas: fix BSG ioctl memory corruption
Date: Tue, 21 Feb 2017 10:03:50 -0800
Message-Id: 
 <e33a218846e718a310fd8bd92acbafd0b6252aca.1487700062.git.osandov@fb.com>
X-Mailer: git-send-email 2.11.1
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-block.vger.kernel.org>
X-Mailing-List: linux-block@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Omar Sandoval <osandov@fb.com>

The end_device and sas_host devices support BSG ioctls, but the
request_queue allocated for them isn't set up to allocate the struct
scsi_request payload. This leads to memory corruption in the call to
scsi_req_init() in bsg_map_hdr(), since it will memset past the end of
the allocated request. Fix it by setting ->cmd_size on the allocated
request_queue.

Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
Signed-off-by: Omar Sandoval <osandov@fb.com>
---
I don't know what sg ioctls these devices actually support, but I tested
this with sg_inq, which previously caused KASAN splats.

 drivers/scsi/scsi_transport_sas.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c
index 126a5ee00987..f94535130a34 100644
--- a/drivers/scsi/scsi_transport_sas.c
+++ b/drivers/scsi/scsi_transport_sas.c
@@ -227,27 +227,31 @@ static int sas_bsg_initialize(struct Scsi_Host *shost, struct sas_rphy *rphy)
 		return 0;
 	}
 
+	q = blk_alloc_queue(GFP_KERNEL);
+	if (!q)
+		return -ENOMEM;
+	q->cmd_size = sizeof(struct scsi_request);
+
 	if (rphy) {
-		q = blk_init_queue(sas_non_host_smp_request, NULL);
+		q->request_fn = sas_non_host_smp_request;
 		dev = &rphy->dev;
 		name = dev_name(dev);
 		release = NULL;
 	} else {
-		q = blk_init_queue(sas_host_smp_request, NULL);
+		q->request_fn = sas_host_smp_request;
 		dev = &shost->shost_gendev;
 		snprintf(namebuf, sizeof(namebuf),
 			 "sas_host%d", shost->host_no);
 		name = namebuf;
 		release = sas_host_release;
 	}
-	if (!q)
-		return -ENOMEM;
+	error = blk_init_allocated_queue(q);
+	if (error)
+		goto out_cleanup_queue;
 
 	error = bsg_register_queue(q, dev, name, release);
-	if (error) {
-		blk_cleanup_queue(q);
-		return -ENOMEM;
-	}
+	if (error)
+		goto out_cleanup_queue;
 
 	if (rphy)
 		rphy->q = q;
@@ -261,6 +265,10 @@ static int sas_bsg_initialize(struct Scsi_Host *shost, struct sas_rphy *rphy)
 
 	queue_flag_set_unlocked(QUEUE_FLAG_BIDI, q);
 	return 0;
+
+out_cleanup_queue:
+	blk_cleanup_queue(q);
+	return error;
 }
 
 static void sas_bsg_remove(struct Scsi_Host *shost, struct sas_rphy *rphy)