From patchwork Thu May 18 22:40:05 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Long Li X-Patchwork-Id: 9735351 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3AAB7600CC for ; Thu, 18 May 2017 22:41:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 25C54288F1 for ; Thu, 18 May 2017 22:41:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1864E28904; Thu, 18 May 2017 22:41:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 895A1288F1 for ; Thu, 18 May 2017 22:41:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932517AbdERWlh (ORCPT ); Thu, 18 May 2017 18:41:37 -0400 Received: from a2nlsmtp01-05.prod.iad2.secureserver.net ([198.71.225.49]:50712 "EHLO a2nlsmtp01-05.prod.iad2.secureserver.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755090AbdERWlf (ORCPT ); Thu, 18 May 2017 18:41:35 -0400 Received: from linuxonhyperv.com ([107.180.71.197]) by : HOSTING RELAY : with SMTP id BU5wdwy0uCQzGBU5wd0USU; Thu, 18 May 2017 15:40:33 -0700 x-originating-ip: 107.180.71.197 Received: from longli by linuxonhyperv.com with local (Exim 4.89) (envelope-from ) id 1dBU5w-0007V2-8J; Thu, 18 May 2017 15:40:32 -0700 From: Long Li To: "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, KY Srinivasan , Bart Van Assche , Christoph Hellwig , Stephen Hemminger Cc: Long Li , stable@vger.kernel.org Subject: [PATCH v2] scsi: zero per-cmd private driver data for each MQ I/O Date: Thu, 18 May 2017 15:40:05 -0700 Message-Id: <1495147205-28778-1-git-send-email-longli@exchange.microsoft.com> X-Mailer: git-send-email 1.7.1 X-CMAE-Envelope: MS4wfC1tBxcOSXoRdxfKIckx1L0Nn6tl7mIAL2yzuMle6qj70QU8ddk0b8k3CRlQIyeU0rU0IMD8QaPRG8gaVlW2El3LHotaLhaeGOIgJbPm3zKfMAXdMtnU orsbovvokXNwomCMWg+1QcvYmiPPpV43CFTT0LP2FWsK7WjmFZBznyxjoUYX6YNJ1zbKbv5vB/1q+w543YkEpabgGpoY0Ew0y8fUIv+rdK6raNxlpFAdBYeb 3YHHrlaCH7Li1dOUOxe6TnxjvebGV2ld8TZZcdALxe4v87QkPvgity2S9Ydk8vs5QDObkuO4BOt9cH4m4TKZ2fIEuSyZ2oANr9I6J5BM35UxplOIvicmuGYR BOJTYw7uvO88/jffN6iEpvr7KYUEbkA6uetIgzgqWf0r+1gLoZHzOGYpsWRgvJ+70p8tXWsiXJMR3H8CzDB50UpLJJ3l3WBVQuY31ah6HZ3ul07JSA0A/ChF gAcFnGhxzZ2EB8mabZyVD6ve0q84kUJa2xxosA== Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Long Li In lower layer driver's (LLD) scsi_host_template, the driver may optionally ask SCSI to allocate its private driver memory for each command, by specifying cmd_size. This memory is allocated at the end of scsi_cmnd by SCSI. Later when SCSI queues a command, the LLD can use scsi_cmd_priv to get to its private data. Some LLD, e.g. hv_storvsc, doesn't clear its private data before use. In this case, the LLD may get to stale or uninitialized data in its private driver memory. This may result in unexpected driver and hardware behavior. Fix this problem by also zeroing the private driver memory before passing them to LLD. Signed-off-by: Long Li Reviewed-by: Bart Van Assche Reviewed-by: KY Srinivasan Reviewed-by: Christoph Hellwig CC: stable@vger.kernel.org --- drivers/scsi/scsi_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 19125d7..a821593 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -1850,7 +1850,7 @@ static int scsi_mq_prep_fn(struct request *req) /* zero out the cmd, except for the embedded scsi_request */ memset((char *)cmd + sizeof(cmd->req), 0, - sizeof(*cmd) - sizeof(cmd->req)); + sizeof(*cmd) - sizeof(cmd->req) + shost->hostt->cmd_size); req->special = cmd;