| Message ID | 1571293177-117087-3-git-send-email-zhengbin13@huawei.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | scsi: core: fix uninit-value access of variable sshdr | expand |
zhengbin, > We can init sshdr in sr_get_events, but there have many callers of > scsi_execute, scsi_execute_req, we have to troubleshoot all callers, > the simpler way is init sshdr in __scsi_execute. There aren't that many callers. I'd prefer to make sure that everybody is handling DRIVER_SENSE and scsi_sense_valid() correctly. Looks like we're generally OK, but please verify. Thanks!
On 2019/10/18 10:40, Martin K. Petersen wrote: > zhengbin, > >> We can init sshdr in sr_get_events, but there have many callers of >> scsi_execute, scsi_execute_req, we have to troubleshoot all callers, >> the simpler way is init sshdr in __scsi_execute. > There aren't that many callers. I'd prefer to make sure that everybody > is handling DRIVER_SENSE and scsi_sense_valid() correctly. Looks like > we're generally OK, but please verify. OK, I have troubleshoot callers, there are similar bug(scsi_report_opcode, cache_type_store, scsi_test_unit_ready, scsi_report_lun_scan, sd_spinup_disk, read_capacity_16, read_capacity_10, sr_get_events, alua_rtpg, alua_stpg, send_trespass_cmd, hp_sw_tur, hp_sw_start_stop, send_mode_select, sd_sync_cache, sd_start_stop_device, sr_do_ioctl). I modify these in a patch? or every .c a patch, use a patchset? > > Thanks! >
zhengbin,
> I modify these in a patch? or every .c a patch, use a patchset?
A patchset consisting of one patch per file, please.
Thank you!
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 5447738..d5e29c5 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -255,6 +255,13 @@ int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, struct scsi_request *rq; int ret = DRIVER_ERROR << 24; + /* + * Zero-initialize sshdr for those callers that check the *sshdr + * contents even if no sense data is available. + */ + if (sshdr) + memset(sshdr, 0, sizeof(struct scsi_sense_hdr)); + req = blk_get_request(sdev->request_queue, data_direction == DMA_TO_DEVICE ? REQ_OP_SCSI_OUT : REQ_OP_SCSI_IN, BLK_MQ_REQ_PREEMPT);
kmsan report a warning in 5.1-rc4: BUG: KMSAN: uninit-value in sr_get_events drivers/scsi/sr.c:207 [inline] BUG: KMSAN: uninit-value in sr_check_events+0x2cf/0x1090 drivers/scsi/sr.c:243 CPU: 1 PID: 13858 Comm: syz-executor.0 Tainted: G B 5.1.0-rc4+ #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x173/0x1d0 lib/dump_stack.c:113 kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:619 __msan_warning+0x7a/0xf0 mm/kmsan/kmsan_instr.c:310 sr_get_events drivers/scsi/sr.c:207 [inline] sr_check_events+0x2cf/0x1090 drivers/scsi/sr.c:243 The reason is as follows: sr_get_events struct scsi_sense_hdr sshdr; -->uninit scsi_execute_req -->If fail, will not set sshdr scsi_sense_valid(&sshdr) -->access sshdr We can init sshdr in sr_get_events, but there have many callers of scsi_execute, scsi_execute_req, we have to troubleshoot all callers, the simpler way is init sshdr in __scsi_execute. Signed-off-by: zhengbin <zhengbin13@huawei.com> --- drivers/scsi/scsi_lib.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.7.4