From patchwork Wed Jan 23 19:10:09 2019
X-Patchwork-Submitter: Bart Van Assche
X-Patchwork-Id: 10777751
From: Bart Van Assche
To: "Martin K . Petersen", "James E . J . Bottomley"
Cc: linux-scsi@vger.kernel.org, Bart Van Assche, Douglas Gilbert, Hannes Reinecke, Christoph Hellwig
Subject: [PATCH v2 3/7] Fix bidi handling
Date: Wed, 23 Jan 2019 11:10:09 -0800
Message-Id: <20190123191013.119684-4-bvanassche@acm.org>
In-Reply-To: <20190123191013.119684-1-bvanassche@acm.org>
References: <20190123191013.119684-1-bvanassche@acm.org>
X-Mailing-List: linux-scsi@vger.kernel.org

Some code in the SCSI core interprets blk_mq_rq_to_pdu(cmd->request->next_rq) as a struct scsi_data_buffer, e.g. scsi_mq_prep_fn(). Other code in the SCSI core interprets the same data structure as a struct scsi_request, e.g. scsi_io_completion(). Avoid this confusion by using the SCSI data buffer associated with "next_rq" for bidi requests. This patch avoids that submitting a bidi command triggers a NULL pointer dereference.

Reported-by: Douglas Gilbert
Cc: Douglas Gilbert
Cc: Hannes Reinecke
Cc: Christoph Hellwig
Fixes: d285203cf647 ("scsi: add support for a blk-mq based I/O path.") # v3.17
Signed-off-by: Bart Van Assche
---
 drivers/scsi/scsi_lib.c  | 35 +++++++++++++++--------------------
 include/scsi/scsi_cmnd.h | 13 +++++++++----
 2 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 6bfbe50ef38e..bcbf266e4172 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -556,15 +556,10 @@ static void scsi_uninit_cmd(struct scsi_cmnd *cmd) static void scsi_mq_free_sgtables(struct scsi_cmnd *cmd) { - struct scsi_data_buffer *sdb; - if (cmd->sdb.table.nents) sg_free_table_chained(&cmd->sdb.table, true); - if (cmd->request->next_rq) { - sdb = cmd->request->next_rq->special; - if (sdb) - sg_free_table_chained(&sdb->table, true); - } + if (scsi_bidi_cmnd(cmd)) + sg_free_table_chained(&scsi_in(cmd)->table, true); if (scsi_prot_sg_count(cmd)) sg_free_table_chained(&cmd->prot_sdb.table, true); } 
@@ -1059,7 +1054,7 @@ blk_status_t scsi_init_io(struct scsi_cmnd *cmd) return ret; if (blk_bidi_rq(rq)) { - ret = scsi_init_sgtable(rq->next_rq, rq->next_rq->special); + ret = scsi_init_sgtable(rq->next_rq, scsi_in(cmd)); if (ret) goto out_free_sgtables; } @@ -1595,12 +1590,17 @@ static unsigned int scsi_mq_sgl_size(struct Scsi_Host *shost) sizeof(struct scatterlist); } +static void scsi_init_sdb(struct Scsi_Host *shost, struct scsi_cmnd *cmd) +{ + cmd->sdb.table.sgl = (void *)cmd + sizeof(struct scsi_cmnd) + + shost->hostt->cmd_size; +} + static blk_status_t scsi_mq_prep_fn(struct request *req) { struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req); struct scsi_device *sdev = req->q->queuedata; struct Scsi_Host *shost = sdev->host; - struct scatterlist *sg; scsi_init_command(sdev, cmd); @@ -1611,8 +1611,7 @@ static blk_status_t scsi_mq_prep_fn(struct request *req) cmd->tag = req->tag; cmd->prot_op = SCSI_PROT_NORMAL; - sg = (void *)cmd + sizeof(struct scsi_cmnd) + shost->hostt->cmd_size; - cmd->sdb.table.sgl = sg; + scsi_init_sdb(shost, cmd); /* * Always initialize cmd->prot_sdb.nents such that @@ -1620,17 +1619,13 @@ static blk_status_t scsi_mq_prep_fn(struct request *req) */ memset(&cmd->prot_sdb, 0, sizeof(struct scsi_data_buffer)); if (scsi_host_get_prot(shost)) - cmd->prot_sdb.table.sgl = (void *)&sg + scsi_mq_sgl_size(shost); + cmd->prot_sdb.table.sgl = (void *)&cmd->sdb + + scsi_mq_sgl_size(shost); if (blk_bidi_rq(req)) { - struct request *next_rq = req->next_rq; - struct scsi_data_buffer *bidi_sdb = blk_mq_rq_to_pdu(next_rq); - - memset(bidi_sdb, 0, sizeof(struct scsi_data_buffer)); - bidi_sdb->table.sgl = - (struct scatterlist *)(bidi_sdb + 1); - - next_rq->special = bidi_sdb; + memset(&scsi_in_cmd(cmd)->sdb, 0, + sizeof(scsi_in_cmd(cmd)->sdb)); + scsi_init_sdb(shost, scsi_in_cmd(cmd)); } blk_mq_start_request(req); diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h index 0406c0fbee3e..78183e851a0d 100644 --- a/include/scsi/scsi_cmnd.h 
+++ b/include/scsi/scsi_cmnd.h @@ -215,14 +215,19 @@ static inline int scsi_get_resid(struct scsi_cmnd *cmd) static inline int scsi_bidi_cmnd(struct scsi_cmnd *cmd) { - return blk_bidi_rq(cmd->request) && - (cmd->request->next_rq->special != NULL); + return blk_bidi_rq(cmd->request); +} + +static inline struct scsi_cmnd *scsi_in_cmd(struct scsi_cmnd *cmd) +{ + if (likely(!scsi_bidi_cmnd(cmd))) + return cmd; + return blk_mq_rq_to_pdu(cmd->request->next_rq); } static inline struct scsi_data_buffer *scsi_in(struct scsi_cmnd *cmd) { - return scsi_bidi_cmnd(cmd) ? - cmd->request->next_rq->special : &cmd->sdb; + return &scsi_in_cmd(cmd)->sdb; } static inline struct scsi_data_buffer *scsi_out(struct scsi_cmnd *cmd)
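
Review bot: In the scsi_mq_free_sgtables() hunk (@@ -556), the bidi table is freed whenever scsi_bidi_cmnd(cmd) is true, while the data-out table just above it is only freed when cmd->sdb.table.nents is non-zero. The scsi_init_io() hunk shows a "goto out_free_sgtables" taken when scsi_init_sgtable() fails for next_rq, so this function can plausibly run with a bidi table that was zeroed in scsi_mq_prep_fn() but never populated. Consider guarding the new call the same way, e.g. "if (scsi_bidi_cmnd(cmd) && scsi_in(cmd)->table.nents)", or state in the commit message why sg_free_table_chained() is safe on an empty table here.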
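
Review bot: In the scsi_mq_prep_fn() hunk (@@ -1620), the protection scatterlist is now based on the address of the embedded struct, "(void *)&cmd->sdb + scsi_mq_sgl_size(shost)", not on cmd->sdb.table.sgl, which scsi_init_sdb() has just pointed at the area behind struct scsi_cmnd and the driver-private cmd_size bytes. If the protection list is meant to follow the inline data list, the base should be cmd->sdb.table.sgl; as written the result lands at an offset from a member inside struct scsi_cmnd. The removed line used "&sg", the address of a local variable, so this looks like a separate fix and deserves its own mention in the commit message (or its own patch), with the intended memory layout spelled out in a comment next to scsi_init_sdb().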
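
Review bot: In the include/scsi/scsi_cmnd.h hunk (@@ -215), scsi_in_cmd() hands back blk_mq_rq_to_pdu(cmd->request->next_rq) typed as a full struct scsi_cmnd, but the only initialisation this patch performs on that object is the memset() of its sdb member and scsi_init_sdb() in scsi_mq_prep_fn(). Please document on scsi_in_cmd() that only ->sdb of the returned command is valid, or keep the helper private to scsi_lib.c and let scsi_in() be the only exported accessor, so that no caller reads other members of an uninitialised command. Two assumptions also need stating: scsi_init_sdb() lays out the sgl using shost->hostt->cmd_size, which presumes next_rq's PDU was allocated with the same size as the primary request's, and the commit message says scsi_io_completion() reads this same PDU as a struct scsi_request, yet no hunk here touches that function. With the "next_rq->special != NULL" test dropped from scsi_bidi_cmnd(), every blk_bidi_rq() request now takes this path whether or not prep has run.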