On Mon, Feb 04, 2019 at 04:37:46PM +0100, Hannes Reinecke wrote:
> static int bsg_scsi_complete_rq(struct request *rq, struct sg_io_v4 *hdr)

So this is bsg_scsi_ops that you quote.

> This expects the 'response' to be allocated.
> Yet nowhere in the block/bsg.c we actually _do_ allocate the 'response'
> field.
> And as the header is pretty much copied from userspace we don't really have
> any control about the contents of the 'response' nor the 'response_len'
> parameter.
>
> These fields used to be filled by mpt3sas (to hold the sense code), but with
> commit 651a01364994 ("scsi: scsi_transport_sas: switch to bsg-lib for SMP
> passthrough") the sense code handling got removed.

But all the transport bsg users actually use bsg_transport_ops and thus
should never end up in the above code. Something in this bug report does
not add up.