On Wed, 2019-01-23 at 11:06 -0800, Bart Van Assche wrote:
> Some time ago blk_execute_rq() was modified such that it no longer
> allocates a sense buffer. Make sg_io() allocate and use a sense buffer.
> This patch avoids that the following bug is triggered when running the
> libiscsi tests against the scsi_debug driver:
>
> usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 18)!
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:102!
> CPU: 5 PID: 693 Comm: iscsi-test-cu Not tainted 5.0.0-rc3-dbg+ #3
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
> RIP: 0010:usercopy_abort+0x7a/0x7c
> Call Trace:
>  __check_object_size.cold.1+0x37/0x3d
>  sg_io+0x5a2/0x700
>  scsi_cmd_ioctl+0x4d4/0x540
>  scsi_cmd_blk_ioctl+0x7b/0x8b
>  sd_ioctl+0xba/0x150
>  blkdev_ioctl+0x6e1/0xea0
>  block_ioctl+0x79/0x90
>  do_vfs_ioctl+0x12b/0x9b0
>  ksys_ioctl+0x41/0x80
>  __x64_sys_ioctl+0x43/0x50
>  do_syscall_64+0x71/0x210
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Martin K. Petersen <martin.petersen@oracle.com>
> Cc: Douglas Gilbert <dgilbert@interlog.com>
> Cc: <stable@vger.kernel.org> # v4.11+
> Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
> Signed-off-by: Bart Van Assche <bvanassche@acm.org>
> ---
>  block/scsi_ioctl.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
> index 533f4aee8567..066929ec0d61 100644
> --- a/block/scsi_ioctl.c
> +++ b/block/scsi_ioctl.c
> @@ -299,6 +299,7 @@ static int sg_io(struct request_queue *q, struct gendisk *bd_disk,
>  	struct request *rq;
>  	struct scsi_request *req;
>  	struct bio *bio;
> +	u8 sense[SCSI_SENSE_BUFFERSIZE];
>
>  	if (hdr->interface_id != 'S')
>  		return -EINVAL;
> @@ -361,6 +362,7 @@ static int sg_io(struct request_queue *q, struct gendisk *bd_disk,
>
>  	bio = rq->bio;
>  	req->retries = 0;
> +	req->sense = sense;
>
>  	start_time = jiffies;

Please ignore this patch - I just realized that this is not the right way to fix the reported issue.

Bart.
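Review bot: in the first hunk (the local declarations at the top of sg_io()), the new `u8 sense[SCSI_SENSE_BUFFERSIZE];` is an uninitialized stack array whose contents sg_io() later copies to user space, as the quoted usercopy splat from sg_io() shows (an 18-byte sense copy). A driver that reports a sense_len larger than the number of bytes it actually wrote would then leak stale stack bytes to the caller; declare it as `u8 sense[SCSI_SENSE_BUFFERSIZE] = {};` (or memset it before the request is issued) so the copy-out can never expose uninitialized kernel stack.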
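Review bot: in the second hunk, `req->sense = sense;` unconditionally replaces whatever sense pointer the request already carried with a buffer that lives only on sg_io()'s stack, which is safe solely because blk_execute_rq() is synchronous and the request is finished before sg_io() returns; that lifetime assumption should be stated in a comment next to the assignment. The commit message also does not explain why req->sense was NULL while a non-zero sense length was reported (the splat shows a copy of size 18 from a null address), so the change papers over the symptom rather than fixing the path that left the pointer unset; the author's reply withdraws the patch for that reason.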