From: Bart Van Assche <Bart.VanAssche@sandisk.com>
To: "jejb@linux.vnet.ibm.com" <jejb@linux.vnet.ibm.com>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"longli@exchange.microsoft.com" <longli@exchange.microsoft.com>,
"martin.petersen@oracle.com" <martin.petersen@oracle.com>
Cc: "longli@microsoft.com" <longli@microsoft.com>
Subject: Re: [Possible Phish Fraud][PATCH] scsi: zero per-cmd driver data for each MQ I/O
Date: Mon, 15 May 2017 23:02:56 +0000
Message-ID: <1494889376.2567.8.camel@sandisk.com>
In-Reply-To: <1494450443-2921-1-git-send-email-longli@exchange.microsoft.com>

On Wed, 2017-05-10 at 14:07 -0700, Long Li wrote:
> From: Long Li <longli@microsoft.com>
>
> Lower layer driver may not initialize private data before use. Zero them
> out to prevent use of stale data.
>
> Signed-off-by: Long Li <longli@microsoft.com>
> ---
> drivers/scsi/scsi_lib.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
> index 19125d7..a821593 100644
> --- a/drivers/scsi/scsi_lib.c
> +++ b/drivers/scsi/scsi_lib.c
> @@ -1850,7 +1850,7 @@ static int scsi_mq_prep_fn(struct request *req)
>
> /* zero out the cmd, except for the embedded scsi_request */
> memset((char *)cmd + sizeof(cmd->req), 0,
> - sizeof(*cmd) - sizeof(cmd->req));
> + sizeof(*cmd) - sizeof(cmd->req) + shost->hostt->cmd_size);
>
> req->special = cmd;
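
Review bot: the length on the added line makes the memset write shost->hostt->cmd_size bytes past the end of *cmd, yet the comment above it still reads "zero out the cmd, except for the embedded scsi_request", and nothing in the hunk shows that the buffer behind cmd is at least sizeof(*cmd) + cmd_size bytes with the driver's private data placed directly after the struct. Suggest updating the comment to say the per-command driver data is cleared as well, and stating in the commit message where that buffer is sized and which lower layer driver was seen reading stale data. The start offset, (char *)cmd + sizeof(cmd->req), is unchanged by this hunk.
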
Hello Long,

Sorry but this patch looks wrong to me. Since scsi_mq_prep_fn() is called
after scsi_req_init(), erasing struct scsi_request from scsi_mq_prep_fn()
will erase the values that were set by scsi_req_init(). That includes
information like the pointer to the SCSI CDB and the CDB itself. See e.g.
scsi_execute().

Did you come up with this patch after source reading or did you come up
with this patch while chasing a bug?

Thanks,

Bart.