From: Boaz Harrosh <bharrosh@panasas.com>
To: Jens Axboe <jens.axboe@oracle.com>
Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>,
	linux-scsi <linux-scsi@vger.kernel.org>,
	open-osd mailing-list <osd-dev@open-osd.org>
Subject: Re: [PATCH] bsg: Fix sense buffer bug in SG_IO
Date: Thu, 29 Jan 2009 13:36:20 +0200
Message-ID: <498194B4.6040202@panasas.com>
In-Reply-To: <20090120130941.GI30821@kernel.dk>

Jens Axboe wrote:
> On Tue, Jan 20 2009, Boaz Harrosh wrote:
>> When submitting requests via SG_IO, which does a sync io, a
>> bsg_command is not allocated, so an in-kernel sense_buffer was not
>> set. However, when calling blk_execute_rq() with no sense buffer,
>> one is provided from the stack. Now bsg at blk_complete_sgv4_hdr_rq()
>> would check if rq->sense_len is set and a sense was requested by
>> sg_io_v4, and rq->sense was then copied back to user space, but by
>> now it is already mangled stack memory.
>>
>> I have fixed that by forcing a sense_buffer when calling bsg_map_hdr().
>> The bsg_command->sense is provided in the write/read path like before,
>> and an on-the-stack buffer is provided when doing SG_IO.
>>
>> I have also fixed a dprintk message to print rq->errors in hex because
>> of the scsi bit-field use of this member. For other block devices it
>> does not matter anyway.
>>
>> Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
> 
> Acked-by: Jens Axboe <jens.axboe@oracle.com>
> 

Jens hi.

Do we need to push this for 2.6.29-rcx? As this is a theoretical
security problem, copying and returning to user-mode a mangled
kernel stack. Also, we might need to push this to stable?

Thanks
Boaz
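The following is an added C model of the flow the commit message above describes; it is not bsg or block-layer code and is not part of the thread. `struct request`, `struct sg_io_v4`, `fake_lld_complete`, `complete_sgv4_hdr_rq`, `sg_io_sync` and `check_fixed_sg_io_flow` are simplified stand-ins (the user pointer is modelled as a plain pointer and `memcpy` replaces `copy_to_user`), and the sense bytes are constructed sample data. It shows the shape of the fix: the sense buffer is owned by the frame that both executes the request and copies the result out, it is zeroed before the driver touches it, and the copy is bounded by both sides' lengths, so the completion path can only ever return bytes the driver actually wrote.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCSI_SENSE_BUFFERSIZE 96

/* Stand-ins for the block-layer request and the sg_io_v4 header fields
 * that matter here; the real structures have many more members. */
struct request {
    uint8_t *sense;          /* buffer the driver writes sense data into */
    unsigned int sense_len;  /* bytes of sense data the driver produced */
    int errors;              /* SCSI status/driver bits (hence printed in hex) */
};

struct sg_io_v4 {
    uint8_t *response;       /* user destination (a plain pointer in this model) */
    uint32_t max_response_len;
    uint32_t response_len;
};

/* Constructed sense data: a fixed-format CHECK CONDITION reply
 * (response code 0x70, sense key ILLEGAL REQUEST, ASC/ASCQ 0x24/0x00). */
static const uint8_t SAMPLE_SENSE[18] = {
    0x70, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x0a,
    0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Stand-in for the low-level driver completing the command with sense. */
static void fake_lld_complete(struct request *rq)
{
    memcpy(rq->sense, SAMPLE_SENSE, sizeof SAMPLE_SENSE);
    rq->sense_len = sizeof SAMPLE_SENSE;
    rq->errors = 0x02;  /* SCSI status byte: CHECK CONDITION */
}

/* Completion path (cf. blk_complete_sgv4_hdr_rq): copy sense out only if the
 * driver produced some and the user asked for some, never more than either
 * buffer holds. In the kernel the memcpy is a copy_to_user(). */
static int complete_sgv4_hdr_rq(struct sg_io_v4 *hdr, struct request *rq)
{
    hdr->response_len = 0;
    if (rq->sense_len && hdr->response && hdr->max_response_len) {
        size_t len = rq->sense_len;
        if (len > hdr->max_response_len)
            len = hdr->max_response_len;
        if (len > SCSI_SENSE_BUFFERSIZE)
            len = SCSI_SENSE_BUFFERSIZE;
        memcpy(hdr->response, rq->sense, len);
        hdr->response_len = (uint32_t)len;
    }
    return rq->errors;
}

/* Fixed SG_IO flow. The defect was that the execute step lent the request a
 * buffer from its own frame, so rq->sense dangled by the time the completion
 * copy ran. Here the buffer belongs to the frame that performs both steps. */
static int sg_io_sync(struct sg_io_v4 *hdr)
{
    uint8_t sense[SCSI_SENSE_BUFFERSIZE];
    struct request rq = { .sense = sense, .sense_len = 0, .errors = 0 };

    memset(sense, 0, sizeof sense);        /* nothing stale can leak through it */
    fake_lld_complete(&rq);                /* stands in for blk_execute_rq() */
    return complete_sgv4_hdr_rq(hdr, &rq);
}

/* Self-check with a sentinel-filled user buffer: exactly the driver's bytes
 * arrive, nothing else is touched, and a short user buffer truncates.
 * Returns 0 on success, otherwise the number of the failed check. */
int check_fixed_sg_io_flow(void)
{
    uint8_t user_buf[SCSI_SENSE_BUFFERSIZE];
    struct sg_io_v4 hdr = { user_buf, sizeof user_buf, 0 };

    memset(user_buf, 0xAA, sizeof user_buf);
    if (sg_io_sync(&hdr) != 0x02)
        return 1;
    if (hdr.response_len != sizeof SAMPLE_SENSE)
        return 2;
    if (memcmp(user_buf, SAMPLE_SENSE, sizeof SAMPLE_SENSE) != 0)
        return 3;
    for (size_t i = sizeof SAMPLE_SENSE; i < sizeof user_buf; i++)
        if (user_buf[i] != 0xAA)
            return 4;                      /* bytes past sense_len untouched */

    memset(user_buf, 0xAA, sizeof user_buf);
    hdr.max_response_len = 8;
    sg_io_sync(&hdr);
    if (hdr.response_len != 8 || user_buf[8] != 0xAA)
        return 5;                          /* truncated, not overrun */
    return 0;
}

int main(void)
{
    int rc = check_fixed_sg_io_flow();
    printf("fixed SG_IO sense flow: %s (rc=%d)\n", rc ? "FAIL" : "ok", rc);
    return rc;
}
```

The two properties worth checking in any such fix are the ones the self-check exercises: the buffer handed to the driver must outlive the copy to user space, and the copy length must be the minimum of what the driver wrote and what the caller asked for.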
