From: "Martin K. Petersen" <martin.petersen@oracle.com>
To: Ming Lei <ming.lei@redhat.com>
Cc: Bart Van Assche <bart.vanassche@wdc.com>,
Jens Axboe <axboe@kernel.dk>,
linux-block@vger.kernel.org, linux-scsi@vger.kernel.org,
Christoph Hellwig <hch@lst.de>,
"James E . J . Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Hannes Reinecke <hare@suse.com>,
Johannes Thumshirn <jthumshirn@suse.de>,
stable@vger.kernel.org
Subject: Re: [PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference
Date: Thu, 07 Dec 2017 21:46:21 -0500
Message-ID: <yq1374muebm.fsf@oracle.com>
In-Reply-To: <20171208014528.GD21488@ming.t460p> (Ming Lei's message of "Fri, 8 Dec 2017 09:45:29 +0800")
Ming,
> As I explained in [1], the use-after-free is inevitable no matter if
> clearing 'SCpnt->cmnd' before mempool_free() in sd_uninit_command() or
> not, so we need to comment the fact that cdb may point to garbage
> data, and this function (especially __scsi_format_command()) has to
> survive that, so that people won't be surprised when KASAN complains
> about a use-after-free, and guys will be careful when they try to change
> the code in future.
Longer term we really need to get rid of the separate CDB allocation. It
was a necessary evil when I did it. And not much of a concern since I
did not expect anybody sane to use Type 2 (it's designed for use inside
disk arrays).
However, I keep hearing about people using Type 2 drives. Some vendors
source drives formatted that way and use the same SKU for arrays and
standalone servers.
So we should really look into making it possible for a queue to have a
bigger than 16-byte built-in CDB. For Type 2 devices, 32-byte reads and
writes are a prerequisite. So it would be nice to be able to switch a
queue to a larger allocation post creation (we won't know the type until
after READ CAPACITY(16) has been sent).
Last I looked at this it was not entirely trivial given how we tag
things on to the end. But that really is my preferred fix.
-- 
Martin K. Petersen
Oracle Linux Engineering
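The two points the thread turns on, that a CDB larger than the 16-byte built-in buffer forces a separate allocation which a debug dump may then see after it has been released, and that Type 2 protection needs 32-byte READ/WRITE commands, can be modelled in user space. The following is an added example, not code from this thread or from the kernel: the struct and function names (model_cmd, model_init_command, model_uninit_command, model_setup_read32, model_format_command) are invented for the model, and the READ(32) byte layout is taken from SBC-3 as I know it, not from the page.

```c
/* Added example, not kernel code: a user-space model of the CDB storage
 * choice discussed in the thread. All model_* names are invented here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CDB_INLINE_SIZE      16     /* the built-in CDB size the thread refers to */
#define VARIABLE_LENGTH_CMD  0x7f   /* opcode shared by all 32-byte CDBs */
#define READ_32              0x09   /* READ(32) service action, low byte */
#define RW32_CDB_LEN         32

struct model_cmd {
    unsigned char  cmnd_inline[CDB_INLINE_SIZE];
    unsigned char *cmnd;        /* -> cmnd_inline, or a separate allocation */
    unsigned short cmd_len;
};

/* Pick storage for a CDB of cdb_len bytes: inline if it fits, otherwise
 * the separate allocation the thread wants to get rid of. */
int model_init_command(struct model_cmd *c, size_t cdb_len)
{
    memset(c, 0, sizeof(*c));
    if (cdb_len > RW32_CDB_LEN)
        return -1;
    if (cdb_len <= CDB_INLINE_SIZE) {
        c->cmnd = c->cmnd_inline;
    } else {
        c->cmnd = calloc(1, cdb_len);
        if (!c->cmnd)
            return -1;
    }
    c->cmd_len = (unsigned short)cdb_len;
    return 0;
}

/* Model of the uninit step: release the separate buffer and clear the
 * pointer so a later debug dump sees NULL rather than freed memory. */
void model_uninit_command(struct model_cmd *c)
{
    if (c->cmnd && c->cmnd != c->cmnd_inline)
        free(c->cmnd);
    c->cmnd = NULL;
    c->cmd_len = 0;
}

static void put_be64(unsigned char *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { p[i] = (unsigned char)v; v >>= 8; }
}

static void put_be32(unsigned char *p, uint32_t v)
{
    for (int i = 3; i >= 0; i--) { p[i] = (unsigned char)v; v >>= 8; }
}

/* Build a READ(32), the command Type 2 protection requires; it cannot fit
 * in a 16-byte built-in CDB. ref_tag is the expected initial reference tag
 * (SBC-3 layout, as assumed by this model). */
int model_setup_read32(struct model_cmd *c, uint64_t lba, uint32_t nr_blocks,
                       uint32_t ref_tag)
{
    if (model_init_command(c, RW32_CDB_LEN))
        return -1;
    c->cmnd[0] = VARIABLE_LENGTH_CMD;
    c->cmnd[7] = 0x18;             /* additional CDB length: 24 bytes follow */
    c->cmnd[8] = 0x00;             /* service action, high byte */
    c->cmnd[9] = READ_32;          /* service action, low byte */
    put_be64(&c->cmnd[12], lba);
    put_be32(&c->cmnd[20], ref_tag);
    put_be32(&c->cmnd[28], nr_blocks);
    return 0;
}

/* Debug formatter in the spirit of __scsi_format_command(): it must survive
 * a command whose CDB has already been released. Returns the number of
 * characters written, or -1 when there is no CDB to show. */
int model_format_command(const struct model_cmd *c, char *buf, size_t len)
{
    if (!c->cmnd || c->cmd_len == 0) {
        snprintf(buf, len, "(no cdb)");
        return -1;
    }
    size_t off = 0;
    for (unsigned i = 0; i < c->cmd_len && off + 3 < len; i++)
        off += (size_t)snprintf(buf + off, len - off, "%02x ", c->cmnd[i]);
    if (off && buf[off - 1] == ' ')
        buf[--off] = '\0';
    return (int)off;
}

int main(void)
{
    struct model_cmd c;
    char line[128];

    model_setup_read32(&c, 0x1234, 8, 0x1234);
    model_format_command(&c, line, sizeof(line));
    printf("READ(32) uses %s storage: %s\n",
           c.cmnd == c.cmnd_inline ? "inline" : "separate", line);
    model_uninit_command(&c);
    model_format_command(&c, line, sizeof(line));
    printf("after uninit: %s\n", line);
    return 0;
}
```

Raising CDB_INLINE_SIZE to 32 makes model_init_command keep READ(32) inline, which is the direction Martin describes; the formatter's NULL check is the part the thread says the dump path must keep regardless of which allocation strategy is chosen.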
Thread overview: 12+ messages
2017-12-06 0:57 [PATCH v2 0/3] Show all commands in debugfs Bart Van Assche
2017-12-06 0:57 ` [PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference Bart Van Assche
2017-12-08 1:45 ` Ming Lei
2017-12-08 2:46 ` Martin K. Petersen [this message]
2017-12-08 8:44 ` Ming Lei
2017-12-08 10:44 ` Ming Lei
2017-12-12 3:11 ` Martin K. Petersen
2017-12-12 3:28 ` Ming Lei
2017-12-12 2:57 ` Martin K. Petersen
2017-12-06 0:57 ` [PATCH v2 2/3] blk-mq-debugfs: Also show requests that have not yet been started Bart Van Assche
2017-12-06 0:57 ` [PATCH v2 3/3] scsi-mq-debugfs: Show more information Bart Van Assche
2018-01-09 3:11 ` Martin K. Petersen