public inbox for linux-scsi@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH 5.10 011/575] scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd()
       [not found] <20211115165343.579890274@linuxfoundation.org>
@ 2021-11-15 16:55 ` Greg Kroah-Hartman
  2021-11-15 17:58   ` Bart Van Assche
  0 siblings, 1 reply; 4+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 16:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Christoph Hellwig,
	James E.J. Bottomley, Martin K. Petersen, linux-scsi,
	syzbot+5516b30f5401d4dcbcae, Tadeusz Struk

From: Tadeusz Struk <tadeusz.struk@linaro.org>

commit 703535e6ae1e94c89a9c1396b4c7b6b41160ef0c upstream.

No need to deduce command size in scsi_setup_scsi_cmnd() anymore as
appropriate checks have been added to scsi_fill_sghdr_rq() function and the
cmd_len should never be zero here.  The code to do that wasn't correct
anyway, as it used uninitialized cmd->cmnd, which caused a null-ptr-deref
if the command size was zero as in the trace below. Fix this by removing
the unneeded code.

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1822 Comm: repro Not tainted 5.15.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
Call Trace:
 blk_mq_dispatch_rq_list+0x7c7/0x12d0
 __blk_mq_sched_dispatch_requests+0x244/0x380
 blk_mq_sched_dispatch_requests+0xf0/0x160
 __blk_mq_run_hw_queue+0xe8/0x160
 __blk_mq_delay_run_hw_queue+0x252/0x5d0
 blk_mq_run_hw_queue+0x1dd/0x3b0
 blk_mq_sched_insert_request+0x1ff/0x3e0
 blk_execute_rq_nowait+0x173/0x1e0
 blk_execute_rq+0x15c/0x540
 sg_io+0x97c/0x1370
 scsi_ioctl+0xe16/0x28e0
 sd_ioctl+0x134/0x170
 blkdev_ioctl+0x362/0x6e0
 block_ioctl+0xb0/0xf0
 vfs_ioctl+0xa7/0xf0
 do_syscall_64+0x3d/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
---[ end trace 8b086e334adef6d2 ]---
Kernel panic - not syncing: Fatal exception

Link: https://lore.kernel.org/r/20211103170659.22151-2-tadeusz.struk@linaro.org
Fixes: 2ceda20f0a99 ("scsi: core: Move command size detection out of the fast path")
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: James E.J. Bottomley <jejb@linux.ibm.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>
Cc: <stable@vger.kernel.org> # 5.15, 5.14, 5.10
Reported-by: syzbot+5516b30f5401d4dcbcae@syzkaller.appspotmail.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_lib.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1193,8 +1193,6 @@ static blk_status_t scsi_setup_scsi_cmnd
 	}
 
 	cmd->cmd_len = scsi_req(req)->cmd_len;
-	if (cmd->cmd_len == 0)
-		cmd->cmd_len = scsi_command_size(cmd->cmnd);
 	cmd->cmnd = scsi_req(req)->cmd;
 	cmd->transfersize = blk_rq_bytes(req);
 	cmd->allowed = scsi_req(req)->retries;



^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH 5.10 011/575] scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd()
  2021-11-15 16:55 ` [PATCH 5.10 011/575] scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd() Greg Kroah-Hartman
@ 2021-11-15 17:58   ` Bart Van Assche
  2021-11-15 18:11     ` Greg Kroah-Hartman
  2021-11-15 18:32     ` Tadeusz Struk
  0 siblings, 2 replies; 4+ messages in thread
From: Bart Van Assche @ 2021-11-15 17:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, Christoph Hellwig, James E.J. Bottomley,
	Martin K. Petersen, linux-scsi, syzbot+5516b30f5401d4dcbcae,
	Tadeusz Struk

On 11/15/21 8:55 AM, Greg Kroah-Hartman wrote:
> From: Tadeusz Struk <tadeusz.struk@linaro.org>
> 
> commit 703535e6ae1e94c89a9c1396b4c7b6b41160ef0c upstream.

Hi Greg,

Thanks for having queued this patch for the 5.10 stable branch.

Do you plan to also include commit 20aaef52eb08 ("scsi: scsi_ioctl: 
Validate command size")? That patch prevents that the bug in the commit 
mentioned above can be triggered.

Thanks,

Bart.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH 5.10 011/575] scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd()
  2021-11-15 17:58   ` Bart Van Assche
@ 2021-11-15 18:11     ` Greg Kroah-Hartman
  2021-11-15 18:32     ` Tadeusz Struk
  1 sibling, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-15 18:11 UTC (permalink / raw)
  To: Bart Van Assche
  Cc: linux-kernel, stable, Christoph Hellwig, James E.J. Bottomley,
	Martin K. Petersen, linux-scsi, syzbot+5516b30f5401d4dcbcae,
	Tadeusz Struk

On Mon, Nov 15, 2021 at 09:58:19AM -0800, Bart Van Assche wrote:
> On 11/15/21 8:55 AM, Greg Kroah-Hartman wrote:
> > From: Tadeusz Struk <tadeusz.struk@linaro.org>
> > 
> > commit 703535e6ae1e94c89a9c1396b4c7b6b41160ef0c upstream.
> 
> Hi Greg,
> 
> Thanks for having queued this patch for the 5.10 stable branch.
> 
> Do you plan to also include commit 20aaef52eb08 ("scsi: scsi_ioctl: Validate
> command size")? That patch prevents that the bug in the commit mentioned
> above can be triggered.

It did not apply to 5.10.y and 5.14.y and a "FAILED:" email was sent out
asking for a backport of it.

If you can provide that, great, I'll be glad to take it.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH 5.10 011/575] scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd()
  2021-11-15 17:58   ` Bart Van Assche
  2021-11-15 18:11     ` Greg Kroah-Hartman
@ 2021-11-15 18:32     ` Tadeusz Struk
  1 sibling, 0 replies; 4+ messages in thread
From: Tadeusz Struk @ 2021-11-15 18:32 UTC (permalink / raw)
  To: Bart Van Assche, Greg Kroah-Hartman, linux-kernel
  Cc: stable, Christoph Hellwig, James E.J. Bottomley,
	Martin K. Petersen, linux-scsi, syzbot+5516b30f5401d4dcbcae

On 11/15/21 09:58, Bart Van Assche wrote:
> Hi Greg,
> 
> Thanks for having queued this patch for the 5.10 stable branch.
> 
> Do you plan to also include commit 20aaef52eb08 ("scsi: scsi_ioctl: Validate 
> command size")? That patch prevents that the bug in the commit mentioned above 
> can be triggered.
> 
> Thanks,

Hi Brad,
The "scsi_ioctl: Validate command size" patch is not needed for either 5.10 nor
5.14 as the it is set directly from COMMAND_SIZE(opcode). See:

https://elixir.bootlin.com/linux/v5.14.18/source/block/scsi_ioctl.c#L445
https://elixir.bootlin.com/linux/v5.10.79/source/block/scsi_ioctl.c#L447

-- 
Thanks,
Tadeusz

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-11-16  2:17 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20211115165343.579890274@linuxfoundation.org>
2021-11-15 16:55 ` [PATCH 5.10 011/575] scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd() Greg Kroah-Hartman
2021-11-15 17:58   ` Bart Van Assche
2021-11-15 18:11     ` Greg Kroah-Hartman
2021-11-15 18:32     ` Tadeusz Struk

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox