From: Bart Van Assche
To: jejb@linux.vnet.ibm.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, longli@exchange.microsoft.com, martin.petersen@oracle.com
CC: longli@microsoft.com
Subject: Re: [Possible Phish Fraud][PATCH] scsi: zero per-cmd driver data for each MQ I/O
Date: Mon, 15 May 2017 23:02:56 +0000
Message-ID: <1494889376.2567.8.camel@sandisk.com>
In-Reply-To: <1494450443-2921-1-git-send-email-longli@exchange.microsoft.com>

On Wed, 2017-05-10 at 14:07 -0700, Long Li wrote:
> From: Long Li
>
> Lower layer driver may not initialize private data before use. Zero them
> out to prevent use of stale data.
> > Signed-off-by: Long Li > --- > drivers/scsi/scsi_lib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c > index 19125d7..a821593 100644 > --- a/drivers/scsi/scsi_lib.c > +++ b/drivers/scsi/scsi_lib.c > @@ -1850,7 +1850,7 @@ static int scsi_mq_prep_fn(struct request *req) > > /* zero out the cmd, except for the embedded scsi_request */ > memset((char *)cmd + sizeof(cmd->req), 0, > - sizeof(*cmd) - sizeof(cmd->req)); > + sizeof(*cmd) - sizeof(cmd->req) + shost->hostt->cmd_size); > > req->special = cmd;

Hello Long,

Sorry but this patch looks wrong to me. Since scsi_mq_prep_fn() is called after scsi_req_init(), erasing struct scsi_request from scsi_mq_prep_fn() will erase the values that were set by scsi_req_init(). That includes information like the pointer to the SCSI CDB and the CDB itself. See e.g. scsi_execute().

Did you come up with this patch after source reading or did you come up with this patch while chasing a bug?

Thanks,

Bart.
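
Review bot: The new length in the memset() call in scsi_mq_prep_fn() runs shost->hostt->cmd_size bytes past the end of *cmd, which is only safe if the driver's per-command data sits directly behind struct scsi_cmnd in the same allocation; neither the hunk nor the commit message states that layout. The comment above the call still reads "zero out the cmd, except for the embedded scsi_request", so it should be updated to say that the trailing driver data is cleared as well. The start offset `(char *)cmd + sizeof(cmd->req)` is unchanged, so every added byte is at the tail. The commit message would also be stronger if it named the driver that was seen reading stale private data.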