From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751216AbeAVQa4 (ORCPT <rfc822;w@1wt.eu>);
        Mon, 22 Jan 2018 11:30:56 -0500
Received: from esa6.hgst.iphmx.com ([216.71.154.45]:40412 "EHLO
        esa6.hgst.iphmx.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750997AbeAVQay (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 22 Jan 2018 11:30:54 -0500
X-IronPort-AV: E=Sophos;i="5.46,397,1511798400";
   d="scan'208";a="70160224"
From: Bart Van Assche <Bart.VanAssche@wdc.com>
To: "jejb@linux.vnet.ibm.com" <jejb@linux.vnet.ibm.com>,
        "linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
        "dgilbert@interlog.com" <dgilbert@interlog.com>,
        "dvyukov@google.com" <dvyukov@google.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "martin.petersen@oracle.com" <martin.petersen@oracle.com>,
        "ben.hutchings@codethink.co.uk" <ben.hutchings@codethink.co.uk>
CC: "syzkaller@googlegroups.com" <syzkaller@googlegroups.com>
Subject: Re: scsi: sg: assorted memory corruptions
Thread-Topic: scsi: sg: assorted memory corruptions
Thread-Index: AQHTk3E4EP2NqvDqPkOQMjLaGP8+XqOAFcQA
Date: Mon, 22 Jan 2018 16:30:35 +0000
Message-ID: <1516638634.2545.0.camel@wdc.com>
References: <CACT4Y+b0pizvOAxtWQ-TGCRAYvHXdv79BAEaXh50W6vF8gBvkQ@mail.gmail.com>
In-Reply-To: <CACT4Y+b0pizvOAxtWQ-TGCRAYvHXdv79BAEaXh50W6vF8gBvkQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=Bart.VanAssche@wdc.com;
x-originating-ip: [199.255.44.172]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;CY1PR0401MB1565;7:iZ3dcXtrwXlFIZ7vIUifUApgR1iB30CY0WdI1u34rb4hXuJdGbfqAST8x8OvlTTs+yFLmqW6BZ/YmjgvMl3RPPi3g0R7fsQH4t+qu86qja4gpwqLNTydoc9czbN2VFfEre9vFTGPfpf4bo/JEWtsv+pgDQYNge8UHUUQXY/Tcmmb72Pw6sRJC7cyu+pUEujLwjFicXDVWYp7Sk6jv8xvO/X5VsEE1KRFqfz2XQzYTorg0waW5vs5tUJ7JttssmI7;20:4GHHlm/bxGchDLz/+n3MakHuFes3YZqfgD7QI2Q6uuqJWdLp7q4bTxyWJFaodcExH8CWCI2oKW9cFQtImjJWaciq91UN+t/LDjU0hTC6dk3FJjM5byvW9alht9fOqGDbZx+GIjSam3VsQytky7MSmqZ+KOlJIrjiZ4q/UiCsd4c=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: c6223562-ce51-47b4-4ef4-08d561b57708
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(48565401081)(2017052603307)(7153060)(7193020);SRVR:CY1PR0401MB1565;
x-ms-traffictypediagnostic: CY1PR0401MB1565:
wdcipoutbound: EOP-TRUE
x-microsoft-antispam-prvs: <CY1PR0401MB15652DFFADEC5FED1F910CE798EC0@CY1PR0401MB1565.namprd04.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(6040501)(2401047)(5005006)(8121501046)(3231023)(2400081)(944501161)(93006095)(93001095)(10201501046)(3002001)(6055026)(6041288)(20161123564045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011);SRVR:CY1PR0401MB1565;BCL:0;PCL:0;RULEID:(100000803101)(100110400095);SRVR:CY1PR0401MB1565;
x-forefront-prvs: 0560A2214D
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(39380400002)(366004)(346002)(376002)(396003)(39860400002)(189003)(199004)(377424004)(59450400001)(26005)(103116003)(102836004)(36756003)(478600001)(106356001)(14454004)(105586002)(3660700001)(3280700002)(229853002)(5660300001)(2501003)(4326008)(2950100002)(7736002)(305945005)(6486002)(2906002)(72206003)(6506007)(76176011)(6246003)(68736007)(99286004)(66066001)(81166006)(8936002)(3846002)(6116002)(25786009)(6436002)(2900100001)(53936002)(6512007)(8676002)(81156014)(316002)(77096007)(97736004)(86362001)(110136005)(2201001);DIR:OUT;SFP:1102;SCL:1;SRVR:CY1PR0401MB1565;H:CY1PR0401MB1536.namprd04.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
x-microsoft-antispam-message-info: MI278lNzqzwlgXrOJQhUgeHtuvgYUy1R2MVklPZHsizk0nWxr9zBSa2E1gdREwTj5micDag2dPT82OUPfMwfmg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <B123958BDA32144EB508D23EB6F6918B@namprd04.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: wdc.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c6223562-ce51-47b4-4ef4-08d561b57708
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jan 2018 16:30:35.6332
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: b61c8803-16f3-4c35-9b17-6f65f441df86
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0401MB1565
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by mail.home.local id w0MGVE7t018292

On Mon, 2018-01-22 at 12:06 +0100, Dmitry Vyukov wrote:
> general protection fault: 0000 [#1] SMP KASAN

How about the untested patch below?

Thanks,

Bart.


diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index cd9b6ebd7257..04a644b39d79 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -627,6 +627,10 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
 	mutex_unlock(&sfp->f_mutex);
 	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sdp,
 		"sg_write:   scsi opcode=0x%02x, cmd_size=%d\n", (int) opcode, cmd_size));
+	if (cmd_size > sizeof(cmnd)) {
+		sg_remove_request(sfp, srp);
+		return -EFAULT;
+	}
 	/* Determine buffer size.  */
 	input_size = count - cmd_size;
 	mxsize = max(input_size, old_hdr.reply_len);