From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Laura Abbott <labbott@redhat.com>,
Mike Christie <mchristi@redhat.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 048/109] scsi: iscsi: target: Dont use stack buffer for scatterlist
Date: Tue, 16 Oct 2018 19:05:16 +0200
Message-ID: <20181016170527.573268692@linuxfoundation.org>
In-Reply-To: <20181016170524.530541524@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laura Abbott <labbott@redhat.com>
[ Upstream commit 679fcae46c8b2352bba3485d521da070cfbe68e6 ]
Fedora got a bug report of a crash with iSCSI:
kernel BUG at include/linux/scatterlist.h:143!
...
RIP: 0010:iscsit_do_crypto_hash_buf+0x154/0x180 [iscsi_target_mod]
...
Call Trace:
? iscsi_target_tx_thread+0x200/0x200 [iscsi_target_mod]
iscsit_get_rx_pdu+0x4cd/0xa90 [iscsi_target_mod]
? native_sched_clock+0x3e/0xa0
? iscsi_target_tx_thread+0x200/0x200 [iscsi_target_mod]
iscsi_target_rx_thread+0x81/0xf0 [iscsi_target_mod]
kthread+0x120/0x140
? kthread_create_worker_on_cpu+0x70/0x70
ret_from_fork+0x3a/0x50
This is a BUG_ON for using a stack buffer with a scatterlist. There
are two cases that trigger this bug. Switch to using a dynamically
allocated buffer for one case and do not assign a NULL buffer in
another case.
Signed-off-by: Laura Abbott <labbott@redhat.com>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/iscsi/iscsi_target.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -1421,7 +1421,8 @@ static void iscsit_do_crypto_hash_buf(
sg_init_table(sg, ARRAY_SIZE(sg));
sg_set_buf(sg, buf, payload_length);
- sg_set_buf(sg + 1, pad_bytes, padding);
+ if (padding)
+ sg_set_buf(sg + 1, pad_bytes, padding);
ahash_request_set_crypt(hash, sg, data_crc, payload_length + padding);
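Review bot: with the new `if (padding)` guard, sg[1] is never filled in when padding is 0, yet `sg_init_table(sg, ARRAY_SIZE(sg))` still sets up the full table, so correctness rests on the `payload_length + padding` length passed to ahash_request_set_crypt() limiting the hash to sg[0]. A short comment above the guard tying it to the NULL buffer case from the commit message would make the reason for the conditional clear from the code itself.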
@@ -3942,10 +3943,14 @@ static bool iscsi_target_check_conn_stat
static void iscsit_get_rx_pdu(struct iscsi_conn *conn)
{
int ret;
- u8 buffer[ISCSI_HDR_LEN], opcode;
+ u8 *buffer, opcode;
u32 checksum = 0, digest = 0;
struct kvec iov;
+ buffer = kcalloc(ISCSI_HDR_LEN, sizeof(*buffer), GFP_KERNEL);
+ if (!buffer)
+ return;
+
while (!kthread_should_stop()) {
/*
* Ensure that both TX and RX per connection kthreads
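Review bot: the `if (!buffer) return;` path after the kcalloc() leaves the RX function silently; a pr_err() before the return would make an allocation failure visible instead of a connection whose RX side simply stops. As a style point, for a u8 buffer kzalloc(ISCSI_HDR_LEN, GFP_KERNEL) expresses the same allocation more directly than kcalloc(ISCSI_HDR_LEN, sizeof(*buffer), GFP_KERNEL).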
@@ -3953,7 +3958,6 @@ static void iscsit_get_rx_pdu(struct isc
*/
iscsit_thread_check_cpumask(conn, current, 0);
- memset(buffer, 0, ISCSI_HDR_LEN);
memset(&iov, 0, sizeof(struct kvec));
iov.iov_base = buffer;
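Review bot: removing `memset(buffer, 0, ISCSI_HDR_LEN)` from the loop means the buffer is zeroed only once, by the kcalloc(), and every later iteration starts with the previous PDU header still in it. That is safe only while every consumer of buffer runs after the `ret != ISCSI_HDR_LEN` check in the next hunk, which breaks out on a short read; either say so in a comment here or keep the memset, which is cheap at this size.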
@@ -3962,7 +3966,7 @@ static void iscsit_get_rx_pdu(struct isc
ret = rx_data(conn, &iov, 1, ISCSI_HDR_LEN);
if (ret != ISCSI_HDR_LEN) {
iscsit_rx_thread_wait_for_tcp(conn);
- return;
+ break;
}
if (conn->conn_ops->HeaderDigest) {
@@ -3972,7 +3976,7 @@ static void iscsit_get_rx_pdu(struct isc
ret = rx_data(conn, &iov, 1, ISCSI_CRC_LEN);
if (ret != ISCSI_CRC_LEN) {
iscsit_rx_thread_wait_for_tcp(conn);
- return;
+ break;
}
iscsit_do_crypto_hash_buf(conn->conn_rx_hash,
@@ -3996,7 +4000,7 @@ static void iscsit_get_rx_pdu(struct isc
}
if (conn->conn_state == TARG_CONN_STATE_IN_LOGOUT)
- return;
+ break;
opcode = buffer[0] & ISCSI_OPCODE_MASK;
@@ -4007,13 +4011,15 @@ static void iscsit_get_rx_pdu(struct isc
" while in Discovery Session, rejecting.\n", opcode);
iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR,
buffer);
- return;
+ break;
}
ret = iscsi_target_rx_opcode(conn, buffer);
if (ret < 0)
- return;
+ break;
}
+
+ kfree(buffer);
}
int iscsi_target_rx_thread(void *arg)
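Review bot: in the Discovery Session reject path, `buffer` is handed to iscsit_add_reject() and then freed by the new kfree() as soon as the `break` leaves the loop, so this relies on the callee not keeping the pointer, which these lines do not show. The stack array had the same lifetime, so this is not a regression, but please confirm the reject path copies the header, since a retained heap pointer would be a use-after-free. A comment at the allocation stating that every exit must reach the kfree() would also guard against a later `return` inside the loop leaking the buffer.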