On Wed, 2019-01-23 at 11:06 -0800, Bart Van Assche wrote: > Some time ago blk_execute_rq() was modified such that it no longer > allocates a sense buffer. Make sg_io() allocate and use a sense buffer. > This patch avoids that the following bug is triggered when running the > libiscsi tests against the scsi_debug driver: > > usercopy: Kernel memory exposure attempt detected from null address (offset > 0, size 18)! > ------------[ cut here ]------------ > kernel BUG at mm/usercopy.c:102! > CPU: 5 PID: 693 Comm: iscsi-test-cu Not tainted 5.0.0-rc3-dbg+ #3 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 > 04/01/2014 > RIP: 0010:usercopy_abort+0x7a/0x7c > Call Trace: > __check_object_size.cold.1+0x37/0x3d > sg_io+0x5a2/0x700 > scsi_cmd_ioctl+0x4d4/0x540 > scsi_cmd_blk_ioctl+0x7b/0x8b > sd_ioctl+0xba/0x150 > blkdev_ioctl+0x6e1/0xea0 > block_ioctl+0x79/0x90 > do_vfs_ioctl+0x12b/0x9b0 > ksys_ioctl+0x41/0x80 > __x64_sys_ioctl+0x43/0x50 > do_syscall_64+0x71/0x210 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > Cc: Christoph Hellwig <[email protected]> > Cc: Martin K. Petersen <[email protected]> > Cc: Douglas Gilbert <[email protected]> > Cc: <[email protected]> # v4.11+ > Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") > Signed-off-by: Bart Van Assche <[email protected]> > --- > block/scsi_ioctl.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c > index 533f4aee8567..066929ec0d61 100644 > --- a/block/scsi_ioctl.c > +++ b/block/scsi_ioctl.c > @@ -299,6 +299,7 @@ static int sg_io(struct request_queue *q, struct gendisk > *bd_disk, > struct request *rq; > struct scsi_request *req; > struct bio *bio; > + u8 sense[SCSI_SENSE_BUFFERSIZE]; > > if (hdr->interface_id != 'S') > return -EINVAL; > @@ -361,6 +362,7 @@ static int sg_io(struct request_queue *q, struct gendisk > *bd_disk, > > bio = rq->bio; > req->retries = 0; > + req->sense = sense; > > start_time = jiffies;
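Review bot: the new `u8 sense[SCSI_SENSE_BUFFERSIZE];` in the first hunk is an uninitialized stack array, and the trace in the commit message shows sg_io() handing the sense buffer to a user copy (`__check_object_size` called from `sg_io`), so a driver that reports a sense length without filling the buffer would expose stale kernel stack bytes instead of tripping the null-address check. Suggest zero-initializing it, e.g. `u8 sense[SCSI_SENSE_BUFFERSIZE] = {};`, and stating in the commit message that the buffer is only valid for the duration of sg_io().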
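Review bot: `req->sense = sense;` in the second hunk unconditionally overwrites whatever req->sense already held, so a sense buffer supplied by the driver or block layer for this request would be silently replaced by the stack array; guard the assignment with `if (!req->sense)` or explain in the commit message why sg_io() should own the buffer. Because `sense` is a local of sg_io(), the pointer is also only valid until the function returns; the message should say that the request is executed synchronously and fully completed before that point, since a late completion would leave req->sense pointing at freed stack memory.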
Please ignore this patch - I just realized that this is not the right way to fix the reported issue. Bart.
