Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bd1599d9 authored by Omar Sandoval's avatar Omar Sandoval Committed by Jens Axboe
Browse files

scsi_transport_sas: fix BSG ioctl memory corruption 



The end_device and sas_host devices support BSG ioctls, but the
request_queue allocated for them isn't set up to allocate the struct
scsi_request payload. This leads to memory corruption in the call to
scsi_req_init() in bsg_map_hdr(), since it will memset past the end of
the allocated request. Fix it by setting ->cmd_size on the allocated
request_queue.

Fixes: 82ed4db4 ("block: split scsi_request out of struct request")
Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
Acked-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarJens Axboe <axboe@fb.com>
parent cccd9fb9

drivers/scsi/scsi_transport_sas.c

+16 −8
Original line number Diff line number Diff line
@@ -227,27 +227,31 @@ static int sas_bsg_initialize(struct Scsi_Host *shost, struct sas_rphy *rphy) 
		return 0;

	}



	q = blk_alloc_queue(GFP_KERNEL);

	if (!q)

		return -ENOMEM;

	q->cmd_size = sizeof(struct scsi_request);



	if (rphy) {

		q = blk_init_queue(sas_non_host_smp_request, NULL);

		q->request_fn = sas_non_host_smp_request;

		dev = &rphy->dev;

		name = dev_name(dev);

		release = NULL;

	} else {

		q = blk_init_queue(sas_host_smp_request, NULL);

		q->request_fn = sas_host_smp_request;

		dev = &shost->shost_gendev;

		snprintf(namebuf, sizeof(namebuf),

			 "sas_host%d", shost->host_no);

		name = namebuf;

		release = sas_host_release;

	}

	if (!q)

		return -ENOMEM;

	error = blk_init_allocated_queue(q);

	if (error)

		goto out_cleanup_queue;



	error = bsg_register_queue(q, dev, name, release);

	if (error) {

		blk_cleanup_queue(q);

		return -ENOMEM;

	}

	if (error)

		goto out_cleanup_queue;



	if (rphy)

		rphy->q = q;
@@ -261,6 +265,10 @@ static int sas_bsg_initialize(struct Scsi_Host *shost, struct sas_rphy *rphy) 


	queue_flag_set_unlocked(QUEUE_FLAG_BIDI, q);

	return 0;



out_cleanup_queue:

	blk_cleanup_queue(q);

	return error;

}



static void sas_bsg_remove(struct Scsi_Host *shost, struct sas_rphy *rphy)