* [PATCH v4 0/2] scsi: core: fix uninit-value access of variable sshdr
@ 2019-10-17 6:19 zhengbin
2019-10-17 6:19 ` [PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl zhengbin
2019-10-17 6:19 ` [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr zhengbin
0 siblings, 2 replies; 8+ messages in thread
From: zhengbin @ 2019-10-17 6:19 UTC (permalink / raw)
To: bvanassche, jejb, martin.petersen, linux-scsi; +Cc: yi.zhang, zhengbin13
v1->v2: modify the comments suggested by Bart
v2->v3: fix bug in sr_do_ioctl
v3->v4: let "fix bug in sr_do_ioctl" be a separate patch
zhengbin (2):
sr: need to check whether sshdr is valid in sr_do_ioctl
scsi: core: fix uninit-value access of variable sshdr
drivers/scsi/scsi_lib.c | 7 +++++++
drivers/scsi/sr_ioctl.c | 5 +++++
2 files changed, 12 insertions(+)
--
2.7.4
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl
2019-10-17 6:19 [PATCH v4 0/2] scsi: core: fix uninit-value access of variable sshdr zhengbin
@ 2019-10-17 6:19 ` zhengbin
2019-10-18 2:12 ` Martin K. Petersen
2019-10-17 6:19 ` [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr zhengbin
1 sibling, 1 reply; 8+ messages in thread
From: zhengbin @ 2019-10-17 6:19 UTC (permalink / raw)
To: bvanassche, jejb, martin.petersen, linux-scsi; +Cc: yi.zhang, zhengbin13
Like other callers of scsi_execute(send_trespass_cmd, hp_sw_tur...),
we need to check whether sshdr is valid.
Signed-off-by: zhengbin <zhengbin13@huawei.com>
---
drivers/scsi/sr_ioctl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index ffcf902..335cfdd 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -206,6 +206,11 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
/* Minimal error checking. Ignore cases we know about, and report the rest. */
if (driver_byte(result) != 0) {
+ if (!scsi_sense_valid(sshdr)) {
+ err = -EIO;
+ goto out;
+ }
+
switch (sshdr->sense_key) {
case UNIT_ATTENTION:
SDev->changed = 1;
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr
2019-10-17 6:19 [PATCH v4 0/2] scsi: core: fix uninit-value access of variable sshdr zhengbin
2019-10-17 6:19 ` [PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl zhengbin
@ 2019-10-17 6:19 ` zhengbin
2019-10-18 2:40 ` Martin K. Petersen
1 sibling, 1 reply; 8+ messages in thread
From: zhengbin @ 2019-10-17 6:19 UTC (permalink / raw)
To: bvanassche, jejb, martin.petersen, linux-scsi; +Cc: yi.zhang, zhengbin13
kmsan report a warning in 5.1-rc4:
BUG: KMSAN: uninit-value in sr_get_events drivers/scsi/sr.c:207 [inline]
BUG: KMSAN: uninit-value in sr_check_events+0x2cf/0x1090 drivers/scsi/sr.c:243
CPU: 1 PID: 13858 Comm: syz-executor.0 Tainted: G B 5.1.0-rc4+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:619
__msan_warning+0x7a/0xf0 mm/kmsan/kmsan_instr.c:310
sr_get_events drivers/scsi/sr.c:207 [inline]
sr_check_events+0x2cf/0x1090 drivers/scsi/sr.c:243
The reason is as follows:
sr_get_events
struct scsi_sense_hdr sshdr; -->uninit
scsi_execute_req -->If fail, will not set sshdr
scsi_sense_valid(&sshdr) -->access sshdr
We can init sshdr in sr_get_events, but there have many callers of
scsi_execute, scsi_execute_req, we have to troubleshoot all callers,
the simpler way is init sshdr in __scsi_execute.
Signed-off-by: zhengbin <zhengbin13@huawei.com>
---
drivers/scsi/scsi_lib.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 5447738..d5e29c5 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -255,6 +255,13 @@ int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
struct scsi_request *rq;
int ret = DRIVER_ERROR << 24;
+ /*
+ * Zero-initialize sshdr for those callers that check the *sshdr
+ * contents even if no sense data is available.
+ */
+ if (sshdr)
+ memset(sshdr, 0, sizeof(struct scsi_sense_hdr));
+
req = blk_get_request(sdev->request_queue,
data_direction == DMA_TO_DEVICE ?
REQ_OP_SCSI_OUT : REQ_OP_SCSI_IN, BLK_MQ_REQ_PREEMPT);
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl
2019-10-17 6:19 ` [PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl zhengbin
@ 2019-10-18 2:12 ` Martin K. Petersen
2019-10-18 2:38 ` Martin K. Petersen
0 siblings, 1 reply; 8+ messages in thread
From: Martin K. Petersen @ 2019-10-18 2:12 UTC (permalink / raw)
To: zhengbin; +Cc: bvanassche, jejb, martin.petersen, linux-scsi, yi.zhang
zhengbin,
> Like other callers of scsi_execute(send_trespass_cmd, hp_sw_tur...),
> we need to check whether sshdr is valid.
Applied to 5.4/scsi-fixes, thanks!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl
2019-10-18 2:12 ` Martin K. Petersen
@ 2019-10-18 2:38 ` Martin K. Petersen
0 siblings, 0 replies; 8+ messages in thread
From: Martin K. Petersen @ 2019-10-18 2:38 UTC (permalink / raw)
To: zhengbin; +Cc: bvanassche, jejb, linux-scsi, yi.zhang
zhengbin,
>> Like other callers of scsi_execute(send_trespass_cmd, hp_sw_tur...),
>> we need to check whether sshdr is valid.
>
> Applied to 5.4/scsi-fixes, thanks!
Actually, after looking at this again, the function is making the
assumption that if driver_byte(result) != 0, then the sense is
present. It really should check both driver_byte(result) == DRIVER_SENSE
and scsi_sense_valid(sshdr) before poking at the sense data.
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr
2019-10-17 6:19 ` [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr zhengbin
@ 2019-10-18 2:40 ` Martin K. Petersen
2019-10-18 2:46 ` zhengbin (A)
0 siblings, 1 reply; 8+ messages in thread
From: Martin K. Petersen @ 2019-10-18 2:40 UTC (permalink / raw)
To: zhengbin; +Cc: bvanassche, jejb, martin.petersen, linux-scsi, yi.zhang
zhengbin,
> We can init sshdr in sr_get_events, but there have many callers of
> scsi_execute, scsi_execute_req, we have to troubleshoot all callers,
> the simpler way is init sshdr in __scsi_execute.
There aren't that many callers. I'd prefer to make sure that everybody
is handling DRIVER_SENSE and scsi_sense_valid() correctly. Looks like
we're generally OK, but please verify.
Thanks!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr
2019-10-18 2:40 ` Martin K. Petersen
@ 2019-10-18 2:46 ` zhengbin (A)
2019-10-18 2:50 ` Martin K. Petersen
0 siblings, 1 reply; 8+ messages in thread
From: zhengbin (A) @ 2019-10-18 2:46 UTC (permalink / raw)
To: Martin K. Petersen; +Cc: bvanassche, jejb, linux-scsi, yi.zhang
On 2019/10/18 10:40, Martin K. Petersen wrote:
> zhengbin,
>
>> We can init sshdr in sr_get_events, but there have many callers of
>> scsi_execute, scsi_execute_req, we have to troubleshoot all callers,
>> the simpler way is init sshdr in __scsi_execute.
> There aren't that many callers. I'd prefer to make sure that everybody
> is handling DRIVER_SENSE and scsi_sense_valid() correctly. Looks like
> we're generally OK, but please verify.
OK, I have troubleshoot callers, there are similar bug(scsi_report_opcode, cache_type_store, scsi_test_unit_ready, scsi_report_lun_scan, sd_spinup_disk, read_capacity_16,
read_capacity_10, sr_get_events, alua_rtpg, alua_stpg, send_trespass_cmd, hp_sw_tur, hp_sw_start_stop, send_mode_select, sd_sync_cache, sd_start_stop_device, sr_do_ioctl).
I modify these in a patch? or every .c a patch, use a patchset?
>
> Thanks!
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr
2019-10-18 2:46 ` zhengbin (A)
@ 2019-10-18 2:50 ` Martin K. Petersen
0 siblings, 0 replies; 8+ messages in thread
From: Martin K. Petersen @ 2019-10-18 2:50 UTC (permalink / raw)
To: zhengbin (A); +Cc: Martin K. Petersen, bvanassche, jejb, linux-scsi, yi.zhang
zhengbin,
> I modify these in a patch? or every .c a patch, use a patchset?
A patchset consisting of one patch per file, please.
Thank you!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-10-18 9:44 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-17 6:19 [PATCH v4 0/2] scsi: core: fix uninit-value access of variable sshdr zhengbin
2019-10-17 6:19 ` [PATCH v4 1/2] sr: need to check whether sshdr is valid in sr_do_ioctl zhengbin
2019-10-18 2:12 ` Martin K. Petersen
2019-10-18 2:38 ` Martin K. Petersen
2019-10-17 6:19 ` [PATCH v4 2/2] scsi: core: fix uninit-value access of variable sshdr zhengbin
2019-10-18 2:40 ` Martin K. Petersen
2019-10-18 2:46 ` zhengbin (A)
2019-10-18 2:50 ` Martin K. Petersen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.