* [PATCH] scsi: scsi_debug: Fix a warning in resp_write_scat()
@ 2022-11-11 10:05 Harshit Mogalapalli
2022-11-11 17:23 ` Douglas Gilbert
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Harshit Mogalapalli @ 2022-11-11 10:05 UTC (permalink / raw)
Cc: harshit.m.mogalapalli, error27, harshit.m.mogalapalli,
James E.J. Bottomley, Martin K. Petersen, Douglas Gilbert,
linux-scsi, linux-kernel
As 'lbdof_blen' is coming from user, if the size in kzalloc()
is >= MAX_ORDER then we hit a warning.
Call trace:
sg_ioctl
sg_ioctl_common
scsi_ioctl
sg_scsi_ioctl
blk_execute_rq
blk_mq_sched_insert_request
blk_mq_run_hw_queue
__blk_mq_delay_run_hw_queue
__blk_mq_run_hw_queue
blk_mq_sched_dispatch_requests
__blk_mq_sched_dispatch_requests
blk_mq_dispatch_rq_list
scsi_queue_rq
scsi_dispatch_cmd
scsi_debug_queuecommand
schedule_resp
resp_write_scat
If you try to allocate a memory larger than(>=) MAX_ORDER, then kmalloc()
will definitely fail. It creates a stack trace and messes up dmesg.
The user controls the size here so if they specify a too large size it
will fail.
Add __GFP_NOWARN in order to avoid too large allocation warning.
This is detected by static analysis using smatch.
Fixes: 481b5e5c7949 ("scsi: scsi_debug: add resp_write_scat function")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
drivers/scsi/scsi_debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 697fc57bc711..273224d29ce9 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -3778,7 +3778,7 @@ static int resp_write_scat(struct scsi_cmnd *scp,
mk_sense_buffer(scp, ILLEGAL_REQUEST, INVALID_FIELD_IN_CDB, 0);
return illegal_condition_result;
}
- lrdp = kzalloc(lbdof_blen, GFP_ATOMIC);
+ lrdp = kzalloc(lbdof_blen, GFP_ATOMIC | __GFP_NOWARN);
if (lrdp == NULL)
return SCSI_MLQUEUE_HOST_BUSY;
if (sdebug_verbose)
--
2.38.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] scsi: scsi_debug: Fix a warning in resp_write_scat()
2022-11-11 10:05 [PATCH] scsi: scsi_debug: Fix a warning in resp_write_scat() Harshit Mogalapalli
@ 2022-11-11 17:23 ` Douglas Gilbert
2022-11-12 7:13 ` Harshit Mogalapalli
2022-11-17 18:12 ` Martin K. Petersen
2022-11-26 3:27 ` Martin K. Petersen
2 siblings, 1 reply; 5+ messages in thread
From: Douglas Gilbert @ 2022-11-11 17:23 UTC (permalink / raw)
To: Harshit Mogalapalli
Cc: error27, harshit.m.mogalapalli, James E.J. Bottomley,
Martin K. Petersen, linux-scsi, linux-kernel
On 2022-11-11 05:05, Harshit Mogalapalli wrote:
> As 'lbdof_blen' is coming from user, if the size in kzalloc()
> is >= MAX_ORDER then we hit a warning.
>
> Call trace:
>
> sg_ioctl
> sg_ioctl_common
> scsi_ioctl
> sg_scsi_ioctl
> blk_execute_rq
> blk_mq_sched_insert_request
> blk_mq_run_hw_queue
> __blk_mq_delay_run_hw_queue
> __blk_mq_run_hw_queue
> blk_mq_sched_dispatch_requests
> __blk_mq_sched_dispatch_requests
> blk_mq_dispatch_rq_list
> scsi_queue_rq
> scsi_dispatch_cmd
> scsi_debug_queuecommand
> schedule_resp
> resp_write_scat
>
> If you try to allocate a memory larger than(>=) MAX_ORDER, then kmalloc()
> will definitely fail. It creates a stack trace and messes up dmesg.
> The user controls the size here so if they specify a too large size it
> will fail.
>
> Add __GFP_NOWARN in order to avoid too large allocation warning.
> This is detected by static analysis using smatch.
>
> Fixes: 481b5e5c7949 ("scsi: scsi_debug: add resp_write_scat function")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Thanks.
> ---
> drivers/scsi/scsi_debug.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> index 697fc57bc711..273224d29ce9 100644
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -3778,7 +3778,7 @@ static int resp_write_scat(struct scsi_cmnd *scp,
> mk_sense_buffer(scp, ILLEGAL_REQUEST, INVALID_FIELD_IN_CDB, 0);
> return illegal_condition_result;
> }
> - lrdp = kzalloc(lbdof_blen, GFP_ATOMIC);
> + lrdp = kzalloc(lbdof_blen, GFP_ATOMIC | __GFP_NOWARN);
> if (lrdp == NULL)
> return SCSI_MLQUEUE_HOST_BUSY;
> if (sdebug_verbose)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] scsi: scsi_debug: Fix a warning in resp_write_scat()
2022-11-11 17:23 ` Douglas Gilbert
@ 2022-11-12 7:13 ` Harshit Mogalapalli
0 siblings, 0 replies; 5+ messages in thread
From: Harshit Mogalapalli @ 2022-11-12 7:13 UTC (permalink / raw)
To: dgilbert
Cc: error27, harshit.m.mogalapalli, James E.J. Bottomley,
Martin K. Petersen, linux-scsi, linux-kernel
Hi Doug,
On 11/11/22 10:53 pm, Douglas Gilbert wrote:
> On 2022-11-11 05:05, Harshit Mogalapalli wrote:
>> As 'lbdof_blen' is coming from user, if the size in kzalloc()
>> is >= MAX_ORDER then we hit a warning.
>>
>> Call trace:
>>
>> sg_ioctl
>> sg_ioctl_common
>> scsi_ioctl
>> sg_scsi_ioctl
>> blk_execute_rq
>> blk_mq_sched_insert_request
>> blk_mq_run_hw_queue
>> __blk_mq_delay_run_hw_queue
>> __blk_mq_run_hw_queue
>> blk_mq_sched_dispatch_requests
>> __blk_mq_sched_dispatch_requests
>> blk_mq_dispatch_rq_list
>> scsi_queue_rq
>> scsi_dispatch_cmd
>> scsi_debug_queuecommand
>> schedule_resp
>> resp_write_scat
>>
>> If you try to allocate a memory larger than(>=) MAX_ORDER, then kmalloc()
>> will definitely fail. It creates a stack trace and messes up dmesg.
>> The user controls the size here so if they specify a too large size it
>> will fail.
>>
>> Add __GFP_NOWARN in order to avoid too large allocation warning.
>> This is detected by static analysis using smatch.
>>
>> Fixes: 481b5e5c7949 ("scsi: scsi_debug: add resp_write_scat function")
>> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
>
> Acked-by: Douglas Gilbert <dgilbert@interlog.com>
>
Thank you very much for checking the patch.
We have two more similar cases in the scsi_debug.c file in resp_verify()
and resp_report_zones() functions. These are also detected using static
analysis with smatch.
I have sent out patches for those.
Thanks,
Harshit
> Thanks.
>
>> ---
>> drivers/scsi/scsi_debug.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
>> index 697fc57bc711..273224d29ce9 100644
>> --- a/drivers/scsi/scsi_debug.c
>> +++ b/drivers/scsi/scsi_debug.c
>> @@ -3778,7 +3778,7 @@ static int resp_write_scat(struct scsi_cmnd *scp,
>> mk_sense_buffer(scp, ILLEGAL_REQUEST, INVALID_FIELD_IN_CDB, 0);
>> return illegal_condition_result;
>> }
>> - lrdp = kzalloc(lbdof_blen, GFP_ATOMIC);
>> + lrdp = kzalloc(lbdof_blen, GFP_ATOMIC | __GFP_NOWARN);
>> if (lrdp == NULL)
>> return SCSI_MLQUEUE_HOST_BUSY;
>> if (sdebug_verbose)
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] scsi: scsi_debug: Fix a warning in resp_write_scat()
2022-11-11 10:05 [PATCH] scsi: scsi_debug: Fix a warning in resp_write_scat() Harshit Mogalapalli
2022-11-11 17:23 ` Douglas Gilbert
@ 2022-11-17 18:12 ` Martin K. Petersen
2022-11-26 3:27 ` Martin K. Petersen
2 siblings, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2022-11-17 18:12 UTC (permalink / raw)
To: Harshit Mogalapalli
Cc: error27, harshit.m.mogalapalli, James E.J. Bottomley,
Martin K. Petersen, Douglas Gilbert, linux-scsi, linux-kernel
Harshit,
> As 'lbdof_blen' is coming from user, if the size in kzalloc() is >=
> MAX_ORDER then we hit a warning.
Applied to 6.2/scsi-staging, thanks!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] scsi: scsi_debug: Fix a warning in resp_write_scat()
2022-11-11 10:05 [PATCH] scsi: scsi_debug: Fix a warning in resp_write_scat() Harshit Mogalapalli
2022-11-11 17:23 ` Douglas Gilbert
2022-11-17 18:12 ` Martin K. Petersen
@ 2022-11-26 3:27 ` Martin K. Petersen
2 siblings, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2022-11-26 3:27 UTC (permalink / raw)
To: Harshit Mogalapalli
Cc: Martin K . Petersen, Douglas Gilbert, error27,
harshit.m.mogalapalli, linux-kernel, linux-scsi,
James E.J. Bottomley
On Fri, 11 Nov 2022 02:05:25 -0800, Harshit Mogalapalli wrote:
> As 'lbdof_blen' is coming from user, if the size in kzalloc()
> is >= MAX_ORDER then we hit a warning.
>
> Call trace:
>
> sg_ioctl
> sg_ioctl_common
> scsi_ioctl
> sg_scsi_ioctl
> blk_execute_rq
> blk_mq_sched_insert_request
> blk_mq_run_hw_queue
> __blk_mq_delay_run_hw_queue
> __blk_mq_run_hw_queue
> blk_mq_sched_dispatch_requests
> __blk_mq_sched_dispatch_requests
> blk_mq_dispatch_rq_list
> scsi_queue_rq
> scsi_dispatch_cmd
> scsi_debug_queuecommand
> schedule_resp
> resp_write_scat
>
> [...]
Applied to 6.2/scsi-queue, thanks!
[1/1] scsi: scsi_debug: Fix a warning in resp_write_scat()
https://git.kernel.org/mkp/scsi/c/216e179724c1
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-11-26 3:27 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-11 10:05 [PATCH] scsi: scsi_debug: Fix a warning in resp_write_scat() Harshit Mogalapalli
2022-11-11 17:23 ` Douglas Gilbert
2022-11-12 7:13 ` Harshit Mogalapalli
2022-11-17 18:12 ` Martin K. Petersen
2022-11-26 3:27 ` Martin K. Petersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).