-
由 Laibin Qiu 提交于
hulk inclusion category: bugfix bugzilla: 179896 https://gitee.com/openeuler/kernel/issues/I4DDEL --------------------------- In passthrough path. If the command size for ioctl request from userspace is 0. The original process will get cmd_len from cmd->cmnd, but It has not been assigned at this time. So it will trigger a NULL pointer BUG. ------------[ cut here ]------------ BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page RIP: 0010:scsi_queue_rq+0xcb2/0x12b0 Call Trace: blk_mq_dispatch_rq_list+0x541/0xe90 __blk_mq_sched_dispatch_requests+0x1fe/0x2b0 blk_mq_sched_dispatch_requests+0xbf/0x130 __blk_mq_run_hw_queue+0x15b/0x230 __blk_mq_delay_run_hw_queue+0x18f/0x320 blk_mq_run_hw_queue+0x252/0x280 blk_mq_sched_insert_request+0x228/0x260 blk_execute_rq+0x111/0x160 sg_io+0x51a/0x740 scsi_cmd_ioctl+0x533/0x910 scsi_cmd_blk_ioctl+0xa1/0xb0 cdrom_ioctl+0x3f/0x2510 sr_block_ioctl+0x142/0x180 blkdev_ioctl+0x398/0x450 block_ioctl+0x6d/0x80 __se_sys_ioctl+0xd1/0x140 __x64_sys_ioctl+0x3f/0x50 do_syscall_64+0x37/0x50 entry_SYSCALL_64_after_hwframe+0x44/0xa9 We can trigger front BUG by ioctl blow. ------------[ cut here ]------------ sg_io_hdr_t *addr; addr = malloc(sizeof(sg_io_hdr_t)); memset(addr, 0, sizeof(sg_io_hdr_t)); addr->interface_id = 'S'; fd = open(/dev/sr0, O_RDONLY); // open a CD_ROM dev ioctl(fd, SG_IO, addr); // all zero sg_io_hdr_t will trigger this bug Fixes: 2ceda20f ("scsi: core: Move command size detection out of the fast path") Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Signed-off-by: NChen Jun <chenjun102@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
b71bbf1d