Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1040617AbdDUOPV (ORCPT <rfc822;w@1wt.eu>);
        Fri, 21 Apr 2017 10:15:21 -0400
Received: from mail-io0-f175.google.com ([209.85.223.175]:33151 "EHLO
        mail-io0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1161197AbdDUOPN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 21 Apr 2017 10:15:13 -0400
Subject: Re: mtip32xx: add a status field to struct mtip_cmd
To: Colin Ian King <colin.king@canonical.com>,
        Christoph Hellwig <hch@lst.de>,
        Johannes Thumshirn <jthumshirn@suse.de>
References: <933d95b1-ee6c-eb74-9197-32852e7f7728@canonical.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
From: Jens Axboe <axboe@kernel.dk>
Message-ID: <f617c365-4459-6a8c-61a9-7494f8d4166b@kernel.dk>
Date: Fri, 21 Apr 2017 08:14:03 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <933d95b1-ee6c-eb74-9197-32852e7f7728@canonical.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1310
Lines: 38

On 04/21/2017 08:06 AM, Colin Ian King wrote:
> Hi,
> 
> CoverityScan found an issue with the following part of the patch:
> 
> -       if (likely(!reserv))
> -               blk_mq_complete_request(rq, -ENODEV);
> -       else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
> +       if (likely(!reserv)) {
> +               cmd->status = -ENODEV;
> +               blk_mq_complete_request(rq, 0);
> +       } else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
> 
> 
From: Jens Axboe <axboe@fb.com>
Subject: [PATCH] mtip32xx: fix dereference of stack garbage

We need to get the command payload from the request before
we attempt to dereference it.

Fixes: 4dda4735c581 ("mtip32xx: add a status field to struct mtip_cmd")
Signed-off-by: Jens Axboe <axboe@fb.com>

diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 66a6bd83faae..54c8736038de 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -4108,6 +4108,7 @@ static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv)
 	struct mtip_cmd *cmd;
 
 	if (likely(!reserv)) {
+		cmd = blk_mq_rq_to_pdu(rq);
 		cmd->status = -ENODEV;
 		blk_mq_complete_request(rq);
 	} else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {

-- 
Jens Axboe