Message-ID: <17a1b72e-2c2a-8492-cb92-4dec36a6531d@acm.org>
Date: Mon, 1 Nov 2021 20:06:38 -0700
Subject: Re: [PATCH] scsi: core: initialize cmd->cmnd before it is used
To: dgilbert@interlog.com, Tadeusz Struk, linux-scsi@vger.kernel.org
Cc: Christoph Hellwig, "James E. J. Bottomley", "Martin K. Petersen", linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+5516b30f5401d4dcbcae@syzkaller.appspotmail.com
References: <20211101192417.324799-1-tadeusz.struk@linaro.org> <4cfa4049-aae5-51db-4ad2-b4c9db996525@acm.org> <0024e0e1-589c-e2cd-2468-f4af8ec1cb95@linaro.org> <8fbb619a-37b3-4890-37e0-b586bdee49d6@interlog.com>
From: Bart Van Assche
In-Reply-To: <8fbb619a-37b3-4890-37e0-b586bdee49d6@interlog.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/1/21 18:56, Douglas Gilbert wrote:
> On 2021-11-01 4:20 p.m., Bart Van Assche wrote:
>> One of the functions in the call stack in the first message of this email
>> thread is sg_io(). I am not aware of any documentation that specifies whether
>> it is valid to set cmd_len in the sg_io header to zero. My opinion is that
>> the SG_IO implementation should either reject cmd_len == 0 or set cmd_len
>> to a valid value if it is zero.
>
> For the sg driver in production, the v3 interface users (including
> ioctl(, SG_IO,) ) have this check:
>
>         if ((!hp->cmdp) || (hp->cmd_len < 6) || (hp->cmd_len > sizeof (cmnd))) {
>                 sg_remove_request(sfp, srp);
>                 return -EMSGSIZE;
>         }

Hi Doug,

Thanks for having taken a look. I found the above check in sg_new_write(). To me that function seems to come from a code path that is unrelated to sg_io(), the function shown in the call stack in the email at the start of this thread. Maybe I overlooked something but I haven't found a minimum size check for hdr->cmd_len in sg_io() before the blk_execute_rq() call. Should such a check perhaps be added?

Thanks,

Bart.
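As an added example, not code from the sg driver or from either participant in this thread: a user-space model of the cmd_len bounds check Doug quoted from sg_new_write(), written so the request shapes the thread discusses (cmd_len == 0, a NULL cmdp, an oversized CDB) can be exercised without a kernel. The struct sg_req type, the sg_check_cmd_len() and sg_copy_cdb() names, and the 16-byte command buffer are this example's assumptions, not the driver's.

```c
/* Added example: a user-space model of the sg driver's cmd_len check.
 * Names and sizes below are assumptions of this example, not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMMAND_SIZE 16   /* assumed size of the local cmnd[] buffer */
#define MIN_CDB_LEN 6         /* shortest valid SCSI CDB (6-byte, group 0) */

/* Stand-in for the two sg_io_hdr fields the check looks at. */
struct sg_req {
    const uint8_t *cmdp;      /* user-supplied CDB bytes */
    unsigned char cmd_len;    /* length of the CDB in bytes */
};

/* Mirrors the quoted condition: reject a missing CDB pointer, a CDB shorter
 * than the smallest legal SCSI command (this also rejects cmd_len == 0) and a
 * CDB longer than the buffer it would be copied into. Returns 0 on success,
 * -EMSGSIZE otherwise, as the driver's check does. */
int sg_check_cmd_len(const struct sg_req *hp)
{
    if (hp == NULL || hp->cmdp == NULL)
        return -EMSGSIZE;
    if (hp->cmd_len < MIN_CDB_LEN || hp->cmd_len > MAX_COMMAND_SIZE)
        return -EMSGSIZE;
    return 0;
}

/* Copies the CDB into a fixed buffer only after the check passes, so cmnd[]
 * is never left uninitialised or overrun. Returns the number of bytes copied
 * or a negative errno. */
int sg_copy_cdb(const struct sg_req *hp, unsigned char *cmnd, size_t cmnd_size)
{
    int rc = sg_check_cmd_len(hp);
    if (rc)
        return rc;
    if (hp->cmd_len > cmnd_size)
        return -EMSGSIZE;
    memset(cmnd, 0, cmnd_size);
    memcpy(cmnd, hp->cmdp, hp->cmd_len);
    return hp->cmd_len;
}

int main(void)
{
    /* Constructed sample: a 6-byte INQUIRY CDB, then the malformed variants. */
    static const uint8_t inquiry[6] = { 0x12, 0x00, 0x00, 0x00, 0x24, 0x00 };
    struct sg_req cases[] = {
        { inquiry, 6 },     /* valid */
        { inquiry, 0 },     /* cmd_len == 0, the case the thread is about */
        { NULL, 6 },        /* no CDB pointer */
        { inquiry, 17 },    /* larger than the command buffer */
    };
    unsigned char cmnd[MAX_COMMAND_SIZE];

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = sg_copy_cdb(&cases[i], cmnd, sizeof cmnd);
        printf("case %zu: cmd_len=%u -> %d\n", i, cases[i].cmd_len, rc);
    }
    return 0;
}
```

The point of keeping the copy behind the check is that a zero-length CDB then fails closed with -EMSGSIZE instead of reaching the lower layers with an unfilled command buffer.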