linux/drivers/scsi
Bart Van Assche 14e3062fb1 scsi: core: Fix a scsi_show_rq() NULL pointer dereference
Avoid that scsi_show_rq() triggers a NULL pointer dereference if called
after sd_uninit_command(). Swap the NULL pointer assignment and the
mempool_free() call in sd_uninit_command() to make it less likely that
scsi_show_rq() triggers a use-after-free. Note: even with these changes
scsi_show_rq() can trigger a use-after-free but that's a lesser evil
than e.g. suppressing debug information for T10 PI Type 2 commands
completely. This patch fixes the following oops:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: scsi_format_opcode_name+0x1a/0x1c0
CPU: 1 PID: 1881 Comm: cat Not tainted 4.14.0-rc2.blk_mq_io_hang+ #516
Call Trace:
 __scsi_format_command+0x27/0xc0
 scsi_show_rq+0x5c/0xc0
 __blk_mq_debugfs_rq_show+0x116/0x130
 blk_mq_debugfs_rq_show+0xe/0x10
 seq_read+0xfe/0x3b0
 full_proxy_read+0x54/0x90
 __vfs_read+0x37/0x160
 vfs_read+0x96/0x130
 SyS_read+0x55/0xc0
 entry_SYSCALL_64_fastpath+0x1a/0xa5

[mkp: added Type 2]

Fixes: 0eebd005dd ("scsi: Implement blk_mq_ops.show_rq()")
Reported-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2017-12-11 21:56:48 -05:00
aacraid scsi: aacraid: address UBSAN warning regression 2017-11-29 00:07:20 -05:00
aic7xxx SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
aic94xx SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
arcmsr arcmsr: add const to bin_attribute structures 2017-08-10 19:40:50 -04:00
arm License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
be2iscsi SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
bfa scsi: bfa: fix type conversion warning 2017-12-07 19:57:54 -05:00
bnx2fc scsi: bnx2fc: Fix hung task messages when a cleanup response is not received during abort 2017-11-15 18:44:56 -05:00
bnx2i SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
csiostor SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
cxgbi SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
cxlflash scsi: cxlflash: Derive pid through accessors 2017-10-31 12:28:04 -04:00
device_handler scsi: scsi_dh: Return SCSI_DH_XX error code from ->attach() 2017-09-25 19:03:14 -04:00
dpt sched/wait: Rename wait_queue_t => wait_queue_entry_t 2017-06-20 12:18:27 +02:00
esas2r scsi: esas2r: constify pci_device_id. 2017-08-24 22:28:52 -04:00
fcoe Modules updates for v4.15 2017-11-15 13:46:33 -08:00
fnic License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hisi_sas SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
ibmvscsi scsi: ibmvscsi: Convert timers to use timer_setup() 2017-11-01 11:27:06 -07:00
ibmvscsi_tgt License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
isci Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
libfc scsi: libfc: fix ELS request handling 2017-11-28 23:59:09 -05:00
libsas scsi: libsas: fix length error in sas_smp_handler() 2017-12-11 21:45:34 -05:00
lpfc scsi: lpfc: Use after free in lpfc_rq_buf_free() 2017-11-28 23:46:06 -05:00
megaraid SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
mpt3sas Modules updates for v4.15 2017-11-15 13:46:33 -08:00
mvsas scsi: sas: Convert timers to use timer_setup() 2017-11-01 11:43:47 -07:00
osd blk-map: call blk_queue_bounce from blk_rq_append_bio 2017-06-27 12:13:21 -06:00
pcmcia License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pm8001 SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
qedf Merge branch 'fixes' into misc 2017-09-07 12:12:43 -07:00
qedi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
qla2xxx SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
qla4xxx scsi: qla4xxx: Convert timers to use timer_setup() 2017-11-01 11:44:40 -07:00
smartpqi SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
snic License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sym53c8xx_2 drivers/scsi/sym53c8xx_2/sym_hipd.c: convert to use memset32 2017-09-08 18:26:48 -07:00
ufs scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg 2017-11-21 23:00:44 -05:00
.gitignore scsi: scsi_devinfo: Add scsi_devinfo_tbl.c 2017-10-25 05:40:22 -04:00
3w-9xxx.c
3w-9xxx.h
3w-sas.c
3w-sas.h
3w-xxxx.c
3w-xxxx.h
53c700_d.h_shipped
53c700.c scsi: 53c700: move bus reset to host reset 2017-08-25 17:21:11 -04:00
53c700.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
53c700.scr
a100u2w.c
a100u2w.h
a2091.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
a2091.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
a3000.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
a3000.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
a4000t.c
advansys.c scsi: advansys: fix uninitialized data access 2017-04-04 19:39:39 -04:00
aha152x.c scsi: aha152x: drop host reset 2017-08-25 17:21:11 -04:00
aha152x.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
aha1542.c scsi: aha1542: constify pnp_device_id 2017-08-24 22:29:07 -04:00
aha1542.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
aha1740.c
aha1740.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
am53c974.c
atari_scsi.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
atp870u.c
atp870u.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
BusLogic.c scsi: BusLogic: fix incorrect spelling of adatper_reset_req 2017-04-21 10:31:33 -04:00
BusLogic.h scsi: BusLogic: fix incorrect spelling of adatper_reset_req 2017-04-21 10:31:33 -04:00
bvme6000_scsi.c
ch.c scsi: ch: add refcounting 2017-08-24 22:29:06 -04:00
constants.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dc395x.c scsi: dc395x: Convert timers to use timer_setup() 2017-10-27 02:22:00 -07:00
dc395x.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dmx3191d.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
dpt_i2o.c scsi: dpt_i2o: remove redundant null check on array device 2017-08-10 19:55:35 -04:00
dpti.h
eata_generic.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
eata_pio.c
eata_pio.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
eata.c scsi: eata: remove 'arg_done' from eata2x_eh_host_reset() 2017-08-25 17:21:12 -04:00
esp_scsi.c scsi: esp_scsi: Always clear msg_out_len after MESSAGE OUT phase 2017-08-10 19:55:35 -04:00
esp_scsi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fdomain.c scsi: fdomain: move bus reset to host reset 2017-08-25 17:21:10 -04:00
fdomain.h scsi: fdomain: move bus reset to host reset 2017-08-25 17:21:10 -04:00
FlashPoint.c
g_NCR5380.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
gdth_ioctl.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gdth_proc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gdth_proc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gdth.c scsi: gdth: Convert timers to use timer_setup() 2017-10-27 02:22:00 -07:00
gdth.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gvp11.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
gvp11.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hosts.c scsi: Remove Scsi_Host.uspace_req_q 2017-09-05 08:18:42 -04:00
hpsa_cmd.h scsi: hpsa: update discovery polling 2017-10-25 04:55:18 -04:00
hpsa.c SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
hpsa.h scsi: hpsa: add support for legacy boards 2017-08-24 22:28:55 -04:00
hptiop.c scsi: hptiop: Simplify reset handling 2017-08-25 17:21:10 -04:00
hptiop.h
imm.c scsi: imm: drop duplicate bus_reset handler 2017-08-25 17:21:11 -04:00
imm.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
initio.c
initio.h
ipr.c scsi: ipr: Convert timers to use timer_setup() 2017-11-01 11:27:07 -07:00
ipr.h scsi: ipr: Fix scsi-mq lockdep issue 2017-08-08 11:49:51 -04:00
ips.c sched/wait: Rename wait_queue_t => wait_queue_entry_t 2017-06-20 12:18:27 +02:00
ips.h sched/wait: Rename wait_queue_t => wait_queue_entry_t 2017-06-20 12:18:27 +02:00
iscsi_boot_sysfs.c
iscsi_tcp.c scsi: iscsi_tcp: Remove a set-but-not-used variable 2017-08-25 17:08:08 -04:00
iscsi_tcp.h
jazz_esp.c
Kconfig Merge branch 'for-linus' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2017-11-15 10:14:11 -08:00
lasi700.c parisc/scsi/lasi700: Fix section mismatches 2017-08-22 16:34:36 +02:00
libiscsi_tcp.c
libiscsi.c Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
mac53c94.c scsi: Convert to using %pOF instead of full_name 2017-08-07 14:04:02 -04:00
mac53c94.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mac_esp.c scsi: mac_esp: Fix PIO transfers for MESSAGE IN phase 2017-08-10 19:55:34 -04:00
mac_scsi.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
Makefile SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
megaraid.c scsi: megaraid: fix format-overflow warning 2017-08-07 14:04:01 -04:00
megaraid.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mesh.c
mesh.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mvme16x_scsi.c
mvme147.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mvme147.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mvumi.c scsi: mvumi: remove code handling zero scsi_sg_count(scmd) case 2017-04-24 18:16:49 -04:00
mvumi.h
ncr53c8xx.c
ncr53c8xx.h
NCR53c406a.c
NCR5380.c SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
NCR5380.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
NCR_D700.c
NCR_D700.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
NCR_Q720.c dma-coherent: remove the DMA_MEMORY_MAP and DMA_MEMORY_IO flags 2017-09-01 11:59:17 +02:00
NCR_Q720.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nsp32_debug.c
nsp32_io.h
nsp32.c scsi: nsp32: fix logic bug in error handling 2017-10-16 22:38:44 -04:00
nsp32.h
osst_detect.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
osst_options.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
osst.c scsi: osst: silence underflow warning in osst_verify_frame() 2017-08-24 22:29:01 -04:00
osst.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pmcraid.c scsi: pmcraid: Convert timers to use timer_setup() 2017-11-01 11:27:09 -07:00
pmcraid.h scsi: pmcraid: Replace PCI pool old API 2017-08-07 14:04:01 -04:00
ppa.c scsi: ppa: drop duplicate bus_reset handler 2017-08-25 17:21:11 -04:00
ppa.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ps3rom.c
qla1280.c timer: Remove init_timer_on_stack() in favor of timer_setup_on_stack() 2017-10-05 15:01:17 +02:00
qla1280.h timer: Remove init_timer_on_stack() in favor of timer_setup_on_stack() 2017-10-05 15:01:17 +02:00
qlogicfas408.c scsi: qlogicfas: move bus_reset to host_reset 2017-08-25 17:21:11 -04:00
qlogicfas408.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
qlogicfas.c scsi: qlogicfas: move bus_reset to host_reset 2017-08-25 17:21:11 -04:00
qlogicpti.c scsi: qlogicpti: fixup qlogicpti_reset() definition 2017-08-28 22:15:46 -04:00
qlogicpti.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raid_class.c
script_asm.pl
scsi_common.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_debug.c scsi: scsi_debug: write_same: fix error report 2017-10-31 12:28:05 -04:00
scsi_debugfs.c scsi: core: Fix a scsi_show_rq() NULL pointer dereference 2017-12-11 21:56:48 -05:00
scsi_debugfs.h scsi: Implement blk_mq_ops.show_rq() 2017-04-26 15:09:04 -06:00
scsi_devinfo.c scsi: scsi_devinfo: cleanly zero-pad devinfo strings 2017-12-04 21:58:35 -05:00
scsi_dh.c scsi: scsi_dh: suppress errors from unsupported devices 2017-09-25 19:03:22 -04:00
scsi_error.c SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
scsi_ioctl.c scsi: Suppress gcc 7 fall-through warnings reported with W=1 2017-08-25 17:08:07 -04:00
scsi_lib_dma.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_lib.c scsi: core: run queue if SCSI device queue isn't ready and queue is idle 2017-12-07 19:52:55 -05:00
scsi_logging.c
scsi_logging.h SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
scsi_module.c
scsi_netlink.c netlink: extended ACK reporting 2017-04-13 13:58:20 -04:00
scsi_pm.c
scsi_priv.h scsi: Use 'blist_flags_t' for scsi_devinfo flags 2017-11-16 17:43:27 -05:00
scsi_proc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_sas_internal.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_scan.c scsi: Use 'blist_flags_t' for scsi_devinfo flags 2017-11-16 17:43:27 -05:00
scsi_sysctl.c
scsi_sysfs.c SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
scsi_trace.c
scsi_transport_api.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_transport_fc.c SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
scsi_transport_iscsi.c SCSI misc on 20171114 2017-11-14 16:23:44 -08:00
scsi_transport_sas.c scsi: scsi_transport_sas: check reply payload length instead of bidi request 2017-10-16 23:40:51 -04:00
scsi_transport_spi.c
scsi_transport_srp.c Revert "scsi: make 'state' device attribute pollable" 2017-11-07 09:04:32 -08:00
scsi_typedefs.h
scsi.c Merge branch 'fixes' into misc 2017-09-07 12:12:43 -07:00
scsi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsicam.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sd_dif.c
sd_zbc.c scsi: sd_zbc: Fix sd_zbc_read_zoned_characteristics() 2017-10-16 23:54:33 -04:00
sd.c scsi: core: Fix a scsi_show_rq() NULL pointer dereference 2017-12-11 21:56:48 -05:00
sd.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sense_codes.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ses.c Merge branch 'fixes' into misc 2017-09-07 12:12:43 -07:00
sg.c Merge branch 'for-4.15/block' of git://git.kernel.dk/linux-block 2017-11-14 15:32:19 -08:00
sgiwd93.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
sim710.c
sni_53c710.c scsi: remove incorrect __exit markups 2017-03-15 19:27:46 -04:00
sr_ioctl.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sr_vendor.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sr.c scsi: sd: sr: Convert two assignments into warning statements 2017-08-25 17:08:08 -04:00
sr.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
st_options.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
st.c scsi: st: fix blk_get_queue usage 2017-08-08 11:49:51 -04:00
st.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stex.c scsi: stex: make S6flag static 2017-04-26 18:32:29 -04:00
storvsc_drv.c scsi: storvsc: Avoid excessive host scan on controller change 2017-11-06 22:38:29 -05:00
sun3_scsi_vme.c
sun3_scsi.c scsi: NCR5380: Move bus reset to host reset 2017-08-25 17:21:11 -04:00
sun3x_esp.c
sun_esp.c scsi: sun_esp: fix device reference leaks 2017-06-27 21:46:55 -04:00
sym53c416.c
sym53c416.h
virtio_scsi.c scsi: virtio: virtio_scsi: Set can_queue to the length of the virtqueue. 2017-08-24 22:28:51 -04:00
vmw_pvscsi.c scsi: vmw_pvscsi: handle the return value from pci_alloc_irq_vectors correctly 2017-03-06 22:27:33 -05:00
vmw_pvscsi.h
wd33c93.c scsi: drop bus reset for wd33c93-compatible boards 2017-08-25 17:21:10 -04:00
wd33c93.h
wd719x.c
wd719x.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xen-scsifront.c scsi: xen-scsifront: Remove code that zeroes driver-private command data 2017-06-12 21:02:04 -04:00
zalon.c parisc/scsi/zalon: Fix section mismatches 2017-08-22 16:34:36 +02:00
zorro7xx.c