lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 22 Mar 2019 12:12:32 +0100
From:   Greg Kroah-Hartman <>
Cc:     Greg Kroah-Hartman <>,, Logan Gunthorpe <>,
        Intel SCU Linux support <>,
        Artur Paszkiewicz <>,
        "James E.J. Bottomley" <>,
        "Martin K. Petersen" <>,
        Christoph Hellwig <>, Jens Axboe <>,
        Jeff Moyer <>, Sasha Levin <>
Subject: [PATCH 4.4 014/230] scsi: isci: initialize shost fully before calling scsi_add_host()

4.4-stable review patch.  If anyone has any objections, please let me know.


[ Upstream commit cc29a1b0a3f2597ce887d339222fa85b9307706d ]

scsi_mq_setup_tags(), which is called by scsi_add_host(), calculates the
command size to allocate based on the prot_capabilities. In the isci
driver, scsi_host_set_prot() is called after scsi_add_host() so the command
size gets calculated to be smaller than it needs to be.  Eventually,
scsi_mq_init_request() locates the 'prot_sdb' after the command assuming it
was sized correctly and a buffer overrun may occur.

However, seeing blk_mq_alloc_rqs() rounds up to the nearest cache line
size, the mistake can go unnoticed.

The bug was noticed after the struct request size was reduced by commit
9d037ad707ed ("block: remove req->timeout_list")

Which likely reduced the allocated space for the request by an entire cache
line, enough that the overflow could be hit and it caused a panic, on boot,

  RIP: 0010:t10_pi_complete+0x77/0x1c0
  Call Trace:

sd_done() would call scsi_prot_sg_count() which reads the number of
entities in 'prot_sdb', but seeing 'prot_sdb' is located after the end of
the allocated space it reads a garbage number and erroneously calls

To prevent this, the calls to scsi_host_set_prot() are moved into
isci_host_alloc() before the call to scsi_add_host(). Out of caution, also
move the similar call to scsi_host_set_guard().

Fixes: 3d2d75254915 ("[SCSI] isci: T10 DIF support")
Signed-off-by: Logan Gunthorpe <>
Cc: Intel SCU Linux support <>
Cc: Artur Paszkiewicz <>
Cc: "James E.J. Bottomley" <>
Cc: "Martin K. Petersen" <>
Cc: Christoph Hellwig <>
Cc: Jens Axboe <>
Cc: Jeff Moyer <>
Reviewed-by: Jeff Moyer <>
Reviewed-by: Jens Axboe <>
Signed-off-by: Martin K. Petersen <>
Signed-off-by: Sasha Levin <>
 drivers/scsi/isci/init.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/scsi/isci/init.c b/drivers/scsi/isci/init.c
index 77128d680e3bc..6f38fa1f468a7 100644
--- a/drivers/scsi/isci/init.c
+++ b/drivers/scsi/isci/init.c
@@ -595,6 +595,13 @@ static struct isci_host *isci_host_alloc(struct pci_dev *pdev, int id)
 	shost->max_lun = ~0;
 	shost->max_cmd_len = MAX_COMMAND_SIZE;
+	/* turn on DIF support */
+	scsi_host_set_prot(shost,
+	scsi_host_set_guard(shost, SHOST_DIX_GUARD_CRC);
 	err = scsi_add_host(shost, &pdev->dev);
 	if (err)
 		goto err_shost;
@@ -682,13 +689,6 @@ static int isci_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 			goto err_host_alloc;
 		pci_info->hosts[i] = h;
-		/* turn on DIF support */
-		scsi_host_set_prot(to_shost(h),
-		scsi_host_set_guard(to_shost(h), SHOST_DIX_GUARD_CRC);
 	err = isci_setup_interrupts(pdev);

Powered by blists - more mailing lists