Since BSG only supports request queues for which struct scsi_request is the first member of their private request data, refuse to register block layer queues for which the private data is smaller than struct scsi_request.
References: commit bd1599d931ca ("scsi_transport_sas: fix BSG ioctl memory corruption") References: commit 82ed4db499b8 ("block: split scsi_request out of struct request") Signed-off-by: Bart Van Assche <bart.vanass...@sandisk.com> Cc: Christoph Hellwig <h...@lst.de> Cc: Omar Sandoval <osan...@fb.com> Cc: Hannes Reinecke <h...@suse.com> Cc: linux-block@vger.kernel.org --- block/bsg.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/block/bsg.c b/block/bsg.c index 6fd08544d77e..5ccecc9855ac 100644 --- a/block/bsg.c +++ b/block/bsg.c @@ -750,6 +750,12 @@ static struct bsg_device *bsg_add_device(struct inode *inode, #ifdef BSG_DEBUG unsigned char buf[32]; #endif + + if (blk_queue_cmd_size(rq) < sizeof(struct scsi_request)) { + WARN_ONCE(true, "Attempt to register a non-SCSI queue\n"); + return ERR_PTR(-EINVAL); + } + if (!blk_get_queue(rq)) return ERR_PTR(-ENXIO); -- 2.12.2
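Review bot: The new check in bsg_add_device() fires when the bsg device node is opened, yet the message says "Attempt to register a non-SCSI queue"; either move the check to the point where the queue is registered with BSG so that a non-SCSI queue is rejected at registration time, or reword the message so the warning describes what actually happened. Two smaller points on the same lines: `WARN_ONCE(true, ...)` inside the `if` can be folded into the condition, e.g. `if (WARN_ONCE(blk_queue_cmd_size(rq) < sizeof(struct scsi_request), "..."))`, which is the idiomatic form; and the size comparison is necessary but not sufficient for the property stated in the commit message (a queue whose private request data is at least sizeof(struct scsi_request) but does not begin with a struct scsi_request still passes), so a comment above the check should say that only the size is being validated. Placing the check before blk_get_queue() is correct, since the early return then leaks no queue reference.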