Since BSG only supports request queues for which struct scsi_request
is the first member of their private request data, refuse to register
block layer queues for which the private data is smaller than struct
scsi_request.
References: commit bd1599d931ca ("scsi_transport_sas: fix BSG ioctl memory
corruption")
References: commit 82ed4db499b8 ("block: split scsi_request out of struct
request")
Signed-off-by: Bart Van Assche <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Cc: Omar Sandoval <[email protected]>
Cc: Hannes Reinecke <[email protected]>
Cc: [email protected]
---
block/bsg.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/block/bsg.c b/block/bsg.c
index 6fd08544d77e..5ccecc9855ac 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -750,6 +750,12 @@ static struct bsg_device *bsg_add_device(struct inode
*inode,
#ifdef BSG_DEBUG
unsigned char buf[32];
#endif
+
+ if (blk_queue_cmd_size(rq) < sizeof(struct scsi_request)) {
+ WARN_ONCE(true, "Attempt to register a non-SCSI queue\n");
+ return ERR_PTR(-EINVAL);
+ }
+
if (!blk_get_queue(rq))
return ERR_PTR(-ENXIO);
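Review bot: The guard added at the top of bsg_add_device compares sizes only, so a queue whose private request data is at least `sizeof(struct scsi_request)` but does not begin with a `struct scsi_request` still passes. BSG would then presumably treat that memory as a scsi_request, which looks like the corruption class the referenced commits describe. That limit should be stated next to the check, for example `/* Size check only: cannot prove that struct scsi_request is the first member of the private data. */`. The function takes a `struct inode *`, which suggests it runs when the device node is opened rather than when the queue is registered. If so, the "Attempt to register" wording is misleading and the `WARN_ONCE` could be triggered from userspace, which matters on hosts that set panic_on_warn; rejecting the queue at registration time, or using `pr_warn_once()` here, would avoid that. The body of bsg_add_device starts and ends outside this hunk, so the open-path reading needs confirming against the full function.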
--
2.12.2