Re: [PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference

2017-12-11 Thread Ming Lei
On Mon, Dec 11, 2017 at 10:11:29PM -0500, Martin K. Petersen wrote:
>
> Hi Ming,
>
> > This patch allocates one array for T10_PI_TYPE2_PROTECTION command,
> > size of each element is SD_EXT_CDB_SIZE, and the length is
> > host->can_queue, then we can retrieve one command buffer runtime
> > via

Re: [PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference

2017-12-11 Thread Martin K. Petersen
Hi Ming,

> This patch allocates one array for T10_PI_TYPE2_PROTECTION command,
> size of each element is SD_EXT_CDB_SIZE, and the length is
> host->can_queue, then we can retrieve one command buffer runtime
> via rq->tag.
>
> So we can avoid to allocate the command buffer runtime, also the
>

Re: [PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference

2017-12-11 Thread Martin K. Petersen
Bart,

> Avoid that scsi_show_rq() triggers a NULL pointer dereference if
> called after sd_uninit_command(). Swap the NULL pointer assignment
> and the mempool_free() call in sd_uninit_command() to make it less
> likely that scsi_show_rq() triggers a use-after-free. Note: even
> with these

Re: [PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference

2017-12-08 Thread Ming Lei
Hi Martin,

On Fri, Dec 08, 2017 at 04:44:55PM +0800, Ming Lei wrote:
> Hi Martin,
>
> On Thu, Dec 07, 2017 at 09:46:21PM -0500, Martin K. Petersen wrote:
> >
> > Ming,
> >
> > > As I explained in [1], the use-after-free is inevitable no matter if
> > > clearing 'SCpnt->cmnd' before

Re: [PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference

2017-12-08 Thread Ming Lei
Hi Martin,

On Thu, Dec 07, 2017 at 09:46:21PM -0500, Martin K. Petersen wrote:
>
> Ming,
>
> > As I explained in [1], the use-after-free is inevitable no matter if
> > clearing 'SCpnt->cmnd' before mempool_free() in sd_uninit_command() or
> > not, so we need to comment the fact that cdb may

Re: [PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference

2017-12-07 Thread Martin K. Petersen
Ming,

> As I explained in [1], the use-after-free is inevitable no matter if
> clearing 'SCpnt->cmnd' before mempool_free() in sd_uninit_command() or
> not, so we need to comment the fact that cdb may point to garbage
> data, and this function(especially __scsi_format_command() has to
> survive

Re: [PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference

2017-12-07 Thread Ming Lei
On Tue, Dec 05, 2017 at 04:57:51PM -0800, Bart Van Assche wrote:
> Avoid that scsi_show_rq() triggers a NULL pointer dereference if
> called after sd_uninit_command(). Swap the NULL pointer assignment
> and the mempool_free() call in sd_uninit_command() to make it less
> likely that scsi_show_rq()

[PATCH v2 1/3] scsi: Fix a scsi_show_rq() NULL pointer dereference

2017-12-05 Thread Bart Van Assche
Avoid that scsi_show_rq() triggers a NULL pointer dereference if called after sd_uninit_command(). Swap the NULL pointer assignment and the mempool_free() call in sd_uninit_command() to make it less likely that scsi_show_rq() triggers a use-after-free. Note: even with these changes scsi_show_rq()