From: Yu Kuai yukuai3@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I5HEZ8 CVE: NA
--------------------------------
commit f60df4a0a6ad ("blk-mq: fix kabi broken in struct request") intrudoce 'struct request_wrapper' to fix kabi broken in 'struct request', it requires to allocate more size for 'struct request'. However, flush_rq is missed for such adaptation, which will lead to following slab-out-of-bounds:
================================================================== BUG: KASAN: slab-out-of-bounds in sg_init_table+0x23/0x40 Write of size 4096 at addr ffff88812249a148 by task swapper/0/1
Call Trace: dump_stack+0xbe/0xf9 ? sg_init_table+0x23/0x40 print_address_description.constprop.0+0x1e/0x220 ? _raw_spin_lock_irqsave+0x80/0xe0 ? _raw_write_unlock_irqrestore+0x20/0x20 ? blk_alloc_flush_queue+0xd3/0x1a0 ? sg_init_table+0x23/0x40 ? sg_init_table+0x23/0x40 kasan_report.cold+0x67/0x7f ? sg_init_table+0x23/0x40 check_memory_region+0x17c/0x1e0 memset+0x20/0x40 sg_init_table+0x23/0x40 virtblk_init_request+0x3d/0x50 ? virtblk_map_queues+0x40/0x40 blk_mq_realloc_hw_ctxs+0x44d/0xb50 blk_mq_init_allocated_queue+0x20f/0x980 ? blk_set_default_limits+0x1ac/0x1c0 ? blk_alloc_queue+0x3f0/0x410 blk_mq_init_queue_data+0x58/0xa0 virtblk_probe+0x51b/0xee0 ? cache_type_store+0x1a0/0x1a0 ? __sanitizer_cov_trace_switch+0x50/0x90 ? ioread8+0x89/0xa0 virtio_dev_probe+0x449/0x5d0 ? virtio_features_ok.part.0+0xb0/0xb0 really_probe+0x26d/0x8a0 driver_probe_device+0xef/0x280 device_driver_attach+0xaf/0xc0 __driver_attach+0x158/0x280 ? device_driver_attach+0xc0/0xc0 bus_for_each_dev+0x111/0x180 ? subsys_dev_iter_exit+0x20/0x20 ? bus_add_driver+0xb6/0x3e0 ? klist_node_init+0x7c/0xb0 bus_add_driver+0x336/0x3e0 driver_register+0x105/0x1a0 ? nbd_init+0x273/0x273 init+0x69/0xad do_one_initcall+0xcb/0x370 ? initcall_blacklisted+0x1b0/0x1b0 ? parameq+0x110/0x110 ? __kasan_kmalloc.constprop.0+0xc2/0xd0 ? kasan_unpoison_shadow+0x33/0x40 do_initcalls+0x223/0x265 kernel_init_freeable+0x2bb/0x302 ? rest_init+0xea/0xea kernel_init+0x13/0x1f6 ? rest_init+0xea/0xea ret_from_fork+0x22/0x30
Allocated by task 1: kasan_save_stack+0x1b/0x40 __kasan_kmalloc.constprop.0+0xc2/0xd0 blk_alloc_flush_queue+0xd3/0x1a0 blk_mq_realloc_hw_ctxs+0x9fa/0xb50 blk_mq_init_allocated_queue+0x20f/0x980 blk_mq_init_queue_data+0x58/0xa0 virtblk_probe+0x51b/0xee0 virtio_dev_probe+0x449/0x5d0 really_probe+0x26d/0x8a0 driver_probe_device+0xef/0x280 device_driver_attach+0xaf/0xc0 __driver_attach+0x158/0x280 bus_for_each_dev+0x111/0x180 bus_add_driver+0x336/0x3e0 driver_register+0x105/0x1a0 init+0x69/0xad do_one_initcall+0xcb/0x370 do_initcalls+0x223/0x265 kernel_init_freeable+0x2bb/0x302 kernel_init+0x13/0x1f6 ret_from_fork+0x22/0x30
Fixes: f60df4a0a6ad ("blk-mq: fix kabi broken in struct request") Signed-off-by: Yu Kuai yukuai3@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- block/blk-flush.c | 2 +- drivers/scsi/scsi_error.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/block/blk-flush.c b/block/blk-flush.c index 82919829bc4d..71faf07a626f 100644 --- a/block/blk-flush.c +++ b/block/blk-flush.c @@ -470,7 +470,7 @@ struct blk_flush_queue *blk_alloc_flush_queue(int node, int cmd_size, gfp_t flags) { struct blk_flush_queue *fq; - int rq_sz = sizeof(struct request); + int rq_sz = sizeof(struct request_wrapper);
fq = kzalloc_node(sizeof(*fq), flags, node); if (!fq) diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c index f11f51e2465f..bcbeadb2d0f0 100644 --- a/drivers/scsi/scsi_error.c +++ b/drivers/scsi/scsi_error.c @@ -2359,7 +2359,7 @@ scsi_ioctl_reset(struct scsi_device *dev, int __user *arg) return -EIO;
error = -EIO; - rq = kzalloc(sizeof(struct request) + sizeof(struct scsi_cmnd) + + rq = kzalloc(sizeof(struct request_wrapper) + sizeof(struct scsi_cmnd) + shost->hostt->cmd_size, GFP_KERNEL); if (!rq) goto out_put_autopm_host;