android_kernel_oneplus_msm8998/drivers/scsi
Xin Long 9d2534917c scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
commit c88f0e6b06f4092995688211a631bb436125d77b upstream.

ChunYu found a kernel crash by syzkaller:

[  651.617875] kasan: CONFIG_KASAN_INLINE enabled
[  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  651.618731] general protection fault: 0000 [#1] SMP KASAN
[  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[...]
[  651.627260] Call Trace:
[  651.629156]  skb_release_all+0x4f/0x60
[  651.629450]  consume_skb+0x1a5/0x600
[  651.630705]  netlink_unicast+0x505/0x720
[  651.632345]  netlink_sendmsg+0xab2/0xe70
[  651.633704]  sock_sendmsg+0xcf/0x110
[  651.633942]  ___sys_sendmsg+0x833/0x980
[  651.637117]  __sys_sendmsg+0xf3/0x240
[  651.638820]  SyS_sendmsg+0x32/0x50
[  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2

It's caused by the skb_shared_info at the end of the sk_buff being overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from the skb in iscsi_if_rx.

During the loop, if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will actually get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.

This patch is to fix it by checking nlh->nlmsg_len properly there to
avoid over-accessing the sk_buff.

Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-05 09:41:44 +02:00
aacraid scsi: aacraid: Reorder Adapter status check 2017-03-12 06:37:26 +01:00
aic7xxx aic7xxx: Fix queue depth handling 2016-04-12 09:08:39 -07:00
aic94xx SCSI queue for 4.4. 2015-11-12 07:06:18 -05:00
arcmsr scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware 2016-11-10 16:36:35 +01:00
arm scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
be2iscsi be2iscsi: set the boot_kset pointer to NULL in case of failure 2016-04-12 09:08:39 -07:00
bfa scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
bnx2fc bnx2fc: Update version number to 2.9.6. 2015-11-09 17:32:34 -08:00
bnx2i bnx2i: Fix call trace while device reset 2015-06-02 17:15:24 -07:00
csiostor scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
cxgbi drivers/scsi/cxgbi: fix build with EXTRA_CFLAGS 2015-11-09 15:11:24 -08:00
cxlflash scsi: cxlflash: Improve EEH recovery time 2017-05-08 07:46:02 +02:00
device_handler scsi_dh: force modular build if SCSI is a module 2016-05-04 14:48:51 -07:00
dpt
esas2r scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
fcoe scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
fnic scsi: fnic: Avoid sending reset to firmware when another reset is in progress 2017-08-06 19:19:47 -07:00
ibmvscsi scsi: ibmvfc: Fix I/O hang when port is not mapped 2016-10-22 12:26:56 +02:00
isci scsi: isci: avoid array subscript warning 2017-09-02 07:06:50 +02:00
libfc libfc: Use the correct function name in kernel-doc comment. 2015-11-09 17:15:52 -08:00
libsas scsi: libsas: fix ata xfer length 2017-04-08 09:53:31 +02:00
lpfc lpfc: Fix Device discovery failures during switch reboot test. 2017-09-02 07:06:51 +02:00
megaraid scsi: megaraid_sas: Return pended IOCTLs with cmd_status MFI_STAT_WRONG_STATE in case adapter is dead 2017-09-27 11:00:15 +02:00
mpt3sas mpt3sas: Don't overreach ioc->reply_post[] during initialization 2017-08-06 19:19:41 -07:00
mvsas mvsas: fix misleading indentation 2017-03-18 19:09:58 +08:00
osd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-04-14 09:50:27 -07:00
pcmcia scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
pm8001 SCSI queue for 4.4. 2015-11-12 07:06:18 -05:00
qla2xxx scsi: qla2xxx: Fix an integer overflow in sysfs code 2017-09-27 11:00:16 +02:00
qla4xxx SCSI misc on 20151113 2015-11-13 20:35:54 -08:00
snic scsi: snic: Return error code on memory allocation failure 2017-08-06 19:19:47 -07:00
sym53c8xx_2 scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
ufs SCSI queue for 4.4. 2015-11-12 07:06:18 -05:00
.gitignore
3w-9xxx.c 3w-9xxx: don't unmap bounce buffered commands 2015-10-07 10:24:48 -07:00
3w-9xxx.h 3w-9xxx: fix command completion race 2015-04-27 10:10:19 -07:00
3w-sas.c 3w-sas: fix command completion race 2015-04-27 10:04:39 -07:00
3w-sas.h 3w-sas: fix command completion race 2015-04-27 10:04:39 -07:00
3w-xxxx.c 3w-xxxx: fix command completion race 2015-04-27 10:05:55 -07:00
3w-xxxx.h 3w-xxxx: fix command completion race 2015-04-27 10:05:55 -07:00
53c700.c 53c700: fix BUG on untagged commands 2016-07-27 09:47:39 -07:00
53c700.h
53c700.scr
53c700_d.h_shipped
a100u2w.c scsi: a100u2w: trivial typo in printk 2015-08-07 15:03:42 +02:00
a100u2w.h
a2091.c
a2091.h
a3000.c
a3000.h
a4000t.c
advansys.c Merge branch 'mkp-fixes' into fixes 2015-12-03 09:32:33 -08:00
aha152x.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
aha152x.h
aha1542.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
aha1542.h aha1542: fix include guard and remove useless changelog 2015-04-09 18:08:31 -07:00
aha1740.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
aha1740.h scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
am53c974.c am53c974: Fix crash during modprobe 2015-04-17 10:13:56 -07:00
atari_NCR5380.c ncr5380: Harmonize jiffies conversion with msecs_to_jiffies 2015-03-09 10:45:26 -04:00
atari_scsi.c ncr5380: Drop owner assignment from platform_drivers 2015-03-09 07:18:14 -04:00
atp870u.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
atp870u.h scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
BusLogic.c scsi: replace seq_printf with seq_puts 2015-02-02 09:57:45 -08:00
BusLogic.h
bvme6000_scsi.c
ch.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-04-14 09:50:27 -07:00
constants.c scsi: fix upper bounds check of sense key in scsi_sense_key_string() 2016-09-15 08:27:54 +02:00
dc395x.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
dc395x.h
dmx3191d.c
dpt_i2o.c x86/vm86: Clean up vm86.h includes 2015-07-31 13:31:10 +02:00
dpti.h
dtc.c
dtc.h
eata.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
eata_generic.h
eata_pio.c scsi: replace seq_printf with seq_puts 2015-02-02 09:57:45 -08:00
eata_pio.h
esp_scsi.c scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
esp_scsi.h esp_scsi: correctly detect am53c974 2014-11-24 16:13:16 +01:00
fdomain.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
fdomain.h
FlashPoint.c FlashPoint: fix build warning 2015-11-09 16:32:14 -08:00
g_NCR5380.c ncr5380: Harmonize jiffies conversion with msecs_to_jiffies 2015-03-09 10:45:26 -04:00
g_NCR5380.h
g_NCR5380_mmio.c
gdth.c scsi: rename SERVICE_ACTION_IN to SERVICE_ACTION_IN_16 2014-11-24 20:01:40 +01:00
gdth.h
gdth_ioctl.h
gdth_proc.c scsi: replace seq_printf with seq_puts 2015-02-02 09:57:45 -08:00
gdth_proc.h
gvp11.c
gvp11.h
hosts.c Merge branch 'mkp-fixes' into fixes 2015-12-03 09:32:33 -08:00
hpsa.c hpsa: correct skipping masked peripherals 2016-10-28 03:01:33 -04:00
hpsa.h hpsa: add in sas transport class 2015-11-09 12:39:28 -05:00
hpsa_cmd.h hpsa: add in sas transport class 2015-11-09 12:39:28 -05:00
hptiop.c hptiop: Support HighPoint RR36xx HBAs and Support SAS tape and SAS media changer 2015-08-12 13:14:57 -07:00
hptiop.h hptiop: Support HighPoint RR36xx HBAs and Support SAS tape and SAS media changer 2015-08-12 13:14:57 -07:00
imm.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
imm.h
in2000.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
in2000.h
initio.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
initio.h
ipr.c ipr: Clear interrupt on croc/crocodile when running with LSI 2016-08-10 11:49:29 +02:00
ipr.h ipr: Driver version 2.6.3. 2015-11-09 19:32:41 -05:00
ips.c ips: remove pointless #warning 2015-06-02 17:24:54 -07:00
ips.h
iscsi_boot_sysfs.c
iscsi_tcp.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
iscsi_tcp.h
jazz_esp.c
Kconfig scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m 2017-05-14 13:32:57 +02:00
lasi700.c
libiscsi.c scsi: libiscsi: add lock around task lists to fix list corruption regression 2017-03-26 12:13:19 +02:00
libiscsi_tcp.c
mac53c94.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
mac53c94.h
mac_esp.c
mac_scsi.c ncr5380: Drop owner assignment from platform_drivers 2015-03-09 07:18:14 -04:00
Makefile mpt3sas: Single driver module which supports both SAS 2.0 & SAS 3.0 HBAs 2015-11-11 19:50:11 -05:00
megaraid.c megaraid : use dev_printk when possible 2015-08-26 07:23:04 -07:00
megaraid.h
mesh.c powerpc: Move Power Macintosh drivers to generic byteswappers 2015-03-23 14:29:40 +11:00
mesh.h
mvme16x_scsi.c
mvme147.c
mvme147.h
mvumi.c mvumi: 64bit value for seconds_since1970 2015-11-11 20:45:23 -05:00
mvumi.h
ncr53c8xx.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
ncr53c8xx.h
NCR53c406a.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
NCR5380.c ncr5380: Harmonize jiffies conversion with msecs_to_jiffies 2015-03-09 10:45:26 -04:00
NCR5380.h
NCR_D700.c
NCR_D700.h
NCR_Q720.c
NCR_Q720.h
nsp32.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
nsp32.h
nsp32_debug.c
nsp32_io.h
osst.c scsi: remove scsi_driver owner field 2014-11-24 20:01:28 +01:00
osst.h
osst_detect.h
osst_options.h
pas16.c
pas16.h
pmcraid.c SCSI queue for 4.4. 2015-11-12 07:06:18 -05:00
pmcraid.h
ppa.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
ppa.h
ps3rom.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
qla1280.c qla1280: Don't allocate 512kb of host tags 2016-05-18 17:06:52 -07:00
qla1280.h
qlogicfas.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
qlogicfas408.c
qlogicfas408.h
qlogicpti.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
qlogicpti.h
raid_class.c
script_asm.pl
scsi.c scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
scsi.h
scsi_common.c scsi_common: do not clobber fixed sense information 2016-04-12 09:09:05 -07:00
scsi_debug.c scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded 2016-11-10 16:36:35 +01:00
scsi_devinfo.c SCSI: fix new bug in scsi_dev_info_list string matching 2016-08-10 11:49:29 +02:00
scsi_dh.c scsi: use 'scsi_device_from_queue()' for scsi_dh 2017-03-12 06:37:26 +01:00
scsi_error.c scsi: fix race between simultaneous decrements of ->host_failed 2016-07-27 09:47:39 -07:00
scsi_ioctl.c
scsi_lib.c scsi: use 'scsi_device_from_queue()' for scsi_dh 2017-03-12 06:37:26 +01:00
scsi_lib_dma.c
scsi_logging.c scsi_logging: return void for dev_printk() functions 2015-02-04 08:00:24 -08:00
scsi_logging.h
scsi_module.c
scsi_netlink.c
scsi_pm.c Revert "SCSI: Fix NULL pointer dereference in runtime PM" 2015-12-10 12:24:44 -05:00
scsi_priv.h scsi_dh: fix use-after-free when removing scsi device 2015-10-27 11:22:37 +09:00
scsi_proc.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
scsi_sas_internal.h
scsi_scan.c scsi: Fix use-after-free 2016-10-28 03:01:31 -04:00
scsi_sysctl.c
scsi_sysfs.c scsi: avoid a permanent stop of the scsi device's request queue 2017-01-09 08:07:48 +01:00
scsi_trace.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
scsi_transport_api.h
scsi_transport_fc.c scsi_transport_fc: Add support for 25Gbit speed 2015-04-10 07:40:32 -07:00
scsi_transport_iscsi.c scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly 2017-10-05 09:41:44 +02:00
scsi_transport_sas.c scsi_transport_sas: Remove check for SAS expander when querying bay/enclosure IDs. 2015-09-06 11:13:41 -07:00
scsi_transport_spi.c [SCSI] Fix printk typos in drivers/scsi 2015-08-07 14:28:45 +02:00
scsi_transport_srp.c IB/srp: Avoid using uninitialized variable 2015-07-14 13:20:09 -04:00
scsi_typedefs.h
scsicam.c
sd.c scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type 2017-07-05 14:37:16 +02:00
sd.h sd: Fix rw_max for devices that report an optimal xfer size 2016-10-28 03:01:33 -04:00
sd_dif.c block: Consolidate static integrity profile properties 2015-10-21 14:42:38 -06:00
ses.c ses: fix additional element traversal bug 2015-12-11 11:05:57 -08:00
sg.c scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE 2017-09-27 11:00:16 +02:00
sgiwd93.c
sim710.c
sni_53c710.c
sr.c scsi: sr: Sanity check returned mode data 2017-04-21 09:30:05 +02:00
sr.h
sr_ioctl.c sr: reduce debug noise in sr_do_ioctl 2015-01-20 19:43:24 +01:00
sr_vendor.c
st.c Merge branch 'mkp-fixes' into fixes 2015-12-03 09:32:33 -08:00
st.h st: implement tape statistics 2015-06-02 08:03:25 -07:00
st_options.h
stex.c stex: Remove use of struct timeval 2015-11-09 17:42:19 -08:00
storvsc_drv.c scsi: storvsc: fix memory leak on ring buffer busy 2017-09-27 11:00:15 +02:00
sun3_scsi.c ncr5380: Drop owner assignment from platform_drivers 2015-03-09 07:18:14 -04:00
sun3_scsi.h
sun3_scsi_vme.c
sun3x_esp.c arch, drivers: don't include <asm/io.h> directly, use <linux/io.h> instead 2015-08-10 23:07:05 -04:00
sun_esp.c
sym53c416.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
sym53c416.h
t128.c
t128.h
u14-34f.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
ultrastor.c
ultrastor.h
virtio_scsi.c scsi: virtio_scsi: Reject commands when virtqueue is broken 2017-07-05 14:37:19 +02:00
vmw_pvscsi.c vmw_pscsi: simplify ->change_queue_depth 2014-11-24 14:45:28 +01:00
vmw_pvscsi.h
wd33c93.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
wd33c93.h
wd719x.c [SCSI] Fix printk typos in drivers/scsi 2015-08-07 14:28:45 +02:00
wd719x.h scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
wd7000.c scsi: replace seq_printf with seq_puts 2015-02-02 09:57:45 -08:00
xen-scsifront.c xen: Use correctly the Xen memory terminologies 2015-09-08 18:03:49 +01:00
zalon.c
zorro7xx.c