scsi: bsg: copy uring_cmd payload to prevent double-fetch from shared SQE by blktests-ci[bot] · Pull Request #895 · linux-blktests/linux-block

blktests-ci · 2026-05-27T12:02:52Z

Pull request for series with
subject: scsi: bsg: copy uring_cmd payload to prevent double-fetch from shared SQE
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1101589

blktests-ci · 2026-05-27T12:02:54Z

Upstream branch: e8c2f9f
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-05-27T16:51:26Z

Upstream branch: e8c2f9f
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-05-28T13:31:13Z

Upstream branch: eb3f4b7
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-05-29T11:19:22Z

Upstream branch: 8fde5d1
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-06-01T09:03:28Z

Upstream branch: e43ffb6
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-06-03T13:59:54Z

Upstream branch: ba3e43a
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-06-05T10:16:13Z

Upstream branch: ddd664b
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-06-07T15:25:47Z

Upstream branch: 979c294
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-06-10T14:10:17Z

Upstream branch: acb7500
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-06-11T09:42:38Z

Upstream branch: 9716c08
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-06-12T23:08:21Z

Upstream branch: 2a2974b
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-06-13T02:05:37Z

Upstream branch: 062871f
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci · 2026-06-17T15:13:50Z

Upstream branch: 66affa3
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

… SQE scsi_bsg_uring_cmd() and scsi_bsg_map_user_buffer() read bsg_uring_cmd fields directly from the shared mmap'd io_uring submission ring via io_uring_sqe128_cmd(). On the inline execution path, io_uring has not yet copied the SQE to kernel memory, so a concurrent userspace thread can modify fields between reads. cmd->request_len is read for the bounds check, for the cmd_len assignment, and for the copy_from_user length. A racing thread can change request_len between the bounds check (passes with <= 32) and copy_from_user (uses the enlarged value), overflowing the 32-byte scmd->cmnd[] buffer into subsequent struct scsi_cmnd fields. scsi_bsg_map_user_buffer() independently re-derives its cmd pointer from the same shared SQE, re-reading dout_xfer_len, din_xfer_len, dout_xferp, and din_xferp, enabling direction confusion and buffer length races. Copy struct bsg_uring_cmd to a stack-local variable before use in both functions. The pointer variable 'cmd' is redirected to the local copy so the rest of each function is unchanged. Tested with KASAN on QEMU (virtio-scsi, 2 vCPUs). Without this fix, a two-thread race produces: BUG: KASAN: wild-memory-access in scsi_queue_rq+0x4a3/0x58a0 Write of size 96 at addr dead000000001000 by task poc/67 Call Trace: kasan_report+0xce/0x100 __asan_memset+0x23/0x50 scsi_queue_rq+0x4a3/0x58a0 scsi_bsg_uring_cmd+0x942/0x1570 io_uring_cmd+0x2f6/0x950 io_issue_sqe+0xe5/0x22d0 Fixes: 7b6d325 ("scsi: bsg: add io_uring passthrough handler") Cc: stable@vger.kernel.org Signed-off-by: Rahul Chandelkar <rc@rexion.ai> Reviewed-by: Bart Van Assche <bvanassche@acm.org>

blktests-ci · 2026-06-24T01:54:15Z

Upstream branch: bade58e
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101589
version: 1

blktests-ci Bot added new V1 linus-master labels May 27, 2026

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from 927534d to c75e599 Compare May 27, 2026 16:51

blktests-ci Bot force-pushed the linus-master_base branch from 86d8d37 to 9805659 Compare May 28, 2026 13:24

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from c75e599 to bc692df Compare May 28, 2026 13:31

blktests-ci Bot force-pushed the linus-master_base branch from 9805659 to 3f4a345 Compare May 29, 2026 11:12

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from bc692df to 445da35 Compare May 29, 2026 11:19

blktests-ci Bot force-pushed the linus-master_base branch from 3f4a345 to c6dc343 Compare June 1, 2026 08:57

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from 445da35 to e1dac9f Compare June 1, 2026 09:03

blktests-ci Bot force-pushed the linus-master_base branch from c6dc343 to fc36596 Compare June 3, 2026 13:56

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from e1dac9f to 0b93bb9 Compare June 3, 2026 13:59

blktests-ci Bot force-pushed the linus-master_base branch from fc36596 to 7bed9c3 Compare June 5, 2026 09:48

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from 0b93bb9 to 6a57555 Compare June 5, 2026 10:16

blktests-ci Bot force-pushed the linus-master_base branch from 7bed9c3 to a7bb5c5 Compare June 7, 2026 14:54

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from 6a57555 to ad06c61 Compare June 7, 2026 15:25

blktests-ci Bot force-pushed the linus-master_base branch from a7bb5c5 to 5e41a3b Compare June 10, 2026 13:31

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from ad06c61 to f380f37 Compare June 10, 2026 14:10

blktests-ci Bot force-pushed the linus-master_base branch from 5e41a3b to c3a084b Compare June 10, 2026 20:26

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from f380f37 to fce8c9b Compare June 11, 2026 09:42

blktests-ci Bot force-pushed the linus-master_base branch from c3a084b to 5f78e5d Compare June 12, 2026 22:27

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from fce8c9b to 12df0a3 Compare June 12, 2026 23:08

blktests-ci Bot force-pushed the linus-master_base branch from 5f78e5d to e48f9db Compare June 13, 2026 01:19

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from 12df0a3 to 8f0f501 Compare June 13, 2026 02:05

blktests-ci Bot force-pushed the linus-master_base branch 2 times, most recently from 199644a to e6d9eb8 Compare June 17, 2026 12:02

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from 8f0f501 to 9df46ef Compare June 17, 2026 15:13

blktests-ci Bot force-pushed the linus-master_base branch from e6d9eb8 to 7d8604f Compare June 24, 2026 01:11

blktests-ci Bot force-pushed the series/1101589=>linus-master branch from 9df46ef to 6104a0d Compare June 24, 2026 01:54

Uh oh!

Conversation

blktests-ci Bot commented May 27, 2026

Uh oh!

blktests-ci Bot commented May 27, 2026

Uh oh!

blktests-ci Bot commented May 27, 2026

Uh oh!

blktests-ci Bot commented May 28, 2026

Uh oh!

blktests-ci Bot commented May 29, 2026

Uh oh!

blktests-ci Bot commented Jun 1, 2026

Uh oh!

blktests-ci Bot commented Jun 3, 2026

Uh oh!

blktests-ci Bot commented Jun 5, 2026

Uh oh!

blktests-ci Bot commented Jun 7, 2026

Uh oh!

blktests-ci Bot commented Jun 10, 2026

Uh oh!

blktests-ci Bot commented Jun 11, 2026

Uh oh!

blktests-ci Bot commented Jun 12, 2026

Uh oh!

blktests-ci Bot commented Jun 13, 2026

Uh oh!

blktests-ci Bot commented Jun 17, 2026

Uh oh!

blktests-ci Bot commented Jun 24, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants