scsi: bsg: read io_uring command fields once by blktests-ci[bot] · Pull Request #900 · linux-blktests/linux-block

scsi_bsg_uring_cmd() reads struct bsg_uring_cmd fields directly from the shared mmap'd io_uring SQE. On the inline execution path, io_uring may still point at userspace-visible SQE storage, so a concurrent userspace thread can change fields between validation and use. request_len is checked against the size of scmd->cmnd, then used again for scmd->cmd_len and copy_from_user(). If userspace changes request_len after the bounds check, the later copy can overflow the 32-byte scmd->cmnd buffer. Transfer fields are also read again by scsi_bsg_map_user_buffer(), leaving direction, address and length open to the same race. Use READ_ONCE() to load each bsg_uring_cmd field needed by scsi_bsg_uring_cmd() into a local variable, then use those locals for both validation and execution. Pass the stable transfer direction, address and length into scsi_bsg_map_user_buffer() so the helper no longer re-derives them from the SQE. This fixes the double-fetch without copying the whole io_uring command payload. Tested with KASAN on QEMU (virtio-scsi, 2 vCPUs). Without this fix, a two-thread race produces: BUG: KASAN: wild-memory-access in scsi_queue_rq+0x4a3/0x58a0 Write of size 96 at addr dead000000001000 by task poc/67 Call Trace: kasan_report+0xce/0x100 __asan_memset+0x23/0x50 scsi_queue_rq+0x4a3/0x58a0 scsi_bsg_uring_cmd+0x942/0x1570 io_uring_cmd+0x2f6/0x950 io_issue_sqe+0xe5/0x22d0 Link: https://lore.kernel.org/all/20260527105931.3950913-1-rc@rexion.ai/T/#u Fixes: 7b6d325 ("scsi: bsg: add io_uring passthrough handler") Cc: stable@vger.kernel.org Signed-off-by: Rahul Chandelkar <rc@rexion.ai> Reviewed-by: Yang Xiuwei <yangxiuwei@kylinos.cn>

blktests-ci · 2026-06-24T01:53:45Z

Upstream branch: bade58e
series: https://patchwork.kernel.org/project/linux-block/list/?series=1101822
version: 2

blktests-ci Bot added new V2 linus-master labels May 27, 2026

blktests-ci Bot force-pushed the linus-master_base branch from 86d8d37 to 9805659 Compare May 28, 2026 13:24

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from cb18062 to 9381633 Compare May 28, 2026 14:15

blktests-ci Bot force-pushed the linus-master_base branch from 9805659 to 3f4a345 Compare May 29, 2026 11:12

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from 9381633 to 8a30051 Compare May 29, 2026 11:42

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from 8a30051 to 236abeb Compare May 30, 2026 18:34

blktests-ci Bot force-pushed the linus-master_base branch from 3f4a345 to c6dc343 Compare June 1, 2026 08:57

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from 236abeb to 4b30617 Compare June 1, 2026 09:29

blktests-ci Bot force-pushed the linus-master_base branch from c6dc343 to fc36596 Compare June 3, 2026 13:56

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from 4b30617 to 61cd5e0 Compare June 3, 2026 14:26

blktests-ci Bot force-pushed the linus-master_base branch from fc36596 to 7bed9c3 Compare June 5, 2026 09:48

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from 61cd5e0 to 9af867b Compare June 5, 2026 10:14

blktests-ci Bot force-pushed the linus-master_base branch from 7bed9c3 to a7bb5c5 Compare June 7, 2026 14:54

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from 9af867b to b08b4e6 Compare June 7, 2026 15:24

blktests-ci Bot force-pushed the linus-master_base branch from a7bb5c5 to 5e41a3b Compare June 10, 2026 13:31

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from b08b4e6 to c7513b5 Compare June 10, 2026 14:08

blktests-ci Bot force-pushed the linus-master_base branch from 5e41a3b to c3a084b Compare June 10, 2026 20:26

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from c7513b5 to c4d96e1 Compare June 11, 2026 09:40

blktests-ci Bot force-pushed the linus-master_base branch from c3a084b to 5f78e5d Compare June 12, 2026 22:27

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from c4d96e1 to 7c223d8 Compare June 12, 2026 23:06

blktests-ci Bot force-pushed the linus-master_base branch from 5f78e5d to e48f9db Compare June 13, 2026 01:19

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from 7c223d8 to 02ce86f Compare June 13, 2026 02:03

blktests-ci Bot force-pushed the linus-master_base branch 2 times, most recently from 199644a to e6d9eb8 Compare June 17, 2026 12:02

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from 02ce86f to 5f93a24 Compare June 17, 2026 14:36

blktests-ci Bot force-pushed the linus-master_base branch from e6d9eb8 to 7d8604f Compare June 24, 2026 01:11

blktests-ci Bot force-pushed the series/1101822=>linus-master branch from 5f93a24 to e2e7041 Compare June 24, 2026 01:53

Conversation

blktests-ci Bot commented May 27, 2026

Uh oh!

blktests-ci Bot commented May 27, 2026

Uh oh!

blktests-ci Bot commented May 28, 2026

Uh oh!

blktests-ci Bot commented May 29, 2026

Uh oh!

blktests-ci Bot commented May 30, 2026

Uh oh!

blktests-ci Bot commented Jun 1, 2026

Uh oh!

blktests-ci Bot commented Jun 3, 2026

Uh oh!

blktests-ci Bot commented Jun 5, 2026

Uh oh!

blktests-ci Bot commented Jun 7, 2026

Uh oh!

blktests-ci Bot commented Jun 10, 2026

Uh oh!

blktests-ci Bot commented Jun 11, 2026

Uh oh!

blktests-ci Bot commented Jun 12, 2026

Uh oh!

blktests-ci Bot commented Jun 13, 2026

Uh oh!

blktests-ci Bot commented Jun 17, 2026

Uh oh!

blktests-ci Bot commented Jun 24, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants