On 11/30/2018 5:44 AM, Michael S. Tsirkin wrote:

On Thu, Nov 01, 2018 at 04:06:19PM -0700, Linus Torvalds wrote:

quoted

On Thu, Nov 1, 2018 at 4:00 PM Kees Cook [off-list ref] wrote:

quoted

+       memset(&rsp, 0, sizeof(rsp));
+       rsp.response = VIRTIO_SCSI_S_FUNCTION_REJECTED;
+       resp = vq->iov[out].iov_base;
+       ret = __copy_to_user(resp, &rsp, sizeof(rsp));

Is it actually safe to trust that iov_base has passed an earlier
access_ok() check here? Why not just use copy_to_user() instead?

Good point.

We really should have removed those double-underscore things ages ago.

Also, apart from the address, what about the size? Wouldn't it be
better to use copy_to_iter() rather than implement it badly by hand?

                Linus

Bijan can you respond please?
Are you going to look into this and convert code to copy_to_iter?
I don't think we should release Linux like this, so if you don't
have the time I'd rather revert for now and you can look
into reposting for the next release.

Thanks,

Sure, will do.  Can I send an individual patch for the fix to 
vhost_scsi_send_tmf_reject()?

Thanks.

--bijan