Linux kernel < 4.14.111 drivers/message/fusion/mptscsih.c kernel address dumps to user space

[Fuqian Huang <huangfq.daxian () gmail com>]

In drivers/message/fusion/mptscsih.c:1701
and drivers/message/fusion/mptscsih.c:1786,
mptscsih_abort will dump the address of SCpnt into dmesg,
which allows local user to read the kernel address via dmesg.

int
mptscsih_abort(struct scsi_cmnd * SCpnt)
{
    ...
    printk(MYIOC_s_INFO_FMT "attempting task abort! (sc=%p)\n",
           ioc->name, SCpnt);
    ...
 out:
    printk(MYIOC_s_INFO_FMT "task abort: %s (rv=%04x) (sc=%p)\n",
        ioc->name, ((retval == SUCCESS) ? "SUCCESS" : "FAILED"), retval,
        SCpnt);
    ...
}

In drivers/message/fusion/mptscsih.c:1819
and drivers/message/fusion/mptscsih.c:1843,
mptscsih_dev_reset will dump the address of SCpnt into dmesg,
which allows local user to read the kernel address via dmesg.

int
mptscsih_dev_reset(struct scsi_cmnd *SCpnt)
{
    ...
    printk(MYIOC_s_INFO_FMT "attempting target reset! (sc=%p)\n",
           ioc->name, SCpnt);
    ...
 out:
    printk (MYIOC_s_INFO_FMT "target reset: %s (sc=%p)\n",
        ioc->name, ((retval == 0) ? "SUCCESS" : "FAILED" ), SCpnt);
    ...
}

In drivers/message/fusion/mptscsih.c:1931
and drivers/message/fusion/mptscsih.c:1943,
mptscsih_host_reset will dump the address of SCpnt into dmesg,
which allows local user to read the kernel address via dmesg.

int
mptscsih_host_reset(struct scsi_cmnd *SCpnt)
{
    ...
    printk(MYIOC_s_INFO_FMT "attempting host reset! (sc=%p)\n",
        ioc->name, SCpnt);
    ...
    printk(MYIOC_s_INFO_FMT "host reset: %s (sc=%p)\n",
        ioc->name, ((retval == 0) ? "SUCCESS" : "FAILED" ), SCpnt);
    ...
}