From: Christoph Hellwig <hch@lst.de> To: axboe@kernel.dk, mst@redhat.com, jasowang@redhat.com Cc: linux-block@vger.kernel.org, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org Subject: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer Date: Wed, 4 Jan 2017 08:25:05 +0300 [thread overview] Message-ID: <1483507505-26797-2-git-send-email-hch@lst.de> (raw) In-Reply-To: <1483507505-26797-1-git-send-email-hch@lst.de> Most users of BLOCK_PC requests allocate the sense buffer on the stack, so to avoid DMA to the stack copy them to a field in the heap allocated virtblk_req structure. Without that any attempt at SCSI passthrough I/O, including the SG_IO ioctl from userspace will crash the kernel. Note that this includes running tools like hdparm even when the host does not have SCSI passthrough enabled. Signed-off-by: Christoph Hellwig <hch@lst.de> --- drivers/block/virtio_blk.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index 5545a67..3c3b8f6 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -56,6 +56,7 @@ struct virtblk_req { struct virtio_blk_outhdr out_hdr; struct virtio_scsi_inhdr in_hdr; u8 status; + u8 sense[SCSI_SENSE_BUFFERSIZE]; struct scatterlist sg[]; }; @@ -102,7 +103,8 @@ static int __virtblk_add_req(struct virtqueue *vq, } if (type == cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_SCSI_CMD)) { - sg_init_one(&sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); + memcpy(vbr->sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); + sg_init_one(&sense, vbr->sense, SCSI_SENSE_BUFFERSIZE); sgs[num_out + num_in++] = &sense; sg_init_one(&inhdr, &vbr->in_hdr, sizeof(vbr->in_hdr)); sgs[num_out + num_in++] = &inhdr; -- 2.1.4
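Review bot: the new `u8 sense[SCSI_SENSE_BUFFERSIZE];` member in struct virtblk_req (first hunk) carries no comment, so nothing in the structure says it is a bounce buffer that exists only because callers keep `req->sense` on the stack. A one-line comment above the field stating that it is the DMA-safe copy of the request's sense buffer would keep a later cleanup from pointing the scatterlist back at `vbr->req->sense`.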
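Review bot: in the `VIRTIO_BLK_T_SCSI_CMD` branch of __virtblk_add_req() (second hunk) the copy goes from `vbr->req->sense` into `vbr->sense` before submission, but the sense scatterlist is queued among the device-writable entries (`sgs[num_out + num_in++] = &sense;`), so the data that matters is what the device writes into `vbr->sense` afterwards. The diffstat shows only these three insertions, so nothing in this patch copies `vbr->sense` back to `vbr->req->sense`, and the submitter of the request would never see the sense data. Consider adding a `memcpy(vbr->req->sense, vbr->sense, SCSI_SENSE_BUFFERSIZE);` in the request completion path for SCSI commands, and check whether the submit-side memcpy is needed at all.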