linux-block.vger.kernel.org archive mirror
From: renxudong <renxudong1@huawei.com>
To: Bob Liu <bob.liu@oracle.com>,
	Zhiqiang Liu <liuzhiqiang26@huawei.com>,
	Jens Axboe <axboe@kernel.dk>, <linux-block@vger.kernel.org>,
	<jens.axboe@oracle.com>, <namhyung@gmail.com>,
	<bharrosh@panasas.com>
Cc: Mingfangsen <mingfangsen@huawei.com>, <zhengbin13@huawei.com>,
	Guiyao <guiyao@huawei.com>, <ming.lei@redhat.com>
Subject: Re: [PATCH] blk-map: add kernel address validation in blk_rq_map_kern func
Date: Tue, 7 Jan 2020 14:51:04 +0800
Message-ID: <bc469dc8-19b6-d979-c061-075e52a355b0@huawei.com>
In-Reply-To: <91b13d6f-04b5-28b0-ea1b-d99564ecc898@oracle.com>

When we issued a scsi cmd, an oops occurred. The call stack was as follows.
Call trace:
  __memcpy+0x110/0x180
  bio_endio+0x118/0x190
  blk_update_request+0x94/0x378
  scsi_end_request+0x48/0x2a8
  scsi_io_completion+0xa4/0x6d0
  scsi_finish_command+0xd4/0x138
  scsi_softirq_done+0x13c/0x198
  blk_done_softirq+0xc4/0x108
  __do_softirq+0x120/0x324
  run_ksoftirqd+0x44/0x60
  smpboot_thread_fn+0x1ac/0x1e8
  kthread+0x134/0x138
  ret_from_fork+0x10/0x18
Since the oops is in the process of scsi cmd done, we have not added the oops
info to the commit log.

On 2020/1/7 12:05, Bob Liu wrote:
> On 1/7/20 10:38 AM, Zhiqiang Liu wrote:
>> Friendly ping...
>>
>> On 2019/12/30 20:17, Zhiqiang Liu wrote:
>>> From: renxudong <renxudong1@huawei.com>
>>>
>>> Blk_rq_map_kern func is used to map kernel data to a request,
>>> in which kbuf par should be a valid kernel buffer. However,
>>> kbuf par is only checked whether it is null in blk_rq_map_kern func.
>>>
>>> If users pass a non kernel address to blk_rq_map_kern func in the
>>> non-aligned scenario, the invalid kbuf will be set to bio->bi_private.
>>> When the request is completed, bio_copy_kern_endio_read will be called
>>> to copy data to the kernel address in bio->bi_private. If the bi_private
>>> is not a valid kernel address, the system will oops. In this case, we
> 
> This patch looks fine to me, but curious, did you trigger the real oops?
> If yes, it's better to add the oops info into the commit log.
> 
>>> cannot judge whether the bio structure is damaged or the kernel address is
>>> invalid.
>>>
>>> Here, we add kernel address validation by calling virt_addr_valid.
>>>
>>> Signed-off-by: renxudong <renxudong1@huawei.com>
>>> Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
>>> ---
>>>   block/blk-map.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/block/blk-map.c b/block/blk-map.c
>>> index 3a62e471d81b..7deb1b44d1e3 100644
>>> --- a/block/blk-map.c
>>> +++ b/block/blk-map.c
>>> @@ -229,7 +229,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
>>>
>>>   	if (len > (queue_max_hw_sectors(q) << 9))
>>>   		return -EINVAL;
>>> -	if (!len || !kbuf)
>>> +	if (!len || !virt_addr_valid(kbuf))
>>>   		return -EINVAL;
>>>
>>>   	do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
>>>
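Review bot: On the changed line, `!virt_addr_valid(kbuf)` rejects more than bad pointers. virt_addr_valid() only accepts linear-map addresses, so a vmalloc address, including an on-stack buffer on configurations where stacks are vmapped (CONFIG_VMAP_STACK), now gets -EINVAL before the `object_is_on_stack(kbuf)` test on the following line can route it to the copy path. The explicit NULL test is also dropped and left implicit in virt_addr_valid(). Suggest keeping `!kbuf` visible, stating in the function's comment which address ranges callers may pass, and including the oops trace in the commit log so the failure being guarded against is on record.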
>>
> 
> 
> .
> 

