From: renxudong <renxudong1@huawei.com>
To: Bob Liu <bob.liu@oracle.com>,
Zhiqiang Liu <liuzhiqiang26@huawei.com>,
Jens Axboe <axboe@kernel.dk>, <linux-block@vger.kernel.org>,
<jens.axboe@oracle.com>, <namhyung@gmail.com>,
<bharrosh@panasas.com>
Cc: Mingfangsen <mingfangsen@huawei.com>, <zhengbin13@huawei.com>,
Guiyao <guiyao@huawei.com>, <ming.lei@redhat.com>
Subject: Re: [PATCH] blk-map: add kernel address validation in blk_rq_map_kern func
Date: Tue, 7 Jan 2020 14:51:04 +0800
Message-ID: <bc469dc8-19b6-d979-c061-075e52a355b0@huawei.com>
In-Reply-To: <91b13d6f-04b5-28b0-ea1b-d99564ecc898@oracle.com>

When we issued a scsi cmd, an oops occurred. The call stack was as follows.

Call trace:
 __memcpy+0x110/0x180
 bio_endio+0x118/0x190
 blk_update_request+0x94/0x378
 scsi_end_request+0x48/0x2a8
 scsi_io_completion+0xa4/0x6d0
 scsi_finish_command+0xd4/0x138
 scsi_softirq_done+0x13c/0x198
 blk_done_softirq+0xc4/0x108
 __do_softirq+0x120/0x324
 run_ksoftirqd+0x44/0x60
 smpboot_thread_fn+0x1ac/0x1e8
 kthread+0x134/0x138
 ret_from_fork+0x10/0x18

Since the oops is in the process of scsi cmd done, we have not added the oops
info to the commit log.

On 2020/1/7 12:05, Bob Liu wrote:
> On 1/7/20 10:38 AM, Zhiqiang Liu wrote:
>> Friendly ping...
>>
>> On 2019/12/30 20:17, Zhiqiang Liu wrote:
>>> From: renxudong <renxudong1@huawei.com>
>>>
>>> Blk_rq_map_kern func is used to map kernel data to a request,
>>> in which kbuf par should be a valid kernel buffer. However,
>>> kbuf par is only checked whether it is null in blk_rq_map_kern func.
>>>
>>> If users pass a non kernel address to blk_rq_map_kern func in the
>>> non-aligned scenario, the invalid kbuf will be set to bio->bi_private.
>>> When the request is completed, bio_copy_kern_endio_read will be called
>>> to copy data to the kernel address in bio->bi_private. If the bi_private
>>> is not a valid kernel address, the system will oops. In this case, we
>
> This patch looks fine to me, but curious, did you trigger the real oops?
> If yes, it's better to add the oops info into the commit log.
>
>>> cannot judge whether the bio structure is damaged or the kernel address is
>>> invalid.
>>>
>>> Here, we add kernel address validation by calling virt_addr_valid.
>>>
>>> Signed-off-by: renxudong <renxudong1@huawei.com>
>>> Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
>>> ---
>>> block/blk-map.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/block/blk-map.c b/block/blk-map.c
>>> index 3a62e471d81b..7deb1b44d1e3 100644
>>> --- a/block/blk-map.c
>>> +++ b/block/blk-map.c
>>> @@ -229,7 +229,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
>>>
>>> if (len > (queue_max_hw_sectors(q) << 9))
>>> return -EINVAL;
>>> - if (!len || !kbuf)
>>> + if (!len || !virt_addr_valid(kbuf))
>>> return -EINVAL;
>>>
>>> do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
>>>
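Review bot: the new test `!virt_addr_valid(kbuf)` is narrower than "valid kernel buffer", and that matters for the unchanged context line `do_copy = ... || object_is_on_stack(kbuf)` right after it. virt_addr_valid() accepts only linear-map addresses, so a vmalloc'ed buffer, or an on-stack buffer on a kernel built with vmapped stacks, now returns -EINVAL before it can reach the bounce-copy path that the object_is_on_stack() check exists to select. Please either confirm that no caller passes such buffers and state the linear-map requirement in the function's kernel-doc, or use a check that still admits them. The explicit NULL test is also gone and now depends on virt_addr_valid() rejecting NULL; keeping `!kbuf ||` in the condition or adding a one-line comment would make that intent visible.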
>>
>
>
> .
>
Thread overview: 11+ messages
2019-12-30 12:17 [PATCH] blk-map: add kernel address validation in blk_rq_map_kern func Zhiqiang Liu
2020-01-07 2:38 ` Zhiqiang Liu
2020-01-07 4:05 ` Bob Liu
2020-01-07 6:51 ` renxudong [this message]
2020-01-08 15:07 ` Christoph Hellwig
2020-01-12 0:18 ` Bart Van Assche
2020-01-13 6:32 ` renxudong
2020-01-13 3:53 ` renxudong
2020-01-07 4:02 ` Jens Axboe
2020-01-08 13:31 ` Christoph Hellwig
2020-01-13 3:22 ` renxudong