linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Laurence Oberman <loberman@redhat.com>
To: Oleksandr Natalenko <oleksandr@redhat.com>, linux-kernel@vger.kernel.org
Cc: linux-scsi@vger.kernel.org, Saurav Kashyap <skashyap@marvell.com>,
	Javed Hasan <jhasan@marvell.com>,
	GR-QLogic-Storage-Upstream@marvell.com,
	"James E.J. Bottomley" <jejb@linux.ibm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Jozef Bacik <jobacik@redhat.com>, Rob Evers <revers@redhat.com>
Subject: Re: [RFC PATCH 0/3] scsi: qedf: sanitise uaccess
Date: Mon, 24 Jul 2023 12:27:55 -0400	[thread overview]
Message-ID: <4f35b02968a18e636e1689c9d52729ef63a438f9.camel@redhat.com> (raw)
In-Reply-To: <dd7c6170def7159b558b79d34520c3d5290e36b9.camel@redhat.com>

On Mon, 2023-07-24 at 09:03 -0400, Laurence Oberman wrote:
> On Mon, 2023-07-24 at 14:02 +0200, Oleksandr Natalenko wrote:
> > qedf driver, debugfs part of it specifically, touches __user
> > pointers
> > directly for printing out info to userspace via sprintf(), which
> > may
> > cause crash like this:
> > 
> > BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
> > IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
> > Oops: 0003 [#1] SMP
> > Call Trace:
> >  [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
> >  [<ffffffffaa7aa556>] sprintf+0x56/0x80
> >  [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90
> > [qedf]
> >  [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
> >  [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
> > 
> > Avoid this by preparing the info in a kernel buffer first, either
> > allocated on stack for small printouts, or via vmalloc() for big
> > ones,
> > and then copying it to the userspace properly.
> > 
> > I'm not sure how big the vmalloc()'ed buffer should be, and also
> > whether
> > vmalloc()'ing it directly in the _read() function is a good idea,
> > hence
> > RFC prefix.
> > 
> > The qedf_dbg_stop_io_on_error_cmd_read()-related patch is actually
> > tested,
> > the rest is compile-tested only.
> > 
> > Oleksandr Natalenko (3):
> >   scsi: qedf: do not touch __user pointer in
> >     qedf_dbg_stop_io_on_error_cmd_read() directly
> >   scsi: qedf: do not touch __user pointer in
> > qedf_dbg_debug_cmd_read()
> >     directly
> >   scsi: qedf: do not touch __user pointer in
> > qedf_dbg_fp_int_cmd_read()
> >     directly
> > 
> >  drivers/scsi/qedf/qedf_dbg.h     |  2 ++
> >  drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++---------
> > --
> > --
> >  2 files changed, 23 insertions(+), 14 deletions(-)
> > 
> > --
> > 2.41.0
> > 
> 
> I will test the series, the one patch was already tested.
> This was reproduced in our LAB
> Will report back after testing
> 
> Regards
> Laurence

For the series:  Against 6.5.0-rc3
Makes sense to me and tested.

Reviewed-by: Laurence Oberman <loberman@redhat.com>
Tested-by: Laurence Oberman <loberman@redhat.com>


[root@segstorage5 host2]# ls
clear_stats  debug  driver_stats  fp_int  io_trace  offload_stats 
stop_io_on_error
[root@segstorage5 host2]# cat stop_io_on_error
false
[root@segstorage5 host2]# cat debug
debug mask = 0x2
[root@segstorage5 host2]# cat fp_int

Fastpath I/O completions

#0: 792
#1: 1242
#2: 1151
#3: 978
#4: 775
#5: 855
#6: 899
#7: 643
#8: 801
#9: 1013
#10: 956
#11: 678
#12: 703
#13: 817
#14: 932
#15: 614


      reply	other threads:[~2023-07-24 16:28 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-24 12:02 [RFC PATCH 0/3] scsi: qedf: sanitise uaccess Oleksandr Natalenko
2023-07-24 12:02 ` [RFC PATCH 1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly Oleksandr Natalenko
2023-07-24 12:02 ` [RFC PATCH 2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly Oleksandr Natalenko
2023-07-24 12:02 ` [RFC PATCH 3/3] scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly Oleksandr Natalenko
2023-07-24 13:03 ` [RFC PATCH 0/3] scsi: qedf: sanitise uaccess Laurence Oberman
2023-07-24 16:27   ` Laurence Oberman [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4f35b02968a18e636e1689c9d52729ef63a438f9.camel@redhat.com \
    --to=loberman@redhat.com \
    --cc=GR-QLogic-Storage-Upstream@marvell.com \
    --cc=jejb@linux.ibm.com \
    --cc=jhasan@marvell.com \
    --cc=jobacik@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    --cc=oleksandr@redhat.com \
    --cc=revers@redhat.com \
    --cc=skashyap@marvell.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).