* 4.10 and -stable fix for virtio_blk and virtually mapped stacks
@ 2017-01-04 5:25 Christoph Hellwig
2017-01-04 5:25 ` [PATCH] virtio_blk: avoid DMA to stack for the sense buffer Christoph Hellwig
0 siblings, 1 reply; 10+ messages in thread
From: Christoph Hellwig @ 2017-01-04 5:25 UTC (permalink / raw)
To: axboe, mst, jasowang; +Cc: linux-block, virtualization, linux-kernel
Without this fix attempts to do scsi passthrough on virtio_blk will crash
the system on virtually mapped stacks, which is something happening during
boot with many distros.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-04 5:25 4.10 and -stable fix for virtio_blk and virtually mapped stacks Christoph Hellwig
@ 2017-01-04 5:25 ` Christoph Hellwig
2017-01-04 7:44 ` Jason Wang
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Christoph Hellwig @ 2017-01-04 5:25 UTC (permalink / raw)
To: axboe, mst, jasowang; +Cc: linux-block, virtualization, linux-kernel
Most users of BLOCK_PC requests allocate the sense buffer on the stack,
so to avoid DMA to the stack copy them to a field in the heap allocated
virtblk_req structure. Without that any attempt at SCSI passthrough I/O,
including the SG_IO ioctl from userspace will crash the kernel. Note that
this includes running tools like hdparm even when the host does not have
SCSI passthrough enabled.
Signed-off-by: Christoph Hellwig <hch@lst.de>
---
drivers/block/virtio_blk.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
index 5545a67..3c3b8f6 100644
--- a/drivers/block/virtio_blk.c
+++ b/drivers/block/virtio_blk.c
@@ -56,6 +56,7 @@ struct virtblk_req {
struct virtio_blk_outhdr out_hdr;
struct virtio_scsi_inhdr in_hdr;
u8 status;
+ u8 sense[SCSI_SENSE_BUFFERSIZE];
struct scatterlist sg[];
};
@@ -102,7 +103,8 @@ static int __virtblk_add_req(struct virtqueue *vq,
}
if (type == cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_SCSI_CMD)) {
- sg_init_one(&sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE);
+ memcpy(vbr->sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE);
+ sg_init_one(&sense, vbr->sense, SCSI_SENSE_BUFFERSIZE);
sgs[num_out + num_in++] = &sense;
sg_init_one(&inhdr, &vbr->in_hdr, sizeof(vbr->in_hdr));
sgs[num_out + num_in++] = &inhdr;
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-04 5:25 ` [PATCH] virtio_blk: avoid DMA to stack for the sense buffer Christoph Hellwig
@ 2017-01-04 7:44 ` Jason Wang
2017-01-09 13:35 ` Christoph Hellwig
2017-01-04 15:47 ` 王金浦
2017-01-09 16:33 ` Michael S. Tsirkin
2 siblings, 1 reply; 10+ messages in thread
From: Jason Wang @ 2017-01-04 7:44 UTC (permalink / raw)
To: Christoph Hellwig, axboe, mst; +Cc: linux-block, virtualization, linux-kernel
On 2017年01月04日 13:25, Christoph Hellwig wrote:
> Most users of BLOCK_PC requests allocate the sense buffer on the stack,
> so to avoid DMA to the stack copy them to a field in the heap allocated
> virtblk_req structure. Without that any attempt at SCSI passthrough I/O,
> including the SG_IO ioctl from userspace will crash the kernel. Note that
> this includes running tools like hdparm even when the host does not have
> SCSI passthrough enabled.
>
> Signed-off-by: Christoph Hellwig <hch@lst.de>
> ---
> drivers/block/virtio_blk.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
> index 5545a67..3c3b8f6 100644
> --- a/drivers/block/virtio_blk.c
> +++ b/drivers/block/virtio_blk.c
> @@ -56,6 +56,7 @@ struct virtblk_req {
> struct virtio_blk_outhdr out_hdr;
> struct virtio_scsi_inhdr in_hdr;
> u8 status;
> + u8 sense[SCSI_SENSE_BUFFERSIZE];
> struct scatterlist sg[];
> };
>
> @@ -102,7 +103,8 @@ static int __virtblk_add_req(struct virtqueue *vq,
> }
>
> if (type == cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_SCSI_CMD)) {
> - sg_init_one(&sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE);
> + memcpy(vbr->sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE);
> + sg_init_one(&sense, vbr->sense, SCSI_SENSE_BUFFERSIZE);
> sgs[num_out + num_in++] = &sense;
> sg_init_one(&inhdr, &vbr->in_hdr, sizeof(vbr->in_hdr));
> sgs[num_out + num_in++] = &inhdr;
Acked-by: Jason Wang <jasowang@redhat.com>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-04 5:25 ` [PATCH] virtio_blk: avoid DMA to stack for the sense buffer Christoph Hellwig
2017-01-04 7:44 ` Jason Wang
@ 2017-01-04 15:47 ` 王金浦
2017-01-05 9:57 ` Christoph Hellwig
2017-01-09 16:33 ` Michael S. Tsirkin
2 siblings, 1 reply; 10+ messages in thread
From: 王金浦 @ 2017-01-04 15:47 UTC (permalink / raw)
To: Christoph Hellwig
Cc: Jens Axboe, mst, jasowang, linux-block, virtualization, LKML
Hi Christoph,
2017-01-04 6:25 GMT+01:00 Christoph Hellwig <hch@lst.de>:
> Most users of BLOCK_PC requests allocate the sense buffer on the stack,
> so to avoid DMA to the stack copy them to a field in the heap allocated
> virtblk_req structure. Without that any attempt at SCSI passthrough I/O,
> including the SG_IO ioctl from userspace will crash the kernel. Note that
> this includes running tools like hdparm even when the host does not have
> SCSI passthrough enabled.
This sounds scary.
Could you share how to reproduce it, this should go into stable if
it's the case.
Thanks,
Jinpu
>
> Signed-off-by: Christoph Hellwig <hch@lst.de>
> ---
> drivers/block/virtio_blk.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
> index 5545a67..3c3b8f6 100644
> --- a/drivers/block/virtio_blk.c
> +++ b/drivers/block/virtio_blk.c
> @@ -56,6 +56,7 @@ struct virtblk_req {
> struct virtio_blk_outhdr out_hdr;
> struct virtio_scsi_inhdr in_hdr;
> u8 status;
> + u8 sense[SCSI_SENSE_BUFFERSIZE];
> struct scatterlist sg[];
> };
>
> @@ -102,7 +103,8 @@ static int __virtblk_add_req(struct virtqueue *vq,
> }
>
> if (type == cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_SCSI_CMD)) {
> - sg_init_one(&sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE);
> + memcpy(vbr->sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE);
> + sg_init_one(&sense, vbr->sense, SCSI_SENSE_BUFFERSIZE);
> sgs[num_out + num_in++] = &sense;
> sg_init_one(&inhdr, &vbr->in_hdr, sizeof(vbr->in_hdr));
> sgs[num_out + num_in++] = &inhdr;
> --
> 2.1.4
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-04 15:47 ` 王金浦
@ 2017-01-05 9:57 ` Christoph Hellwig
2017-01-05 10:37 ` 王金浦
0 siblings, 1 reply; 10+ messages in thread
From: Christoph Hellwig @ 2017-01-05 9:57 UTC (permalink / raw)
To: 王金浦
Cc: Christoph Hellwig, Jens Axboe, mst, jasowang, linux-block,
virtualization, LKML
On Wed, Jan 04, 2017 at 04:47:03PM +0100, 王金浦 wrote:
> This sounds scary.
> Could you share how to reproduce it, this should go into stable if
> it's the case.
Step 1: Build your kernel with CONFIG_VMAP_STACK=y
Step 2: issue a SG_IO ioctl, e.g. sg_inq /dev/vda
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-05 9:57 ` Christoph Hellwig
@ 2017-01-05 10:37 ` 王金浦
2017-01-05 11:17 ` Christoph Hellwig
0 siblings, 1 reply; 10+ messages in thread
From: 王金浦 @ 2017-01-05 10:37 UTC (permalink / raw)
To: Christoph Hellwig
Cc: Jens Axboe, mst, jasowang, linux-block, virtualization, LKML
2017-01-05 10:57 GMT+01:00 Christoph Hellwig <hch@lst.de>:
> On Wed, Jan 04, 2017 at 04:47:03PM +0100, 王金浦 wrote:
>> This sounds scary.
>> Could you share how to reproduce it, this should go into stable if
>> it's the case.
>
> Step 1: Build your kernel with CONFIG_VMAP_STACK=y
> Step 2: issue a SG_IO ioctl, e.g. sg_inq /dev/vda
>
Thanks, so it's only relevant to kernel > 4.9, as CONFIG_VMAP_STACK
only introduced in 4.9 kernel.
Regards,
Jinpu
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-05 10:37 ` 王金浦
@ 2017-01-05 11:17 ` Christoph Hellwig
0 siblings, 0 replies; 10+ messages in thread
From: Christoph Hellwig @ 2017-01-05 11:17 UTC (permalink / raw)
To: 王金浦
Cc: Christoph Hellwig, Jens Axboe, mst, jasowang, linux-block,
virtualization, LKML
On Thu, Jan 05, 2017 at 11:37:46AM +0100, 王金浦 wrote:
> Thanks, so it's only relevant to kernel > 4.9, as CONFIG_VMAP_STACK
> only introduced in 4.9 kernel.
kernel >= 4.9, but otherwise, yes.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-04 7:44 ` Jason Wang
@ 2017-01-09 13:35 ` Christoph Hellwig
2017-01-09 15:56 ` Jens Axboe
0 siblings, 1 reply; 10+ messages in thread
From: Christoph Hellwig @ 2017-01-09 13:35 UTC (permalink / raw)
To: Jason Wang
Cc: Christoph Hellwig, axboe, mst, linux-block, virtualization, linux-kernel
Is someone going to pick the patch up and send it to Linus? I keep
running into all kinds of boot failures whenever I forget to cherry
pick it into my development trees..
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-09 13:35 ` Christoph Hellwig
@ 2017-01-09 15:56 ` Jens Axboe
0 siblings, 0 replies; 10+ messages in thread
From: Jens Axboe @ 2017-01-09 15:56 UTC (permalink / raw)
To: Christoph Hellwig, Jason Wang
Cc: mst, linux-block, virtualization, linux-kernel
On 01/09/2017 06:35 AM, Christoph Hellwig wrote:
> Is someone going to pick the patch up and send it to Linus? I keep
> running into all kinds of boot failures whenever I forget to cherry
> pick it into my development trees..
I'll add it.
--
Jens Axboe
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-04 5:25 ` [PATCH] virtio_blk: avoid DMA to stack for the sense buffer Christoph Hellwig
2017-01-04 7:44 ` Jason Wang
2017-01-04 15:47 ` 王金浦
@ 2017-01-09 16:33 ` Michael S. Tsirkin
2 siblings, 0 replies; 10+ messages in thread
From: Michael S. Tsirkin @ 2017-01-09 16:33 UTC (permalink / raw)
To: Christoph Hellwig
Cc: axboe, jasowang, linux-block, virtualization, linux-kernel
On Wed, Jan 04, 2017 at 08:25:05AM +0300, Christoph Hellwig wrote:
> Most users of BLOCK_PC requests allocate the sense buffer on the stack,
> so to avoid DMA to the stack copy them to a field in the heap allocated
> virtblk_req structure. Without that any attempt at SCSI passthrough I/O,
> including the SG_IO ioctl from userspace will crash the kernel. Note that
> this includes running tools like hdparm even when the host does not have
> SCSI passthrough enabled.
>
> Signed-off-by: Christoph Hellwig <hch@lst.de>
> ---
> drivers/block/virtio_blk.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
> index 5545a67..3c3b8f6 100644
> --- a/drivers/block/virtio_blk.c
> +++ b/drivers/block/virtio_blk.c
> @@ -56,6 +56,7 @@ struct virtblk_req {
> struct virtio_blk_outhdr out_hdr;
> struct virtio_scsi_inhdr in_hdr;
> u8 status;
> + u8 sense[SCSI_SENSE_BUFFERSIZE];
> struct scatterlist sg[];
> };
>
> @@ -102,7 +103,8 @@ static int __virtblk_add_req(struct virtqueue *vq,
> }
>
> if (type == cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_SCSI_CMD)) {
> - sg_init_one(&sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE);
> + memcpy(vbr->sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE);
> + sg_init_one(&sense, vbr->sense, SCSI_SENSE_BUFFERSIZE);
I would prefer sizeof(vbr->sense) here to avoid duplication.
Otherwise:
Acked-by: Michael S. Tsirkin <mst@redhat.com>
> sgs[num_out + num_in++] = &sense;
> sg_init_one(&inhdr, &vbr->in_hdr, sizeof(vbr->in_hdr));
> sgs[num_out + num_in++] = &inhdr;
> --
> 2.1.4
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2017-01-09 16:33 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-04 5:25 4.10 and -stable fix for virtio_blk and virtually mapped stacks Christoph Hellwig
2017-01-04 5:25 ` [PATCH] virtio_blk: avoid DMA to stack for the sense buffer Christoph Hellwig
2017-01-04 7:44 ` Jason Wang
2017-01-09 13:35 ` Christoph Hellwig
2017-01-09 15:56 ` Jens Axboe
2017-01-04 15:47 ` 王金浦
2017-01-05 9:57 ` Christoph Hellwig
2017-01-05 10:37 ` 王金浦
2017-01-05 11:17 ` Christoph Hellwig
2017-01-09 16:33 ` Michael S. Tsirkin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).