From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
To: Jens Axboe <axboe@kernel.dk>, <linux-block@vger.kernel.org>,
	<jens.axboe@oracle.com>, <namhyung@gmail.com>,
	<bharrosh@panasas.com>, renxudong <renxudong1@huawei.com>
Cc: Mingfangsen <mingfangsen@huawei.com>, <zhengbin13@huawei.com>,
	Guiyao <guiyao@huawei.com>
Subject: [PATCH] blk-map: add kernel address validation in blk_rq_map_kern func
Date: Mon, 30 Dec 2019 20:17:41 +0800
Message-ID: <239c8928-aea0-abe9-a75d-dc3f1b573ec5@huawei.com>

From: renxudong <renxudong1@huawei.com>

The blk_rq_map_kern function is used to map kernel data to a request,
in which the kbuf parameter should be a valid kernel buffer. However,
the kbuf parameter is only checked for NULL in blk_rq_map_kern.

If users pass a non-kernel address to blk_rq_map_kern in the
non-aligned scenario, the invalid kbuf will be set to bio->bi_private.
When the request is completed, bio_copy_kern_endio_read will be called
to copy data to the kernel address in bio->bi_private. If bi_private
is not a valid kernel address, the system will oops. In this case, we
cannot judge whether the bio structure is damaged or the kernel address is
invalid.

Here, we add kernel address validation by calling virt_addr_valid.

Signed-off-by: renxudong <renxudong1@huawei.com>
Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
---
 block/blk-map.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/blk-map.c b/block/blk-map.c
index 3a62e471d81b..7deb1b44d1e3 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -229,7 +229,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,

 	if (len > (queue_max_hw_sectors(q) << 9))
 		return -EINVAL;
-	if (!len || !kbuf)
+	if (!len || !virt_addr_valid(kbuf))
 		return -EINVAL;

 	do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
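
Review bot: the replacement test "if (!len || !virt_addr_valid(kbuf))" rejects more than bad pointers, and it conflicts with the context line right below it. virt_addr_valid() is true only for addresses in the kernel linear mapping, so a kbuf in vmalloc space fails it. With CONFIG_VMAP_STACK the stack lives in vmalloc space, which means an on-stack kbuf now gets -EINVAL before "do_copy = ... || object_is_on_stack(kbuf)" can bounce it through the copy path that exists for exactly that case. The check also looks only at the first byte of the buffer, not at kbuf + len - 1, and the explicit NULL test is gone, leaving NULL rejection to the per-architecture virt_addr_valid() implementation. Suggest keeping "!kbuf" as is, and if a sanity check is still wanted, making it a separate test that accepts stack and vmalloc addresses and covers the end of the buffer, with the function comment stating which address types callers may pass.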
-- 
2.24.0.windows.2


Thread overview: 11+ messages
2019-12-30 12:17 Zhiqiang Liu [this message]
2020-01-07  2:38 ` [PATCH] blk-map: add kernel address validation in blk_rq_map_kern func Zhiqiang Liu
2020-01-07  4:05   ` Bob Liu
2020-01-07  6:51     ` renxudong
2020-01-08 15:07       ` Christoph Hellwig
2020-01-12  0:18         ` Bart Van Assche
2020-01-13  6:32           ` renxudong
2020-01-13  3:53         ` renxudong
2020-01-07  4:02 ` Jens Axboe
2020-01-08 13:31 ` Christoph Hellwig
2020-01-13  3:22   ` renxudong
