On Thu, Feb 21, 2019 at 06:23:17PM +0300, Vasily Averin wrote:
> In "XFS over network block device" scenario XFS can create IO requests
> with slab-based XFS metadata. During processing such requests
> tcp_sendpage() can merge skb fragments with neighbour slab objects.
> 
> If receiving side is located on the same host tcp_recvmsg() can trigger
> BUG_ON in hardening check and crash the host with following message:
> 
> usercopy: kernel memory exposure attempt detected
>               from XXXXXXXX (kmalloc-512) (1024 bytes)
> 
> This patch redirect such requests from sednpage to sendmsg path.
> The problem is similar to one described in recent commit 7e241f647dc7
> ("libceph: fall back to sendmsg for slab pages")
> 
> Signed-off-by: Vasily Averin <v...@virtuozzo.com>

This seems reasonable to me, I'm relying on Vasily's testing for now but
it seems right.

Acked-by: Chris Leech <cle...@redhat.com>

> ---
>  drivers/scsi/libiscsi_tcp.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/scsi/libiscsi_tcp.c b/drivers/scsi/libiscsi_tcp.c
> index 8a6b1b3f8277..66d97d3bef5a 100644
> --- a/drivers/scsi/libiscsi_tcp.c
> +++ b/drivers/scsi/libiscsi_tcp.c
> @@ -129,12 +129,17 @@ static void iscsi_tcp_segment_map(struct iscsi_segment 
> *segment, int recv)
>       BUG_ON(sg->length == 0);
>  
>       /*
> +      * We always map for the recv path.
> +      *
>        * If the page count is greater than one it is ok to send
>        * to the network layer's zero copy send path. If not we
> -      * have to go the slow sendmsg path. We always map for the
> -      * recv path.
> +      * have to go the slow sendmsg path.
> +      *
> +      * Same goes for slab pages: skb_can_coalesce() allows
> +      * coalescing neighboring slab objects into a single frag which
> +      * triggers one of hardened usercopy checks.
>        */
> -     if (page_count(sg_page(sg)) >= 1 && !recv)
> +     if (!recv && page_count(sg_page(sg)) >= 1 && !PageSlab(sg_page(sg)))
>               return;
>  
>       if (recv) {
> -- 
> 2.17.1


-- 
You received this message because you are subscribed to the Google Groups 
"open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to open-iscsi+unsubscr...@googlegroups.com.
To post to this group, send email to open-iscsi@googlegroups.com.
Visit this group at https://groups.google.com/group/open-iscsi.
For more options, visit https://groups.google.com/d/optout.

Reply via email to