From: Oleksandr Natalenko <oleksandr@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: linux-scsi@vger.kernel.org, Saurav Kashyap <skashyap@marvell.com>,
Johannes Thumshirn <Johannes.Thumshirn@wdc.com>,
GR-QLogic-Storage-Upstream@marvell.com,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Jozef Bacik <jobacik@redhat.com>,
Laurence Oberman <loberman@redhat.com>,
Rob Evers <revers@redhat.com>
Subject: Re: [PATCH 0/3] scsi: qedf: sanitise uaccess
Date: Fri, 28 Jul 2023 09:05:07 +0200 [thread overview]
Message-ID: <3240893.aeNJFYEL58@redhat.com> (raw)
In-Reply-To: <20230728065819.139694-1-oleksandr@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 2193 bytes --]
On pátek 28. července 2023 8:58:16 CEST Oleksandr Natalenko wrote:
> qedf driver, debugfs part of it specifically, touches __user pointers
> directly for printing out info to userspace via sprintf(), which may
> cause crash like this:
>
> BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
> IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
> Oops: 0003 [#1] SMP
> Call Trace:
> [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
> [<ffffffffaa7aa556>] sprintf+0x56/0x80
> [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf]
> [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
> [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
>
> Avoid this by preparing the info in a kernel buffer first, either
> allocated on stack for small printouts, or via vmalloc() for big ones,
> and then copying it to the userspace properly.
>
> Previous submission is an RFC: [1]. There are no code changes since
> then. The RFC prefix is dropped. The Tested-by tag from Laurence is
> added.
>
> There's similar submission from Saurav [2], but we agreed I could nack
> it and proceed with my one.
>
> [1] https://lore.kernel.org/linux-scsi/20230724120241.40495-1-oleksandr@redhat.com/
> [2] https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/
>
> Oleksandr Natalenko (3):
> scsi: qedf: do not touch __user pointer in
> qedf_dbg_stop_io_on_error_cmd_read() directly
> scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read()
> directly
> scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read()
> directly
>
> drivers/scsi/qedf/qedf_dbg.h | 2 ++
> drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-------------
> 2 files changed, 23 insertions(+), 14 deletions(-)
>
>
Oops, I forgot to add:
Reviewed-by: Laurence Oberman <loberman@redhat.com>
as per [1].
My ask to the maintainer to add it if the submission is accepted, or let me know if I should do a v2 instead.
[1] https://lore.kernel.org/linux-scsi/4f35b02968a18e636e1689c9d52729ef63a438f9.camel@redhat.com/
--
Oleksandr Natalenko (post-factum)
Principal Software Maintenance Engineer
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2023-07-28 7:06 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 6:58 [PATCH 0/3] scsi: qedf: sanitise uaccess Oleksandr Natalenko
2023-07-28 6:58 ` [PATCH 1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly Oleksandr Natalenko
2023-07-28 15:23 ` David Laight
2023-07-31 8:01 ` Oleksandr Natalenko
2023-07-28 6:58 ` [PATCH 2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly Oleksandr Natalenko
2023-07-28 15:26 ` David Laight
2023-07-31 8:11 ` Oleksandr Natalenko
2023-07-28 6:58 ` [PATCH 3/3] scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly Oleksandr Natalenko
2023-07-28 7:05 ` Oleksandr Natalenko [this message]
2023-07-28 7:26 ` [EXT] [PATCH 0/3] scsi: qedf: sanitise uaccess Saurav Kashyap
2023-07-28 8:37 ` Johannes Thumshirn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3240893.aeNJFYEL58@redhat.com \
--to=oleksandr@redhat.com \
--cc=GR-QLogic-Storage-Upstream@marvell.com \
--cc=Johannes.Thumshirn@wdc.com \
--cc=jejb@linux.ibm.com \
--cc=jobacik@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=loberman@redhat.com \
--cc=martin.petersen@oracle.com \
--cc=revers@redhat.com \
--cc=skashyap@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.