From: Ming Lei <ming.lei@redhat.com>
To: Caleb Sander Mateos <csander@purestorage.com>
Cc: Jens Axboe <axboe@kernel.dk>, linux-block@vger.kernel.org
Subject: Re: [PATCH] ublk: use unchecked copy helpers for bio page data
Date: Sun, 29 Mar 2026 22:44:23 +0800 [thread overview]
Message-ID: <ack6x5tm2pc4hslL@fedora> (raw)
In-Reply-To: <CADUfDZo2pbwTsp_uJcTG+GYyBFmoU-5UPYu6dvAguRfgB_QWCA@mail.gmail.com>
On Sat, Mar 28, 2026 at 10:40:31AM -0700, Caleb Sander Mateos wrote:
> On Sat, Mar 28, 2026 at 6:43 AM Ming Lei <ming.lei@redhat.com> wrote:
> >
> > Bio pages may originate from slab caches that lack SLAB_USERCOPY
>
> What is SLAB_USERCOPY? The only references to it I can find are in
> comments in commit aa981a665d587 ("lkdtm: add usercopy tests").
>
Oops, I should have included the panic log here:
[ 41.604744] usercopy: Kernel memory exposure attempt detected from SLUB object 'jbd2_1k' (offset 0, size 1024)!
[ 41.607063] ------------[ cut here ]------------
[ 41.607290] kernel BUG at mm/usercopy.c:102!
[ 41.607502] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 41.607794] CPU: 0 UID: 0 PID: 2020 Comm: kublk Not tainted 7.0.0-rc3_next+ #616 PREEMPT(full)
[ 41.608261] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-8.fc42 06/10/2025
[ 41.608722] RIP: 0010:usercopy_abort+0x7a/0x7c
[ 41.608995] Code: 48 c7 c6 ab 55 2c 8b eb 0e 48 c7 c7 b0 92 2e 8b 48 c7 c6 b9 87 2b 8b 52 48 89 fa 48 c7 c7 30 73 1f 8b 50 41 52 e8 66 25 fe ff <0f> 0b 48 89 d9 49 89 e8 44 89 f2 31 f6 48 29 c1 48 c7 c7 00 56 2c
[ 41.609985] RSP: 0018:ffffd3dcca79fae0 EFLAGS: 00010246
[ 41.610286] RAX: 0000000000000063 RBX: ffff8d87ec655000 RCX: 0000000000000000
[ 41.610707] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8d87b5c1d440
[ 41.611111] RBP: 0000000000000400 R08: 0000000000000000 R09: 00000000fffeffff
[ 41.611556] R10: ffffffff8bc8c040 R11: ffffd3dcca79f968 R12: ffff8d87ec655400
[ 41.611913] R13: 0000000000000000 R14: 0000000000000001 R15: ffff8d85c400b000
[ 41.612375] FS: 00007f2ef3f066c0(0000) GS:ffff8d8828a82000(0000) knlGS:0000000000000000
[ 41.612832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.613186] CR2: 00007f2efc137000 CR3: 000000032c7f2006 CR4: 0000000000772ef0
[ 41.613623] PKRU: 55555554
[ 41.613811] Call Trace:
[ 41.613973] <TASK>
[ 41.614108] __check_heap_object+0xb8/0xd0
[ 41.614345] __check_object_size+0x1b8/0x250
[ 41.614639] ublk_copy_user_bvec.isra.0+0x65/0xf0 [ublk_drv]
[ 41.614981] ublk_copy_user_pages.isra.0+0xc5/0x130 [ublk_drv]
[ 41.615360] ublk_start_io+0xff/0x160 [ublk_drv]
[ 41.615669] ublk_dispatch_req+0x99/0x240 [ublk_drv]
[ 41.615969] ublk_cmd_list_tw_cb+0x2d/0x40 [ublk_drv]
[ 41.616248] __io_run_local_work_loop+0x7c/0x80
[ 41.616449] __io_run_local_work+0x159/0x230
[ 41.616634] io_run_local_work+0x31/0x50
[ 41.616977] io_cqring_wait+0x28e/0x680
[ 41.617292] ? __io_issue_sqe+0x3b/0x1b0
[ 41.617607] ? __pfx_io_wake_function+0x10/0x10
[ 41.617894] __do_sys_io_uring_enter+0x601/0x8b0
[ 41.618183] do_syscall_64+0x11c/0x15d0
[ 41.618443] ? switch_fpu_return+0x56/0xf0
[ 41.618719] ? do_syscall_64+0x2d6/0x15d0
[ 41.618994] ? do_syscall_64+0x11c/0x15d0
[ 41.619262] ? do_syscall_64+0x11c/0x15d0
[ 41.619525] ? clear_bhb_loop+0x30/0x80
[ 41.619785] ? clear_bhb_loop+0x30/0x80
[ 41.620049] ? clear_bhb_loop+0x30/0x80
[ 41.620302] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 41.620598] RIP: 0033:0x7f2f045876fc
[ 41.620853] Code: 0f b6 c0 48 8b 79 20 8b 3f 83 e7 01 44 0f 45 d0 41 83 ca 01 8b b9 cc 00 00 00 45 31 c0 41 b9 08 00 00 00 b8 aa 01 00 00 0f 05 <c3> 0f 1f 00 89 30 eb 9b 0f 1f 40 00 41 f6 c2 04 74 32 44 89 d0 41
[ 41.621710] RSP: 002b:00007f2ef3f05c38 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 41.622112] RAX: ffffffffffffffda RBX: 00007f2ef3f05cc0 RCX: 00007f2f045876fc
[ 41.622493] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000000
[ 41.622901] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000008
[ 41.623281] R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000002
[ 41.623649] R13: 0000000000000001 R14: 00007f2f0410c558 R15: 00000000000a6042
[ 41.624015] </TASK>
[ 41.624239] Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi target_core_pscsi target_core_file target_core_iblock iscsi_target_mod target_core_mod isofs nfsd auth_rpcgss nfs_acl lockd grace nfs_localio sunrpc vfat fat intel_rapl_msr intel_rapl_common kvm_intel kvm ppdev virtio_gpu virtio_net parport_pc parport net_failover i2c_i801 rapl i2c_smbus failover virtio_dma_buf bochs joydev vfio_pci vfio_pci_core vfio_iommu_type1 vfio irqbypass ublk_drv configs loop zram nvme uas nvme_core usb_storage virtio_scsi ghash_clmulni_intel virtio_blk nvme_keyring nvme_auth serio_raw scsi_dh_rdac scsi_dh_emc scsi_dh_alua fuse dm_multipath qemu_fw_cfg
[ 41.626838] Dumping ftrace buffer:
[ 41.627085] (ftrace buffer empty)
[ 41.627354] ---[ end trace 0000000000000000 ]---
Thanks,
Ming
next prev parent reply other threads:[~2026-03-29 14:44 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-28 13:42 [PATCH] ublk: use unchecked copy helpers for bio page data Ming Lei
2026-03-28 17:40 ` Caleb Sander Mateos
2026-03-29 14:44 ` Ming Lei [this message]
2026-03-31 17:15 ` Caleb Sander Mateos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ack6x5tm2pc4hslL@fedora \
--to=ming.lei@redhat.com \
--cc=axboe@kernel.dk \
--cc=csander@purestorage.com \
--cc=linux-block@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.