public inbox for linux-block@vger.kernel.org
* [PATCH V2] ublk: use unchecked copy helpers for bio page data
@ 2026-04-01  1:24 Ming Lei
  2026-04-01 15:15 ` Caleb Sander Mateos
  2026-04-01 15:19 ` Jens Axboe
  0 siblings, 2 replies; 4+ messages in thread
From: Ming Lei @ 2026-04-01  1:24 UTC (permalink / raw)
  To: Jens Axboe, linux-block; +Cc: Caleb Sander Mateos, Ming Lei

Bio pages may originate from slab caches that lack a usercopy region
(e.g. jbd2 frozen metadata buffers allocated via jbd2_alloc()).
When CONFIG_HARDENED_USERCOPY is enabled, copy_to_iter() calls
check_copy_size() which rejects these slab pages, triggering a
kernel BUG in usercopy_abort().

This is a false positive: the data is ordinary block I/O content —
the same data the loop/nbd driver writes to its backing file via
vfs_iter_write().  The bvec length is always trusted, so the size
check in check_copy_size() is not needed either.

Switch to _copy_to_iter()/_copy_from_iter() which skip the
check_copy_size() wrapper while the underlying copy_to_user()
remains unchanged.

Fixes: 2299ceec364e ("ublk: use copy_{to,from}_iter() for user copy")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
V2:
	- update commit log (Caleb Sander Mateos)

 drivers/block/ublk_drv.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 2e475bdc54dd..3e329906ae19 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -1322,10 +1322,18 @@ static bool ublk_copy_user_bvec(const struct bio_vec *bv, unsigned *offset,
 
 	len = bv->bv_len - *offset;
 	bv_buf = kmap_local_page(bv->bv_page) + bv->bv_offset + *offset;
+	/*
+	 * Bio pages may originate from slab caches without a usercopy region
+	 * (e.g. jbd2 frozen metadata buffers).  This is the same data that
+	 * the loop driver writes to its backing file — no exposure risk.
+	 * The bvec length is always trusted, so the size check in
+	 * check_copy_size() is not needed either.  Use the unchecked
+	 * helpers to avoid false positives on slab pages.
+	 */
 	if (dir == ITER_DEST)
-		copied = copy_to_iter(bv_buf, len, uiter);
+		copied = _copy_to_iter(bv_buf, len, uiter);
 	else
-		copied = copy_from_iter(bv_buf, len, uiter);
+		copied = _copy_from_iter(bv_buf, len, uiter);
 
 	kunmap_local(bv_buf);
 
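Review bot: the new comment justifies the change for "slab pages" only, but the switch to _copy_to_iter()/_copy_from_iter() drops the check_copy_size() object-bounds check for every bvec ublk copies, not just the jbd2 frozen-buffer case; after this hunk the only bound on the copy is bv->bv_len/bv->bv_offset, so the comment should say so and point at where those are validated when the bio is built (the commit log's "always trusted" is asserted, not referenced). Suggest rewording the last two sentences to something like "The bvec bounds are validated at bio construction, so we rely on them alone and skip check_copy_size() for all bio pages, whether slab-backed or not." Minor: the em dash in "backing file — no exposure risk" is a non-ASCII character in a kernel source comment and already shows up as "?" in the quoted replies in this thread; plain "--" or a comma is safer.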
-- 
2.53.0



* Re: [PATCH V2] ublk: use unchecked copy helpers for bio page data
  2026-04-01  1:24 [PATCH V2] ublk: use unchecked copy helpers for bio page data Ming Lei
@ 2026-04-01 15:15 ` Caleb Sander Mateos
  2026-04-01 15:19 ` Jens Axboe
  1 sibling, 0 replies; 4+ messages in thread
From: Caleb Sander Mateos @ 2026-04-01 15:15 UTC (permalink / raw)
  To: Ming Lei; +Cc: Jens Axboe, linux-block

On Tue, Mar 31, 2026 at 6:24 PM Ming Lei <ming.lei@redhat.com> wrote:
>
> Bio pages may originate from slab caches that lack a usercopy region
> (e.g. jbd2 frozen metadata buffers allocated via jbd2_alloc()).
> When CONFIG_HARDENED_USERCOPY is enabled, copy_to_iter() calls
> check_copy_size() which rejects these slab pages, triggering a
> kernel BUG in usercopy_abort().
>
> This is a false positive: the data is ordinary block I/O content —
> the same data the loop/nbd driver writes to its backing file via
> vfs_iter_write().  The bvec length is always trusted, so the size
> check in check_copy_size() is not needed either.
>
> Switch to _copy_to_iter()/_copy_from_iter() which skip the
> check_copy_size() wrapper while the underlying copy_to_user()
> remains unchanged.
>
> Fixes: 2299ceec364e ("ublk: use copy_{to,from}_iter() for user copy")
> Signed-off-by: Ming Lei <ming.lei@redhat.com>

Acked-by: Caleb Sander Mateos <csander@purestorage.com>

> ---
> V2:
>         - update commit log (Caleb Sander Mateos)
>
>  drivers/block/ublk_drv.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
> index 2e475bdc54dd..3e329906ae19 100644
> --- a/drivers/block/ublk_drv.c
> +++ b/drivers/block/ublk_drv.c
> @@ -1322,10 +1322,18 @@ static bool ublk_copy_user_bvec(const struct bio_vec *bv, unsigned *offset,
>
>         len = bv->bv_len - *offset;
>         bv_buf = kmap_local_page(bv->bv_page) + bv->bv_offset + *offset;
> +       /*
> +        * Bio pages may originate from slab caches without a usercopy region
> +        * (e.g. jbd2 frozen metadata buffers).  This is the same data that
> +        * the loop driver writes to its backing file — no exposure risk.
> +        * The bvec length is always trusted, so the size check in
> +        * check_copy_size() is not needed either.  Use the unchecked
> +        * helpers to avoid false positives on slab pages.
> +        */
>         if (dir == ITER_DEST)
> -               copied = copy_to_iter(bv_buf, len, uiter);
> +               copied = _copy_to_iter(bv_buf, len, uiter);
>         else
> -               copied = copy_from_iter(bv_buf, len, uiter);
> +               copied = _copy_from_iter(bv_buf, len, uiter);
>
>         kunmap_local(bv_buf);
>
> --
> 2.53.0
>


* Re: [PATCH V2] ublk: use unchecked copy helpers for bio page data
  2026-04-01  1:24 [PATCH V2] ublk: use unchecked copy helpers for bio page data Ming Lei
  2026-04-01 15:15 ` Caleb Sander Mateos
@ 2026-04-01 15:19 ` Jens Axboe
  2026-04-01 15:36   ` Ming Lei
  1 sibling, 1 reply; 4+ messages in thread
From: Jens Axboe @ 2026-04-01 15:19 UTC (permalink / raw)
  To: Ming Lei, linux-block; +Cc: Caleb Sander Mateos

On 3/31/26 7:24 PM, Ming Lei wrote:
> Bio pages may originate from slab caches that lack a usercopy region
> (e.g. jbd2 frozen metadata buffers allocated via jbd2_alloc()).
> When CONFIG_HARDENED_USERCOPY is enabled, copy_to_iter() calls
> check_copy_size() which rejects these slab pages, triggering a
> kernel BUG in usercopy_abort().
> 
> This is a false positive: the data is ordinary block I/O content —
> the same data the loop/nbd driver writes to its backing file via
> vfs_iter_write().  The bvec length is always trusted, so the size
> check in check_copy_size() is not needed either.
> 
> Switch to _copy_to_iter()/_copy_from_iter() which skip the
> check_copy_size() wrapper while the underlying copy_to_user()
> remains unchanged.
> 
> Fixes: 2299ceec364e ("ublk: use copy_{to,from}_iter() for user copy")
> Signed-off-by: Ming Lei <ming.lei@redhat.com>
> ---
> V2:
> 	- update commit log (Caleb Sander Mateos)
> 
>  drivers/block/ublk_drv.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
> index 2e475bdc54dd..3e329906ae19 100644
> --- a/drivers/block/ublk_drv.c
> +++ b/drivers/block/ublk_drv.c
> @@ -1322,10 +1322,18 @@ static bool ublk_copy_user_bvec(const struct bio_vec *bv, unsigned *offset,
>  
>  	len = bv->bv_len - *offset;
>  	bv_buf = kmap_local_page(bv->bv_page) + bv->bv_offset + *offset;
> +	/*
> +	 * Bio pages may originate from slab caches without a usercopy region
> +	 * (e.g. jbd2 frozen metadata buffers).  This is the same data that
> +	 * the loop driver writes to its backing file ? no exposure risk.
> +	 * The bvec length is always trusted, so the size check in
> +	 * check_copy_size() is not needed either.  Use the unchecked
> +	 * helpers to avoid false positives on slab pages.
> +	 */
>  	if (dir == ITER_DEST)
> -		copied = copy_to_iter(bv_buf, len, uiter);
> +		copied = _copy_to_iter(bv_buf, len, uiter);
>  	else
> -		copied = copy_from_iter(bv_buf, len, uiter);
> +		copied = _copy_from_iter(bv_buf, len, uiter);
>  
>  	kunmap_local(bv_buf);

Is this just a jbd2 issue? Because we can just get the slab marked
appropriately to not trigger these warnings.

-- 
Jens Axboe


* Re: [PATCH V2] ublk: use unchecked copy helpers for bio page data
  2026-04-01 15:19 ` Jens Axboe
@ 2026-04-01 15:36   ` Ming Lei
  0 siblings, 0 replies; 4+ messages in thread
From: Ming Lei @ 2026-04-01 15:36 UTC (permalink / raw)
  To: Jens Axboe; +Cc: linux-block, Caleb Sander Mateos

On Wed, Apr 01, 2026 at 09:19:23AM -0600, Jens Axboe wrote:
> On 3/31/26 7:24 PM, Ming Lei wrote:
> > Bio pages may originate from slab caches that lack a usercopy region
> > (e.g. jbd2 frozen metadata buffers allocated via jbd2_alloc()).
> > When CONFIG_HARDENED_USERCOPY is enabled, copy_to_iter() calls
> > check_copy_size() which rejects these slab pages, triggering a
> > kernel BUG in usercopy_abort().
> > 
> > This is a false positive: the data is ordinary block I/O content —
> > the same data the loop/nbd driver writes to its backing file via
> > vfs_iter_write().  The bvec length is always trusted, so the size
> > check in check_copy_size() is not needed either.
> > 
> > Switch to _copy_to_iter()/_copy_from_iter() which skip the
> > check_copy_size() wrapper while the underlying copy_to_user()
> > remains unchanged.
> > 
> > Fixes: 2299ceec364e ("ublk: use copy_{to,from}_iter() for user copy")
> > Signed-off-by: Ming Lei <ming.lei@redhat.com>
> > ---
> > V2:
> > 	- update commit log (Caleb Sander Mateos)
> > 
> >  drivers/block/ublk_drv.c | 12 ++++++++++--
> >  1 file changed, 10 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
> > index 2e475bdc54dd..3e329906ae19 100644
> > --- a/drivers/block/ublk_drv.c
> > +++ b/drivers/block/ublk_drv.c
> > @@ -1322,10 +1322,18 @@ static bool ublk_copy_user_bvec(const struct bio_vec *bv, unsigned *offset,
> >  
> >  	len = bv->bv_len - *offset;
> >  	bv_buf = kmap_local_page(bv->bv_page) + bv->bv_offset + *offset;
> > +	/*
> > +	 * Bio pages may originate from slab caches without a usercopy region
> > +	 * (e.g. jbd2 frozen metadata buffers).  This is the same data that
> > +	 * the loop driver writes to its backing file ? no exposure risk.
> > +	 * The bvec length is always trusted, so the size check in
> > +	 * check_copy_size() is not needed either.  Use the unchecked
> > +	 * helpers to avoid false positives on slab pages.
> > +	 */
> >  	if (dir == ITER_DEST)
> > -		copied = copy_to_iter(bv_buf, len, uiter);
> > +		copied = _copy_to_iter(bv_buf, len, uiter);
> >  	else
> > -		copied = copy_from_iter(bv_buf, len, uiter);
> > +		copied = _copy_from_iter(bv_buf, len, uiter);
> >  
> >  	kunmap_local(bv_buf);
> 
> Is this just a jbd2 issue? Because we can just get the slab marked
> appropriately to not trigger these warnings.

If the ublk block device is permitted to mount an FS, it is inevitable to expose
the metadata to the ublk userspace daemon, the same as with loop or any other block device.

Any bio pages backed by slab without a usercopy region need to bypass the size check,
which isn't necessary either.


thanks,
Ming

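Added example, not part of this thread or of the kernel tree: a small userspace C model of the check the patch bypasses. It shows both the false positive the commit log describes (a buffer from a slab cache that has no usercopy region is rejected even though the copy stays inside the object) and the object-bounds check that _copy_to_iter() gives up for every bvec. The real kernel logic lives in check_copy_size(), check_object_size() and __check_heap_object(), which compare the copy range against the cache's useroffset/usersize recorded by kmem_cache_create_usercopy(); the model_* names, the constructed caches and the bvec values below are this example's own.

```c
/*
 * Added example (not the kernel's code): a userspace model of the
 * CONFIG_HARDENED_USERCOPY slab check that copy_to_iter() runs and
 * that _copy_to_iter() skips. Names prefixed model_ are invented here.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A slab cache with the usercopy region kmem_cache_create_usercopy()
 * records as useroffset/usersize; a cache created with plain
 * kmem_cache_create() has usersize 0 and so no whitelisted region. */
struct model_cache {
	const char *name;
	size_t object_size;
	size_t useroffset;
	size_t usersize;
};

/* One object allocated from a cache (a slab-backed bio page). */
struct model_object {
	const struct model_cache *cache;
	uint8_t *base;
};

/* Model of a bio_vec: an object, an offset into it and a length. */
struct model_bvec {
	const struct model_object *obj;
	size_t bv_offset;
	size_t bv_len;
};

enum copy_verdict {
	COPY_OK = 0,
	COPY_NO_USERCOPY_REGION,	/* cache was never whitelisted */
	COPY_OUT_OF_REGION,		/* range leaves the whitelisted region */
};

/* The hardened check: [ptr, ptr+len) must lie inside the cache's
 * usercopy region. In the kernel a failure ends in usercopy_abort(). */
static enum copy_verdict model_check_heap_object(const struct model_bvec *bv)
{
	const struct model_cache *c = bv->obj->cache;
	size_t off = bv->bv_offset;

	if (off > c->object_size || bv->bv_len > c->object_size - off)
		return COPY_OUT_OF_REGION;	/* not even inside the object */
	if (c->usersize == 0)
		return COPY_NO_USERCOPY_REGION;
	if (off < c->useroffset ||
	    bv->bv_len > c->usersize - (off - c->useroffset))
		return COPY_OUT_OF_REGION;
	return COPY_OK;
}

/* copy_to_iter() analogue: check first, copy only when allowed. */
size_t model_copy_to_iter(const struct model_bvec *bv, uint8_t *dst,
			  enum copy_verdict *verdict)
{
	*verdict = model_check_heap_object(bv);
	if (*verdict != COPY_OK)
		return 0;
	memcpy(dst, bv->obj->base + bv->bv_offset, bv->bv_len);
	return bv->bv_len;
}

/* _copy_to_iter() analogue: bvec bounds are trusted, no slab check. */
size_t model__copy_to_iter(const struct model_bvec *bv, uint8_t *dst)
{
	memcpy(dst, bv->obj->base + bv->bv_offset, bv->bv_len);
	return bv->bv_len;
}

/* Constructed caches: a buffer cache with no usercopy region (the
 * frozen-buffer case) and one that whitelists only bytes [64, 192). */
static const struct model_cache frozen_buf_cache = { "model_buf", 4096, 0, 0 };
static const struct model_cache whitelisted_cache = { "model_wl", 512, 64, 128 };

/* Commit-log scenario: a whole frozen buffer copied to the ublk daemon.
 * The checked path rejects it although the range is inside the object. */
enum copy_verdict frozen_buffer_checked(void)
{
	static uint8_t page[4096];
	uint8_t dst[4096];
	struct model_object obj = { &frozen_buf_cache, page };
	struct model_bvec bv = { &obj, 0, sizeof(page) };
	enum copy_verdict v;

	model_copy_to_iter(&bv, dst, &v);
	return v;
}

/* Same buffer through the unchecked helper: the copy goes through. */
size_t frozen_buffer_unchecked(void)
{
	static uint8_t page[4096];
	uint8_t dst[4096];
	struct model_object obj = { &frozen_buf_cache, page };
	struct model_bvec bv = { &obj, 512, 1024 };

	memset(page, 0xAB, sizeof(page));
	return model__copy_to_iter(&bv, dst) == 1024 && dst[0] == 0xAB ? 1024 : 0;
}

/* What the unchecked helper gives up: a bvec whose length overruns the
 * whitelisted region. The checked helper refuses it; _copy_to_iter()
 * relies solely on bv_len having been validated when the bio was built. */
enum copy_verdict overrun_checked(void)
{
	static uint8_t mem[512];
	uint8_t dst[512];
	struct model_object obj = { &whitelisted_cache, mem };
	struct model_bvec bv = { &obj, 64, 256 };	/* 64 + 256 > 64 + 128 */
	enum copy_verdict v;

	model_copy_to_iter(&bv, dst, &v);
	return v;
}

/* The in-region copy the whitelist exists for: allowed by the check. */
enum copy_verdict in_region_checked(void)
{
	static uint8_t mem[512];
	uint8_t dst[512];
	struct model_object obj = { &whitelisted_cache, mem };
	struct model_bvec bv = { &obj, 64, 128 };
	enum copy_verdict v;

	model_copy_to_iter(&bv, dst, &v);
	return v;
}
```

The two frozen_buffer_* functions are the situation the patch addresses: the same bytes, inside the same object, rejected by the checked helper purely because the cache has no usercopy region and accepted by the unchecked one. overrun_checked() is the trade-off Jens's question touches on: marking the cache with a usercopy region keeps the bounds check, while the unchecked helpers remove it for all bvecs and leave bv_len as the only bound.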

