From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Christian A. Ehrhardt" <lk@c--e.de>,
syzbot+a532b03fdfee2c137666@syzkaller.appspotmail.com,
syzbot+63dec323ac56c28e644f@syzkaller.appspotmail.com,
Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>,
Sasha Levin <sashal@kernel.org>,
linux-block@vger.kernel.org
Subject: [PATCH AUTOSEL 6.7 10/23] block: Fix WARNING in _copy_from_iter
Date: Fri, 2 Feb 2024 13:39:06 -0500 [thread overview]
Message-ID: <20240202183926.540467-10-sashal@kernel.org> (raw)
In-Reply-To: <20240202183926.540467-1-sashal@kernel.org>
From: "Christian A. Ehrhardt" <lk@c--e.de>
[ Upstream commit 13f3956eb5681a4045a8dfdef48df5dc4d9f58a6 ]
Syzkaller reports a warning in _copy_from_iter because an
iov_iter is supposedly used in the wrong direction. The reason
is that syzcaller managed to generate a request with
a transfer direction of SG_DXFER_TO_FROM_DEV. This instructs
the kernel to copy user buffers into the kernel, read into
the copied buffers and then copy the data back to user space.
Thus the iovec is used in both directions.
Detect this situation in the block layer and construct a new
iterator with the correct direction for the copy-in.
Reported-by: syzbot+a532b03fdfee2c137666@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/0000000000009b92c10604d7a5e9@google.com/t/
Reported-by: syzbot+63dec323ac56c28e644f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/0000000000003faaa105f6e7c658@google.com/T/
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240121202634.275068-1-lk@c--e.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-map.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/block/blk-map.c b/block/blk-map.c
index 8584babf3ea0..71210cdb3442 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -205,12 +205,19 @@ static int bio_copy_user_iov(struct request *rq, struct rq_map_data *map_data,
/*
* success
*/
- if ((iov_iter_rw(iter) == WRITE &&
- (!map_data || !map_data->null_mapped)) ||
- (map_data && map_data->from_user)) {
+ if (iov_iter_rw(iter) == WRITE &&
+ (!map_data || !map_data->null_mapped)) {
ret = bio_copy_from_iter(bio, iter);
if (ret)
goto cleanup;
+ } else if (map_data && map_data->from_user) {
+ struct iov_iter iter2 = *iter;
+
+ /* This is the copy-in part of SG_DXFER_TO_FROM_DEV. */
+ iter2.data_source = ITER_SOURCE;
+ ret = bio_copy_from_iter(bio, &iter2);
+ if (ret)
+ goto cleanup;
} else {
if (bmd->is_our_pages)
zero_fill_bio(bio);
--
2.43.0
next prev parent reply other threads:[~2024-02-02 18:39 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-02 18:38 [PATCH AUTOSEL 6.7 01/23] wifi: cfg80211: fix missing interfaces when dumping Sasha Levin
2024-02-02 18:38 ` [PATCH AUTOSEL 6.7 02/23] wifi: mac80211: fix race condition on enabling fast-xmit Sasha Levin
2024-02-02 18:38 ` [PATCH AUTOSEL 6.7 03/23] fbdev: savage: Error out if pixclock equals zero Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 04/23] fbdev: sis: " Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 05/23] dpll: fix broken error path in dpll_pin_alloc(..) Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 06/23] platform/mellanox: mlxbf-tmfifo: Drop Tx network packet when Tx TmFIFO is full Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 07/23] spi: intel-pci: Add support for Arrow Lake SPI serial flash Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 08/23] x86/cpu: Add model number for Intel Clearwater Forest processor Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 09/23] spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected Sasha Levin
2024-02-02 18:39 ` Sasha Levin [this message]
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 11/23] smb: Work around Clang __bdos() type confusion Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 12/23] cifs: cifs_pick_channel should try selecting active channels Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 13/23] cifs: translate network errors on send to -ECONNABORTED Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 14/23] cifs: helper function to check replayable error codes Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 15/23] ahci: asm1166: correct count of reported ports Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 16/23] aoe: avoid potential deadlock at set_capacity Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 17/23] spi: cs42l43: Handle error from devm_pm_runtime_enable Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 18/23] exec: Distinguish in_execve from in_exec Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 19/23] ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers Sasha Levin
2024-02-22 14:58 ` Niklas Cassel
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 20/23] ARM: dts: Fix TPM schema violations Sasha Levin
2024-02-02 19:20 ` Lukas Wunner
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 21/23] drm/amd/display: Disable ips before dc interrupt setting Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 22/23] MIPS: reserve exception vector space ONLY ONCE Sasha Levin
2024-02-02 18:39 ` [PATCH AUTOSEL 6.7 23/23] platform/x86: touchscreen_dmi: Add info for the TECLAST X16 Plus tablet Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240202183926.540467-10-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lk@c--e.de \
--cc=stable@vger.kernel.org \
--cc=syzbot+63dec323ac56c28e644f@syzkaller.appspotmail.com \
--cc=syzbot+a532b03fdfee2c137666@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox