From db3304911eaff8ed0473dde51eebf68dc50495f2 Mon Sep 17 00:00:00 2001
From: Vasily Averin
Date: Wed, 27 Mar 2019 22:32:11 +0800
Subject: [PATCH] scsi: libiscsi: fall back to sendmsg for slab pages

mainline inclusion
from mainline-5.1-rc1
commit 08b11eaccfcf86a3bac6755625d933ac15ccc27a
category: bugfix
bugzilla: 12854
CVE: NA

-------------------------------------------------

In the "XFS over network block device" scenario, XFS can create IO requests
with slab-based XFS metadata. While processing such requests, tcp_sendpage()
can merge skb fragments with neighbouring slab objects. If the receiving side
is located on the same host, tcp_recvmsg() can trigger a BUG_ON in the
hardening check and crash the host with the following message:

usercopy: kernel memory exposure attempt detected from XXXXXXXX (kmalloc-512) (1024 bytes)

This patch redirects such requests from the sendpage to the sendmsg path.

The problem is similar to the one described in recent commit 7e241f647dc7
("libceph: fall back to sendmsg for slab pages")

Signed-off-by: Vasily Averin
Acked-by: Chris Leech
Signed-off-by: Martin K. Petersen
Signed-off-by: zheng liang
Reviewed-by: Jason Yan
Signed-off-by: Yang Yingliang
---
 drivers/scsi/libiscsi_tcp.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/libiscsi_tcp.c b/drivers/scsi/libiscsi_tcp.c
index 4fcb9e65be57..b88ea3ebd096 100644
--- a/drivers/scsi/libiscsi_tcp.c
+++ b/drivers/scsi/libiscsi_tcp.c
@@ -125,12 +125,17 @@ static void iscsi_tcp_segment_map(struct iscsi_segment *segment, int recv) BUG_ON(sg->length == 0); /* + * We always map for the recv path. + * * If the page count is greater than one it is ok to send * to the network layer's zero copy send path. If not we - * have to go the slow sendmsg path. We always map for the - * recv path. + * have to go the slow sendmsg path. + * + * Same goes for slab pages: skb_can_coalesce() allows + * coalescing neighboring slab objects into a single frag which + * triggers one of hardened usercopy checks. */ - if (page_count(sg_page(sg)) >= 1 && !recv) + if (!recv && page_count(sg_page(sg)) >= 1 && !PageSlab(sg_page(sg))) return; if (recv) { -- GitLab
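Review bot: The rewritten comment in iscsi_tcp_segment_map() still says the zero copy send path is fine when "the page count is greater than one", while the changed if line tests page_count(sg_page(sg)) >= 1, so comment and code disagree about the threshold. Since this hunk already rewrites the comment, align the wording with the test (or the test with the wording) in the same change. "Same goes for slab pages" is also ambiguous about which of the two preceding sentences it refers to; stating directly that slab pages must take the sendmsg path would read better. As a style point, the condition now calls sg_page(sg) twice; a local struct page pointer assigned once before the if would shorten the line and make the two page checks read as one predicate.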