scsi: libiscsi: fall back to sendmsg for slab pages

mainline inclusion
from mainline-5.1-rc1
commit 08b11eac
category: bugfix
bugzilla: 12854
CVE: NA

-------------------------------------------------

In "XFS over network block device" scenario XFS can create IO requests with
slab-based XFS metadata. During processing such requests tcp_sendpage() can
merge skb fragments with neighbour slab objects.

If receiving side is located on the same host tcp_recvmsg() can trigger
BUG_ON in hardening check and crash the host with following message:

usercopy: kernel memory exposure attempt detected
		from XXXXXXXX (kmalloc-512) (1024 bytes)

This patch redirect such requests from sednpage to sendmsg path.  The
problem is similar to one described in recent commit 7e241f64
("libceph: fall back to sendmsg for slab pages")
Signed-off-by: NVasily Averin <vvs@virtuozzo.com>
Acked-by: NChris Leech <cleech@redhat.com>
Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Nzheng liang <zhengliang6@huawei.com>
Reviewed-by: NJason Yan <yanaijie@huawei.com>
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>

drivers/scsi/libiscsi_tcp.c

@@ -125,12 +125,17 @@ static void iscsi_tcp_segment_map(struct iscsi_segment *segment, int recv)
 	BUG_ON(sg->length == 0);
 
 	/*
+	 * We always map for the recv path.
+	 *
 	 * If the page count is greater than one it is ok to send
 	 * to the network layer's zero copy send path. If not we
-	 * have to go the slow sendmsg path. We always map for the
-	 * recv path.
+	 * have to go the slow sendmsg path.
+	 *
+	 * Same goes for slab pages: skb_can_coalesce() allows
+	 * coalescing neighboring slab objects into a single frag which
+	 * triggers one of hardened usercopy checks.
 	 */
-	if (page_count(sg_page(sg)) >= 1 && !recv)
+	if (!recv && page_count(sg_page(sg)) >= 1 && !PageSlab(sg_page(sg)))
 		return;
 
 	if (recv) {