qedf driver, debugfs part of it specifically, touches __user pointers
directly for printing out info to userspace via sprintf(), which may
cause crash like this:
BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
Oops: 0003 [#1] SMP
Call Trace:
[<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
[<ffffffffaa7aa556>] sprintf+0x56/0x80
[<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf]
[<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
[<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
Avoid this by preparing the info in a kernel buffer first, either
allocated on stack for small printouts, or via vmalloc() for big ones,
and then copying it to the userspace properly.
Changes since v1 [1]:
* use scnprintf() for on-stack buffers too
* adjust an on-stack buffer size in qedf_dbg_debug_cmd_read() to be a
multiple of 8, and also size it properly
* accumulate acks and reviews
[1] https://lore.kernel.org/lkml/[email protected]/
Oleksandr Natalenko (3):
scsi: qedf: do not touch __user pointer in
qedf_dbg_stop_io_on_error_cmd_read() directly
scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read()
directly
scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read()
directly
drivers/scsi/qedf/qedf_dbg.h | 2 ++
drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-------------
2 files changed, 23 insertions(+), 14 deletions(-)
--
2.41.0
The qedf_dbg_debug_cmd_read() function invokes sprintf()
directly on a __user pointer, which may crash the kernel.
Avoid doing that by using a small on-stack buffer for scnprintf()
and then calling simple_read_from_buffer() which does a proper
copy_to_user() call.
Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/[email protected]/
Link: https://lore.kernel.org/linux-scsi/[email protected]/
Cc: Saurav Kashyap <[email protected]>
Cc: Rob Evers <[email protected]>
Cc: Johannes Thumshirn <[email protected]>
Cc: David Laight <[email protected]>
Cc: Jozef Bacik <[email protected]>
Cc: Laurence Oberman <[email protected]>
Cc: "James E.J. Bottomley" <[email protected]>
Cc: "Martin K. Petersen" <[email protected]>
Cc: [email protected]
Cc: [email protected]
Reviewed-by: Laurence Oberman <[email protected]>
Reviewed-by: Johannes Thumshirn <[email protected]>
Tested-by: Laurence Oberman <[email protected]>
Acked-by: Saurav Kashyap <[email protected]>
Signed-off-by: Oleksandr Natalenko <[email protected]>
---
drivers/scsi/qedf/qedf_debugfs.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
index 3eb4334ac6a32..1c5716540e465 100644
--- a/drivers/scsi/qedf/qedf_debugfs.c
+++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -138,15 +138,14 @@ qedf_dbg_debug_cmd_read(struct file *filp, char __user *buffer, size_t count,
loff_t *ppos)
{
int cnt;
+ char cbuf[32];
struct qedf_dbg_ctx *qedf_dbg =
(struct qedf_dbg_ctx *)filp->private_data;
QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "debug mask=0x%x\n", qedf_debug);
- cnt = sprintf(buffer, "debug mask = 0x%x\n", qedf_debug);
+ cnt = scnprintf(cbuf, sizeof(cbuf), "debug mask = 0x%x\n", qedf_debug);
- cnt = min_t(int, count, cnt - *ppos);
- *ppos += cnt;
- return cnt;
+ return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
}
static ssize_t
--
2.41.0
The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf()
directly on a __user pointer, which may crash the kernel.
Avoid doing that by using a small on-stack buffer for scnprintf()
and then calling simple_read_from_buffer() which does a proper
copy_to_user() call.
Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/[email protected]/
Link: https://lore.kernel.org/linux-scsi/[email protected]/
Cc: Saurav Kashyap <[email protected]>
Cc: Rob Evers <[email protected]>
Cc: Johannes Thumshirn <[email protected]>
Cc: David Laight <[email protected]>
Cc: Jozef Bacik <[email protected]>
Cc: Laurence Oberman <[email protected]>
Cc: "James E.J. Bottomley" <[email protected]>
Cc: "Martin K. Petersen" <[email protected]>
Cc: [email protected]
Cc: [email protected]
Reviewed-by: Laurence Oberman <[email protected]>
Reviewed-by: Johannes Thumshirn <[email protected]>
Tested-by: Laurence Oberman <[email protected]>
Acked-by: Saurav Kashyap <[email protected]>
Signed-off-by: Oleksandr Natalenko <[email protected]>
---
drivers/scsi/qedf/qedf_debugfs.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
index a3ed681c8ce3f..3eb4334ac6a32 100644
--- a/drivers/scsi/qedf/qedf_debugfs.c
+++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -185,18 +185,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer,
size_t count, loff_t *ppos)
{
int cnt;
+ char cbuf[7];
struct qedf_dbg_ctx *qedf_dbg =
(struct qedf_dbg_ctx *)filp->private_data;
struct qedf_ctx *qedf = container_of(qedf_dbg,
struct qedf_ctx, dbg_ctx);
QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
- cnt = sprintf(buffer, "%s\n",
+ cnt = scnprintf(cbuf, sizeof(cbuf), "%s\n",
qedf->stop_io_on_error ? "true" : "false");
- cnt = min_t(int, count, cnt - *ppos);
- *ppos += cnt;
- return cnt;
+ return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
}
static ssize_t
--
2.41.0
The qedf_dbg_fp_int_cmd_read() function invokes sprintf()
directly on a __user pointer, which may crash the kernel.
Avoid doing that by vmalloc()'ating a buffer for scnprintf()
and then calling simple_read_from_buffer() which does a proper
copy_to_user() call.
Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/[email protected]/
Link: https://lore.kernel.org/linux-scsi/[email protected]/
Cc: Saurav Kashyap <[email protected]>
Cc: Rob Evers <[email protected]>
Cc: Johannes Thumshirn <[email protected]>
Cc: David Laight <[email protected]>
Cc: Jozef Bacik <[email protected]>
Cc: Laurence Oberman <[email protected]>
Cc: "James E.J. Bottomley" <[email protected]>
Cc: "Martin K. Petersen" <[email protected]>
Cc: [email protected]
Cc: [email protected]
Reviewed-by: Laurence Oberman <[email protected]>
Reviewed-by: Johannes Thumshirn <[email protected]>
Tested-by: Laurence Oberman <[email protected]>
Acked-by: Saurav Kashyap <[email protected]>
Signed-off-by: Oleksandr Natalenko <[email protected]>
---
drivers/scsi/qedf/qedf_dbg.h | 2 ++
drivers/scsi/qedf/qedf_debugfs.c | 21 +++++++++++++++------
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/qedf/qedf_dbg.h b/drivers/scsi/qedf/qedf_dbg.h
index f4d81127239eb..5ec2b817c694a 100644
--- a/drivers/scsi/qedf/qedf_dbg.h
+++ b/drivers/scsi/qedf/qedf_dbg.h
@@ -59,6 +59,8 @@ extern uint qedf_debug;
#define QEDF_LOG_NOTICE 0x40000000 /* Notice logs */
#define QEDF_LOG_WARN 0x80000000 /* Warning logs */
+#define QEDF_DEBUGFS_LOG_LEN (2 * PAGE_SIZE)
+
/* Debug context structure */
struct qedf_dbg_ctx {
unsigned int host_no;
diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
index 1c5716540e465..451fd236bfd05 100644
--- a/drivers/scsi/qedf/qedf_debugfs.c
+++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -8,6 +8,7 @@
#include <linux/uaccess.h>
#include <linux/debugfs.h>
#include <linux/module.h>
+#include <linux/vmalloc.h>
#include "qedf.h"
#include "qedf_dbg.h"
@@ -98,7 +99,9 @@ static ssize_t
qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count,
loff_t *ppos)
{
+ ssize_t ret;
size_t cnt = 0;
+ char *cbuf;
int id;
struct qedf_fastpath *fp = NULL;
struct qedf_dbg_ctx *qedf_dbg =
@@ -108,19 +111,25 @@ qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count,
QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
- cnt = sprintf(buffer, "\nFastpath I/O completions\n\n");
+ cbuf = vmalloc(QEDF_DEBUGFS_LOG_LEN);
+ if (!cbuf)
+ return 0;
+
+ cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt, "\nFastpath I/O completions\n\n");
for (id = 0; id < qedf->num_queues; id++) {
fp = &(qedf->fp_array[id]);
if (fp->sb_id == QEDF_SB_ID_NULL)
continue;
- cnt += sprintf((buffer + cnt), "#%d: %lu\n", id,
- fp->completions);
+ cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt,
+ "#%d: %lu\n", id, fp->completions);
}
- cnt = min_t(int, count, cnt - *ppos);
- *ppos += cnt;
- return cnt;
+ ret = simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
+
+ vfree(cbuf);
+
+ return ret;
}
static ssize_t
--
2.41.0
Oleksandr,
> qedf driver, debugfs part of it specifically, touches __user pointers
> directly for printing out info to userspace via sprintf(), which may
> cause crash like this:
Applied to 6.6/scsi-staging, thanks!
--
Martin K. Petersen Oracle Linux Engineering
On Mon, 2023-07-31 at 10:40 +0200, Oleksandr Natalenko wrote:
> qedf driver, debugfs part of it specifically, touches __user pointers
> directly for printing out info to userspace via sprintf(), which may
> cause crash like this:
>
> BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
> IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
> Oops: 0003 [#1] SMP
> Call Trace:
> [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
> [<ffffffffaa7aa556>] sprintf+0x56/0x80
> [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90
> [qedf]
> [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
> [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
>
> Avoid this by preparing the info in a kernel buffer first, either
> allocated on stack for small printouts, or via vmalloc() for big
> ones,
> and then copying it to the userspace properly.
>
> Changes since v1 [1]:
>
> * use scnprintf() for on-stack buffers too
> * adjust an on-stack buffer size in qedf_dbg_debug_cmd_read() to be
> a
> multiple of 8, and also size it properly
> * accumulate acks and reviews
>
> [1]
> https://lore.kernel.org/lkml/[email protected]/
>
> Oleksandr Natalenko (3):
> scsi: qedf: do not touch __user pointer in
> qedf_dbg_stop_io_on_error_cmd_read() directly
> scsi: qedf: do not touch __user pointer in
> qedf_dbg_debug_cmd_read()
> directly
> scsi: qedf: do not touch __user pointer in
> qedf_dbg_fp_int_cmd_read()
> directly
>
> drivers/scsi/qedf/qedf_dbg.h | 2 ++
> drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-----------
> --
> 2 files changed, 23 insertions(+), 14 deletions(-)
>
In case it's needed
For the series v2 against 6.5-rc3
Reviewed-by: Laurence Oberman <[email protected]>
Tested-by: Laurence Oberman <[email protected]>
Test notes
Linux segstorage5 6.5.0-rc3+
[root@segstorage5 qedf]# cd host2
[root@segstorage5 host2]# ls
clear_stats debug driver_stats fp_int io_trace offload_stats
stop_io_on_error
[root@segstorage5 host2]# cat stop_io_on_error
false
[root@segstorage5 host2]# cat fp_int
Fastpath I/O completions
#0: 844
#1: 990
#2: 1036
#3: 1116
#4: 953
#5: 822
#6: 882
#7: 1073
#8: 1030
#9: 992
#10: 789
#11: 705
#12: 490
#13: 532
#14: 646
#15: 705
[root@segstorage5 host2]# cat debug
debug mask = 0x2
On pondělí 31. července 2023 20:43:34 CEST Martin K. Petersen wrote:
>
> Oleksandr,
>
> > qedf driver, debugfs part of it specifically, touches __user pointers
> > directly for printing out info to userspace via sprintf(), which may
> > cause crash like this:
>
> Applied to 6.6/scsi-staging, thanks!
Thank you all.
--
Oleksandr Natalenko (post-factum)
Principal Software Maintenance Engineer
On Mon, 31 Jul 2023 10:40:31 +0200, Oleksandr Natalenko wrote:
> qedf driver, debugfs part of it specifically, touches __user pointers
> directly for printing out info to userspace via sprintf(), which may
> cause crash like this:
>
> BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
> IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
> Oops: 0003 [#1] SMP
> Call Trace:
> [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
> [<ffffffffaa7aa556>] sprintf+0x56/0x80
> [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf]
> [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
> [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
>
> [...]
Applied to 6.6/scsi-queue, thanks!
[1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
https://git.kernel.org/mkp/scsi/c/7d3d20dee4f6
[2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly
https://git.kernel.org/mkp/scsi/c/31b5991a9a91
[3/3] scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
https://git.kernel.org/mkp/scsi/c/25dbc20deab5
--
Martin K. Petersen Oracle Linux Engineering