mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-12 08:09:56 +00:00
scsi: libiscsi: fall back to sendmsg for slab pages
In "XFS over network block device" scenario XFS can create IO requests with slab-based XFS metadata. During processing such requests tcp_sendpage() can merge skb fragments with neighbour slab objects. If receiving side is located on the same host tcp_recvmsg() can trigger BUG_ON in hardening check and crash the host with following message: usercopy: kernel memory exposure attempt detected from XXXXXXXX (kmalloc-512) (1024 bytes) This patch redirect such requests from sednpage to sendmsg path. The problem is similar to one described in recent commit 7e241f647dc7 ("libceph: fall back to sendmsg for slab pages") Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Acked-by: Chris Leech <cleech@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
This commit is contained in:
parent
038d710fca
commit
08b11eaccf
@ -129,12 +129,17 @@ static void iscsi_tcp_segment_map(struct iscsi_segment *segment, int recv)
|
||||
BUG_ON(sg->length == 0);
|
||||
|
||||
/*
|
||||
* We always map for the recv path.
|
||||
*
|
||||
* If the page count is greater than one it is ok to send
|
||||
* to the network layer's zero copy send path. If not we
|
||||
* have to go the slow sendmsg path. We always map for the
|
||||
* recv path.
|
||||
* have to go the slow sendmsg path.
|
||||
*
|
||||
* Same goes for slab pages: skb_can_coalesce() allows
|
||||
* coalescing neighboring slab objects into a single frag which
|
||||
* triggers one of hardened usercopy checks.
|
||||
*/
|
||||
if (page_count(sg_page(sg)) >= 1 && !recv)
|
||||
if (!recv && page_count(sg_page(sg)) >= 1 && !PageSlab(sg_page(sg)))
|
||||
return;
|
||||
|
||||
if (recv) {
|
||||
|
Loading…
x
Reference in New Issue
Block a user