Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
On Wed, Jan 04, 2017 at 08:25:05AM +0300, Christoph Hellwig wrote: > Most users of BLOCK_PC requests allocate the sense buffer on the stack, > so to avoid DMA to the stack copy them to a field in the heap allocated > virtblk_req structure. Without that any attempt at SCSI passthrough I/O, > including the SG_IO ioctl from userspace will crash the kernel. Note that > this includes running tools like hdparm even when the host does not have > SCSI passthrough enabled. > > Signed-off-by: Christoph Hellwig > --- > drivers/block/virtio_blk.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c > index 5545a67..3c3b8f6 100644 > --- a/drivers/block/virtio_blk.c > +++ b/drivers/block/virtio_blk.c > @@ -56,6 +56,7 @@ struct virtblk_req { > struct virtio_blk_outhdr out_hdr; > struct virtio_scsi_inhdr in_hdr; > u8 status; > + u8 sense[SCSI_SENSE_BUFFERSIZE]; > struct scatterlist sg[]; > }; > > @@ -102,7 +103,8 @@ static int __virtblk_add_req(struct virtqueue *vq, > } > > if (type == cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_SCSI_CMD)) { > - sg_init_one(&sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); > + memcpy(vbr->sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); > + sg_init_one(&sense, vbr->sense, SCSI_SENSE_BUFFERSIZE); I would prefer sizeof(vbr->sense) here to avoid duplication. Otherwise: Acked-by: Michael S. Tsirkin > sgs[num_out + num_in++] = &sense; > sg_init_one(&inhdr, &vbr->in_hdr, sizeof(vbr->in_hdr)); > sgs[num_out + num_in++] = &inhdr; > -- > 2.1.4
Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
On 01/09/2017 06:35 AM, Christoph Hellwig wrote: > Is someone going to pick the patch up and send it to Linus? I keep > running into all kinds of boot failures whenever I forget to cherry > pick it into my development trees.. I'll add it. -- Jens Axboe
Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
Is someone going to pick the patch up and send it to Linus? I keep running into all kinds of boot failures whenever I forget to cherry pick it into my development trees..
Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
On Thu, Jan 05, 2017 at 11:37:46AM +0100, 王金浦 wrote: > Thanks, so it's only relevant to kernel > 4.9, as CONFIG_VMAP_STACK > only introduced in 4.9 kernel. kernel >= 4.9, but otherwise, yes.
Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
2017-01-05 10:57 GMT+01:00 Christoph Hellwig : > On Wed, Jan 04, 2017 at 04:47:03PM +0100, 王金浦 wrote: >> This sounds scary. >> Could you share how to reproduce it, this should go into stable if >> it's the case. > > Step 1: Build your kernel with CONFIG_VMAP_STACK=y > Step 2: issue a SG_IO ioctl, e.g. sg_inq /dev/vda > Thanks, so it's only relevant to kernel > 4.9, as CONFIG_VMAP_STACK only introduced in 4.9 kernel. Regards, Jinpu
Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
On Wed, Jan 04, 2017 at 04:47:03PM +0100, 王金浦 wrote: > This sounds scary. > Could you share how to reproduce it, this should go into stable if > it's the case. Step 1: Build your kernel with CONFIG_VMAP_STACK=y Step 2: issue a SG_IO ioctl, e.g. sg_inq /dev/vda
Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
Hi Christoph, 2017-01-04 6:25 GMT+01:00 Christoph Hellwig : > Most users of BLOCK_PC requests allocate the sense buffer on the stack, > so to avoid DMA to the stack copy them to a field in the heap allocated > virtblk_req structure. Without that any attempt at SCSI passthrough I/O, > including the SG_IO ioctl from userspace will crash the kernel. Note that > this includes running tools like hdparm even when the host does not have > SCSI passthrough enabled. This sounds scary. Could you share how to reproduce it, this should go into stable if it's the case. Thanks, Jinpu > > Signed-off-by: Christoph Hellwig > --- > drivers/block/virtio_blk.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c > index 5545a67..3c3b8f6 100644 > --- a/drivers/block/virtio_blk.c > +++ b/drivers/block/virtio_blk.c > @@ -56,6 +56,7 @@ struct virtblk_req { > struct virtio_blk_outhdr out_hdr; > struct virtio_scsi_inhdr in_hdr; > u8 status; > + u8 sense[SCSI_SENSE_BUFFERSIZE]; > struct scatterlist sg[]; > }; > > @@ -102,7 +103,8 @@ static int __virtblk_add_req(struct virtqueue *vq, > } > > if (type == cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_SCSI_CMD)) { > - sg_init_one(&sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); > + memcpy(vbr->sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); > + sg_init_one(&sense, vbr->sense, SCSI_SENSE_BUFFERSIZE); > sgs[num_out + num_in++] = &sense; > sg_init_one(&inhdr, &vbr->in_hdr, sizeof(vbr->in_hdr)); > sgs[num_out + num_in++] = &inhdr; > -- > 2.1.4 >
Re: [PATCH] virtio_blk: avoid DMA to stack for the sense buffer
On 2017年01月04日 13:25, Christoph Hellwig wrote: Most users of BLOCK_PC requests allocate the sense buffer on the stack, so to avoid DMA to the stack copy them to a field in the heap allocated virtblk_req structure. Without that any attempt at SCSI passthrough I/O, including the SG_IO ioctl from userspace will crash the kernel. Note that this includes running tools like hdparm even when the host does not have SCSI passthrough enabled. Signed-off-by: Christoph Hellwig --- drivers/block/virtio_blk.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index 5545a67..3c3b8f6 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -56,6 +56,7 @@ struct virtblk_req { struct virtio_blk_outhdr out_hdr; struct virtio_scsi_inhdr in_hdr; u8 status; + u8 sense[SCSI_SENSE_BUFFERSIZE]; struct scatterlist sg[]; }; @@ -102,7 +103,8 @@ static int __virtblk_add_req(struct virtqueue *vq, } if (type == cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_SCSI_CMD)) { - sg_init_one(&sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); + memcpy(vbr->sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); + sg_init_one(&sense, vbr->sense, SCSI_SENSE_BUFFERSIZE); sgs[num_out + num_in++] = &sense; sg_init_one(&inhdr, &vbr->in_hdr, sizeof(vbr->in_hdr)); sgs[num_out + num_in++] = &inhdr; Acked-by: Jason Wang
[PATCH] virtio_blk: avoid DMA to stack for the sense buffer
Most users of BLOCK_PC requests allocate the sense buffer on the stack, so to avoid DMA to the stack copy them to a field in the heap allocated virtblk_req structure. Without that any attempt at SCSI passthrough I/O, including the SG_IO ioctl from userspace will crash the kernel. Note that this includes running tools like hdparm even when the host does not have SCSI passthrough enabled. Signed-off-by: Christoph Hellwig --- drivers/block/virtio_blk.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index 5545a67..3c3b8f6 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -56,6 +56,7 @@ struct virtblk_req { struct virtio_blk_outhdr out_hdr; struct virtio_scsi_inhdr in_hdr; u8 status; + u8 sense[SCSI_SENSE_BUFFERSIZE]; struct scatterlist sg[]; }; @@ -102,7 +103,8 @@ static int __virtblk_add_req(struct virtqueue *vq, } if (type == cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_SCSI_CMD)) { - sg_init_one(&sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); + memcpy(vbr->sense, vbr->req->sense, SCSI_SENSE_BUFFERSIZE); + sg_init_one(&sense, vbr->sense, SCSI_SENSE_BUFFERSIZE); sgs[num_out + num_in++] = &sense; sg_init_one(&inhdr, &vbr->in_hdr, sizeof(vbr->in_hdr)); sgs[num_out + num_in++] = &inhdr; -- 2.1.4