From: renxudong <renxudong1@xxxxxxxxxx> Blk_rq_map_kern func is used to map kernel data to a request, in which kbuf par should be a valid kernel buffer. However, kbuf par is only checked whether it is null in blk_rq_map_kern func. If users pass a non kernel address to blk_rq_map_kern func in the non-aligned scenario, the invalid kbuf will be set to bio->bi_private. When the request is completed, bio_copy_kern_endio_read will be called to copy data to the kernel address in bio->bi_private. If the bi_private is not a valid kernel address, the system will oops. In this case, we cannot judge whether the bio structure is damaged or the kernel address is invalid. Here, we add kernel address validation by calling virt_addr_valid. Signed-off-by: renxudong <renxudong1@xxxxxxxxxx> Reviewed-by: Zhiqiang Liu <liuzhiqiang26@xxxxxxxxxx> --- block/blk-map.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/blk-map.c b/block/blk-map.c index 3a62e471d81b..7deb1b44d1e3 100644 --- a/block/blk-map.c +++ b/block/blk-map.c @@ -229,7 +229,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf, if (len > (queue_max_hw_sectors(q) << 9)) return -EINVAL; - if (!len || !kbuf) + if (!len || !virt_addr_valid(kbuf)) return -EINVAL; do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf); -- 2.24.0.windows.2
