Friendly ping... On 2019/12/30 20:17, Zhiqiang Liu wrote: > From: renxudong <renxudong1@xxxxxxxxxx> > > Blk_rq_map_kern func is used to map kernel data to a request, > in which kbuf par should be a valid kernel buffer. However, > kbuf par is only checked whether it is null in blk_rq_map_kern func. > > If users pass a non kernel address to blk_rq_map_kern func in the > non-aligned scenario, the invalid kbuf will be set to bio->bi_private. > When the request is completed, bio_copy_kern_endio_read will be called > to copy data to the kernel address in bio->bi_private. If the bi_private > is not a valid kernel address, the system will oops. In this case, we > cannot judge whether the bio structure is damaged or the kernel address is > invalid. > > Here, we add kernel address validation by calling virt_addr_valid. > > Signed-off-by: renxudong <renxudong1@xxxxxxxxxx> > Reviewed-by: Zhiqiang Liu <liuzhiqiang26@xxxxxxxxxx> > --- > block/blk-map.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/block/blk-map.c b/block/blk-map.c > index 3a62e471d81b..7deb1b44d1e3 100644 > --- a/block/blk-map.c > +++ b/block/blk-map.c > @@ -229,7 +229,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf, > > if (len > (queue_max_hw_sectors(q) << 9)) > return -EINVAL; > - if (!len || !kbuf) > + if (!len || !virt_addr_valid(kbuf)) > return -EINVAL; > > do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf); >
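Review bot: In the replaced check, `!virt_addr_valid(kbuf)` rejects more than non-kernel pointers, and that conflicts with the `object_is_on_stack(kbuf)` test in the unchanged context line just below it. That context line shows on-stack buffers are an expected input that gets bounce-copied. With vmap'd kernel stacks (CONFIG_VMAP_STACK) a stack address lies in the vmalloc range, where virt_addr_valid() is false, so those callers would now get -EINVAL. Any vmalloc'd kbuf would be rejected the same way. The check also validates only the first byte of the buffer and says nothing about `kbuf + len - 1`. Suggest keeping `!kbuf` as its own test, stating in the commit message and the function's kernel-doc which address classes are meant to be accepted, and deciding whether stack and vmalloc buffers should still reach the copy path before the address is stored in bio->bi_private.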