James, Martin,
no one replied for 2 weeks, could you please pick up this patch?

According to Network guru sendpage must not be called for Slab objects.
Unfortunately this happens in real life, for example when XFS sends metadata
via a network block device. Some such cases -- drbd and ceph -- already
have a PageSlab() check, however iscsi still lacks it.

It triggered a host crash during internal OpenVZ tests,
the fixed kernel passed this test successfully.

This patch forces iscsi_tcp_segment_map() to set up segment->data for Slab pages
and it switches iscsi_sw_tcp_xmit_segment() to use sendmsg instead of sendpage.

Thank you,
Vasily Averin

On 2/21/19 6:23 PM, Vasily Averin wrote:
> In "XFS over network block device" scenario XFS can create IO requests
> with slab-based XFS metadata. During processing such requests
> tcp_sendpage() can merge skb fragments with neighbour slab objects.
>
> If receiving side is located on the same host tcp_recvmsg() can trigger
> BUG_ON in hardening check and crash the host with following message:
>
> usercopy: kernel memory exposure attempt detected
> from XXXXXXXX (kmalloc-512) (1024 bytes)
>
> This patch redirects such requests from sendpage to sendmsg path.
> The problem is similar to one described in recent commit 7e241f647dc7
> ("libceph: fall back to sendmsg for slab pages")
>
> Signed-off-by: Vasily Averin <vvs@xxxxxxxxxxxxx>
> ---
> drivers/scsi/libiscsi_tcp.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/scsi/libiscsi_tcp.c b/drivers/scsi/libiscsi_tcp.c
> index 8a6b1b3f8277..66d97d3bef5a 100644
> --- a/drivers/scsi/libiscsi_tcp.c
> +++ b/drivers/scsi/libiscsi_tcp.c
> @@ -129,12 +129,17 @@ static void iscsi_tcp_segment_map(struct iscsi_segment *segment, int recv) > BUG_ON(sg->length == 0); > > /* > + * We always map for the recv path. > + * > * If the page count is greater than one it is ok to send > * to the network layer's zero copy send path. If not we > - * have to go the slow sendmsg path. We always map for the > - * recv path. > + * have to go the slow sendmsg path. > + * > + * Same goes for slab pages: skb_can_coalesce() allows > + * coalescing neighboring slab objects into a single frag which > + * triggers one of hardened usercopy checks. > */ > - if (page_count(sg_page(sg)) >= 1 && !recv) > + if (!recv && page_count(sg_page(sg)) >= 1 && !PageSlab(sg_page(sg))) > return; > > if (recv) { >
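Review bot: the comment in iscsi_tcp_segment_map() still says the zero-copy path is fine "if the page count is greater than one", but the condition tests "page_count(sg_page(sg)) >= 1", so the wording and the check disagree, and after this change the decision on the send path effectively rests on "!recv" and "!PageSlab(sg_page(sg))". Please make the comment match the test (for example "at least one") so a later reader does not mistake the page-count test for the slab guard. sg_page(sg) is also evaluated twice in the new condition; a local "struct page *page = sg_page(sg);" would keep the line short. Since the diffstat touches only libiscsi_tcp.c, the changelog should say in one sentence how mapping segment->data here is what moves the transmit side onto sendmsg, because that link is not visible from this hunk.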