qedf driver, debugfs part of it specifically, touches __user pointers directly for printing out info to userspace via sprintf(), which may cause crash like this: BUG: unable to handle kernel paging request at 00007ffd1d6b43a0 IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0 Oops: 0003 [#1] SMP Call Trace: [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0 [<ffffffffaa7aa556>] sprintf+0x56/0x80 [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf] [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170 [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0 Avoid this by preparing the info in a kernel buffer first, either allocated on stack for small printouts, or via vmalloc() for big ones, and then copying it to the userspace properly. Previous submission is an RFC: [1]. There are no code changes since then. The RFC prefix is dropped. The Tested-by tag from Laurence is added. There's similar submission from Saurav [2], but we agreed I could nack it and proceed with my one. [1] https://lore.kernel.org/linux-scsi/20230724120241.40495-1-oleksandr@xxxxxxxxxx/ [2] https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@xxxxxxxxxxx/ Oleksandr Natalenko (3): scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly drivers/scsi/qedf/qedf_dbg.h | 2 ++ drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++------------- 2 files changed, 23 insertions(+), 14 deletions(-) -- 2.41.0
