From patchwork Tue Dec 19 10:03:54 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mike Christie <mchristi@redhat.com>
X-Patchwork-Id: 10122921
Return-Path: <target-devel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	E1ED36019C for <patchwork-target-devel@patchwork.kernel.org>;
	Tue, 19 Dec 2017 10:04:24 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D205A2905F
	for <patchwork-target-devel@patchwork.kernel.org>;
	Tue, 19 Dec 2017 10:04:24 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id C6EA3290FB; Tue, 19 Dec 2017 10:04:24 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6F0BB290EE
	for <patchwork-target-devel@patchwork.kernel.org>;
	Tue, 19 Dec 2017 10:04:24 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S934699AbdLSKEX (ORCPT
	<rfc822;patchwork-target-devel@patchwork.kernel.org>);
	Tue, 19 Dec 2017 05:04:23 -0500
Received: from mx1.redhat.com ([209.132.183.28]:1366 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S934653AbdLSKEB (ORCPT <rfc822;target-devel@vger.kernel.org>);
	Tue, 19 Dec 2017 05:04:01 -0500
Received: from smtp.corp.redhat.com
	(int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id C42F5C059741;
	Tue, 19 Dec 2017 10:04:01 +0000 (UTC)
Received: from rh2.redhat.com (ovpn-120-112.rdu2.redhat.com [10.10.120.112])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 23C1A17D06;
	Tue, 19 Dec 2017 10:04:01 +0000 (UTC)
From: Mike Christie <mchristi@redhat.com>
To: target-devel@vger.kernel.org, nab@linux-iscsi.org
Cc: Mike Christie <mchristi@redhat.com>
Subject: [PATCH 1/5] tcmu: prevent corruption when invalid data page
	requested
Date: Tue, 19 Dec 2017 04:03:54 -0600
Message-Id: <1513677838-6675-2-git-send-email-mchristi@redhat.com>
In-Reply-To: <1513677838-6675-1-git-send-email-mchristi@redhat.com>
References: <1513677838-6675-1-git-send-email-mchristi@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
	(mx1.redhat.com [10.5.110.32]);
	Tue, 19 Dec 2017 10:04:01 +0000 (UTC)
Sender: target-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <target-devel.vger.kernel.org>
X-Mailing-List: target-devel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

We will always have a page mapped for cmd data if it is
valid command. If the mapping does not exist then something
bad happened in userspace and it should not proceed. This
has us return VM_FAULT_SIGBUS when this happens instead of
returning a freshly allocated paged. The latter can cause
corruption because userspace might write the pages data
overwriting valid data or return it to the initiator.

Signed-off-by: Mike Christie <mchristi@redhat.com>
---
 drivers/target/target_core_user.c | 43 ++++++---------------------------------
 1 file changed, 6 insertions(+), 37 deletions(-)

diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index bac08bc..a746fed 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1342,7 +1342,6 @@ static int tcmu_find_mem_index(struct vm_area_struct *vma)
 static struct page *tcmu_try_get_block_page(struct tcmu_dev *udev, uint32_t dbi)
 {
 	struct page *page;
-	int ret;
 
 	mutex_lock(&udev->cmdr_lock);
 	page = tcmu_get_block_page(udev, dbi);
@@ -1352,42 +1351,12 @@ static struct page *tcmu_try_get_block_page(struct tcmu_dev *udev, uint32_t dbi)
 	}
 
 	/*
-	 * Normally it shouldn't be here:
-	 * Only when the userspace has touched the blocks which
-	 * are out of the tcmu_cmd's data iov[], and will return
-	 * one zeroed page.
+	 * Userspace messed up and passed in a address not in the
+	 * data iov passed to it.
 	 */
-	pr_warn("Block(%u) out of cmd's iov[] has been touched!\n", dbi);
-	pr_warn("Mostly it will be a bug of userspace, please have a check!\n");
-
-	if (dbi >= udev->dbi_thresh) {
-		/* Extern the udev->dbi_thresh to dbi + 1 */
-		udev->dbi_thresh = dbi + 1;
-		udev->dbi_max = dbi;
-	}
-
-	page = radix_tree_lookup(&udev->data_blocks, dbi);
-	if (!page) {
-		page = alloc_page(GFP_KERNEL | __GFP_ZERO);
-		if (!page) {
-			mutex_unlock(&udev->cmdr_lock);
-			return NULL;
-		}
-
-		ret = radix_tree_insert(&udev->data_blocks, dbi, page);
-		if (ret) {
-			mutex_unlock(&udev->cmdr_lock);
-			__free_page(page);
-			return NULL;
-		}
-
-		/*
-		 * Since this case is rare in page fault routine, here we
-		 * will allow the global_db_count >= tcmu_global_max_blocks
-		 * to reduce possible page fault call trace.
-		 */
-		atomic_inc(&global_db_count);
-	}
+	pr_err("Invalid addr to data block mapping  (dbi %u) on device %s\n",
+	       dbi, udev->name);
+	page = NULL;
 	mutex_unlock(&udev->cmdr_lock);
 
 	return page;
@@ -1422,7 +1391,7 @@ static int tcmu_vma_fault(struct vm_fault *vmf)
 		dbi = (offset - udev->data_off) / DATA_BLOCK_SIZE;
 		page = tcmu_try_get_block_page(udev, dbi);
 		if (!page)
-			return VM_FAULT_NOPAGE;
+			return VM_FAULT_SIGBUS;
 	}
 
 	get_page(page);