Commit a7c9fa7f authored Apr 16, 2026 by Ming Lei Committed by Jens Axboe Apr 17, 2026

ublk: use unchecked copy helpers for bio page data



Bio pages may originate from slab caches that lack a usercopy region
(e.g. jbd2 frozen metadata buffers allocated via jbd2_alloc()).
When CONFIG_HARDENED_USERCOPY is enabled, copy_to_iter() calls
check_copy_size() which rejects these slab pages, triggering a
kernel BUG in usercopy_abort().

This is a false positive: the data is ordinary block I/O content —
the same data the loop driver writes to its backing file via
vfs_iter_write().  The bvec length is always trusted, so the size
check in check_copy_size() is not needed either.

Switch to _copy_to_iter()/_copy_from_iter() which skip the
check_copy_size() wrapper while the underlying copy_to_user()
remains unchanged.

Acked-by: Caleb Sander Mateos <csander@purestorage.com>
Fixes: 2299ceec ("ublk: use copy_{to,from}_iter() for user copy")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://patch.msgid.link/20260415230246.808176-1-tom.leiming@gmail.com


Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent 2f501546

drivers/block/ublk_drv.c

+10 −2

Original line number	Diff line number	Diff line
		@@ -1319,10 +1319,18 @@ static bool ublk_copy_user_bvec(const struct bio_vec bv, unsigned offset,

		len = bv->bv_len - *offset;
		bv_buf = kmap_local_page(bv->bv_page) + bv->bv_offset + *offset;
		/*
		* Bio pages may originate from slab caches without a usercopy region
		* (e.g. jbd2 frozen metadata buffers). This is the same data that
		* the loop driver writes to its backing file — no exposure risk.
		* The bvec length is always trusted, so the size check in
		* check_copy_size() is not needed either. Use the unchecked
		* helpers to avoid false positives on slab pages.
		*/
		if (dir == ITER_DEST)
		copied = copy_to_iter(bv_buf, len, uiter);
		copied = _copy_to_iter(bv_buf, len, uiter);
		else
		copied = copy_from_iter(bv_buf, len, uiter);
		copied = _copy_from_iter(bv_buf, len, uiter);

		kunmap_local(bv_buf);