From: Dmitry Vyukov
Date: Sun, 4 Feb 2018 12:10:58 +0100
Subject: Re: scsi: sg: assorted memory corruptions
To: Eric Biggers
Cc: Ben Hutchings, Tejun Heo, linux-ide@vger.kernel.org, Doug Gilbert, Bart Van Assche, "jejb@linux.vnet.ibm.com", "linux-scsi@vger.kernel.org", "linux-kernel@vger.kernel.org", "martin.petersen@oracle.com", "syzkaller@googlegroups.com"
In-Reply-To: <20180204090710.GA607@zzz.localdomain>
References: <1516638634.2545.0.camel@wdc.com> <097921fa-52c5-8b2b-f564-4b24d9720478@interlog.com> <1517501859.3417.67.camel@codethink.co.uk> <20180204090710.GA607@zzz.localdomain>
List-ID: linux-kernel@vger.kernel.org

On Sun, Feb 4, 2018 at 10:07 AM, Eric Biggers wrote:
> On Thu, Feb 01, 2018 at 05:21:12PM +0100, 'Dmitry Vyukov' via syzkaller wrote:
>> On Thu, Feb 1, 2018 at 5:17 PM, Ben Hutchings wrote:
>> > On Thu, 2018-02-01 at 08:04 +0100, Dmitry Vyukov wrote:
>> >> On Thu, Feb 1, 2018 at 7:03 AM, Douglas Gilbert wrote:
>> >> > On 2018-01-30 07:22 AM, Dmitry Vyukov wrote:
>> > [...]
>> >> > > [1:0:0:0] cd/dvd QEMU QEMU DVD-ROM 2.0. /dev/sr0 /dev/sg1
>> >> > >
>> >> > > # readlink /sys/class/scsi_generic/sg0
>> >> > > ../../devices/pci0000:00/0000:00:01.1/ata1/host0/target0:0:0/0:0:0:0/scsi_generic/sg0
>> >> > >
>> >> > > # cat /sys/class/scsi_generic/sg0/device/vendor
>> >> > > ATA
>> >> >
>> >> > ^^^^^
>> >> > That subsystem is the culprit IMO, most likely libata.
>> >> >
>> >> > Until you can show this test failing on something other than an
>> >> > ATA disk, then I will treat this issue as closed.
>> >>
>> >> Hi Doug,
>> >>
>> >> Why is a bug in ATA not a bug? Is it long unused by everybody? I've got
>> >> it by running qemu with default flags...
>> >
>> > If the bug is in libata then it's not on Doug to fix it since he's only
>> > maintaining sg.
>>
>> Then I think we need to CC ata maintainers rather than treat it as closed.
>> +Tejun, linux-ide@, you can see full thread here:
>> https://groups.google.com/forum/#!topic/syzkaller/9RNr9Gu0MyY
>
> To get memory corruption it's actually sufficient just to submit "1-byte" reads;
> there's no need for the SG_NEXT_CMD_LEN ioctl or anything:
>
> #include <fcntl.h>   /* open(), O_RDWR */
> #include <unistd.h>  /* write() */
>
> int main()
> {
>     int fd = open("/dev/sg0", O_RDWR);
>     /* 36-byte v2 sg_header (all zero), 6-byte CDB at [36..41], 1 data byte at [42] */
>     char buf[43] = { [36] = 0x08 /* READ_6 */ };
>
>     for (;;)
>         write(fd, buf, sizeof(buf));
> }
>
> (where /dev/sg0 is the default QEMU disk type, "82371SB PIIX3 IDE")
>
> The SCSI command descriptor block is the 6 bytes at indices 36-41, so index 42
> is the only data byte.
>
> Also this is a different bug from the crash in ata_bmdma_fill_sg() which is
> fixed by "libata: fix length validation of ATAPI-relayed SCSI commands".
>
> I'm guessing the driver is DMA'ing to somewhere it shouldn't be...

It would be good to add KASAN checks to the DMA code that issues transfers.
This is another case where a silent memory corruption causes dozens of
assorted crashes all over the kernel. If we add checks, KASAN would pinpoint
the exact stack that issues the bad command.
This may be the simplest way to debug this bug as well.

I've filed https://bugzilla.kernel.org/show_bug.cgi?id=198661 for this.
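Added worked example, not code from the thread or from the kernel tree: the C program below rebuilds Eric's 43-byte write() buffer on top of a local copy of the v2 struct sg_header (36 bytes, which is why the CDB sits at index 36) and models the length accounting that sg_write() in drivers/scsi/sg.c does for such a write as I read it: CDB length from the opcode's command group, then dxfer_len and transfer direction from count, reply_len and the header size. Beside that it decodes what the READ(6) CDB itself asks the device for (transfer-length byte 0 means 256 blocks; a 512-byte block size is assumed). The model is mine and should be checked against the sg.c revision you are debugging; its purpose is only to put the two numbers side by side, the 1 data byte the driver will map and the 131072 bytes the CDB requests. Whether that gap is what corrupts memory is exactly what the thread leaves open.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local copy of the v2 sg_header layout, defined here so the example builds
 * without <scsi/sg.h>. 4 ints + one 32-bit bitfield word + 16 sense bytes =
 * 36 bytes, matching the "CDB at indices 36-41" observation above. */
struct sg_header_v2 {
    int pack_len;
    int reply_len;
    int pack_id;
    int result;
    unsigned int twelve_byte:1;
    unsigned int target_status:5;
    unsigned int host_status:8;
    unsigned int driver_status:8;
    unsigned int other_flags:10;
    unsigned char sense_buffer[16];
};
#define SZ_SG_HEADER ((int)sizeof(struct sg_header_v2))

enum { DXFER_NONE, DXFER_TO_DEV, DXFER_FROM_DEV, DXFER_TO_FROM_DEV };

/* CDB length by SCSI command group (top 3 bits of the opcode), the same
 * table COMMAND_SIZE() uses in the kernel. */
static int command_size(unsigned char opcode)
{
    static const int tbl[8] = { 6, 10, 10, 12, 16, 12, 10, 10 };
    return tbl[(opcode >> 5) & 7];
}

struct sg_v2_request {
    int cmd_len;
    int dxfer_direction;
    int dxfer_len;    /* bytes the driver will map for the transfer */
    int data_offset;  /* index of the first data byte in the write() buffer */
};

/* Models (my reading, not the kernel's code) what sg_write() derives from a
 * v2-style write(): assumes reply_len >= 0 (v3 path otherwise) and no
 * pending SG_NEXT_CMD_LEN override. Returns -1 where the kernel returns -EIO. */
int model_sg_write(const unsigned char *buf, size_t count, struct sg_v2_request *out)
{
    struct sg_header_v2 hdr;
    if (count < (size_t)SZ_SG_HEADER)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (count < (size_t)(SZ_SG_HEADER + 6))
        return -1;                          /* shortest CDB is 6 bytes */

    unsigned char opcode = buf[SZ_SG_HEADER];
    int cmd_size = command_size(opcode);
    if (opcode >= 0xc0 && hdr.twelve_byte)
        cmd_size = 12;

    int input_size = (int)count - cmd_size; /* header + data-out bytes */
    int mxsize = input_size > hdr.reply_len ? input_size : hdr.reply_len;
    mxsize -= SZ_SG_HEADER;
    input_size -= SZ_SG_HEADER;
    if (input_size < 0)
        return -1;                          /* not enough bytes for the CDB */

    out->cmd_len = cmd_size;
    out->data_offset = SZ_SG_HEADER + cmd_size;
    if (input_size > 0)
        out->dxfer_direction = hdr.reply_len > SZ_SG_HEADER ? DXFER_TO_FROM_DEV : DXFER_TO_DEV;
    else
        out->dxfer_direction = mxsize > 0 ? DXFER_FROM_DEV : DXFER_NONE;
    out->dxfer_len = mxsize;
    return 0;
}

/* Bytes a READ(6) CDB asks the device to return: byte 4 is the block count
 * and 0 means 256 blocks. block_size is an assumption (512 below). */
long read6_requested_bytes(const unsigned char *cdb, long block_size)
{
    long blocks = cdb[4] ? cdb[4] : 256;
    return blocks * block_size;
}

/* Rebuilds the reproducer's buffer (zeroed header, READ_6 opcode at [36]) and
 * returns requested-by-CDB minus mapped-by-driver, in bytes. */
long reproducer_mismatch(void)
{
    unsigned char buf[43];
    struct sg_v2_request r;
    memset(buf, 0, sizeof buf);
    buf[36] = 0x08;                         /* READ_6 */
    if (model_sg_write(buf, sizeof buf, &r) != 0)
        return -1;
    return read6_requested_bytes(buf + SZ_SG_HEADER, 512) - r.dxfer_len;
}

int main(void)
{
    unsigned char buf[43] = { 0 };
    struct sg_v2_request r;
    buf[36] = 0x08;
    model_sg_write(buf, sizeof buf, &r);
    printf("cmd_len=%d data_offset=%d direction=%d dxfer_len=%d\n",
           r.cmd_len, r.data_offset, r.dxfer_direction, r.dxfer_len);
    printf("READ(6) requests %ld bytes, driver maps %d, gap %ld\n",
           read6_requested_bytes(buf + SZ_SG_HEADER, 512), r.dxfer_len, reproducer_mismatch());
    return 0;
}
```

Dropping the buffer to 42 bytes makes the model report no data transfer at all, and 41 bytes is rejected outright, which is a quick way to see which part of the 43-byte layout each kernel check is looking at.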