From: Kees Cook
Date: Mon, 9 Apr 2018 11:32:17 -0700
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To: Oleksandr Natalenko
Cc: David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, LKML, Christoph Hellwig, Jens Axboe, Hannes Reinecke, Johannes Thumshirn, linux-block@vger.kernel.org, paolo.valente@linaro.org
In-Reply-To: <2679696.GDoj5zcZOu@natalenko.name>
References: <10360653.ov98egbaqx@natalenko.name> <2679696.GDoj5zcZOu@natalenko.name>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Apr 8, 2018 at 12:07 PM, Oleksandr Natalenko wrote:
> So far, I wasn't able to trigger this with mq-deadline (or without blk-mq).
> Maybe, this has something to do with blk-mq+BFQ re-queuing, or it's just me
> not being persistent enough.

Ah, this detail I didn't have. I've changed my environment to build with:

CONFIG_BLK_MQ_PCI=y
CONFIG_BLK_MQ_VIRTIO=y
CONFIG_IOSCHED_BFQ=y

boot with scsi_mod.use_blk_mq=1 and select BFQ in the scheduler:

# cat /sys/block/sd?/queue/scheduler
mq-deadline kyber [bfq] none
mq-deadline kyber [bfq] none

Even with this, I'm not seeing anything yet...

> It looks like this code path was re-written completely with 17cb960f29c2, but
> it got merged for the upcoming v4.17 only, and thus I haven't tried it yet.
>
> Kees took a brief look at it already: [1]. This is what smartctl does [2]
> (just a usual strace capture when the bug is not triggered).
>
> Christoph, do you have some idea on why this can happen?
>
> Thanks.
>
> Regards,
>   Oleksandr
>
> [1] https://marc.info/?l=linux-scsi&m=152287333013845&w=2
> [2] https://gist.github.com/pfactum/6f58f8891468aeba1ab2cc9f45668735

The thing I can't figure out is how req->sense is slipping forward in
(and even beyond!) the allocation.

-Kees

-- 
Kees Cook
Pixel Security
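An added helper script, not part of Kees' message or the kernel tree, that checks a box against the reproduction environment his mail describes: blk-mq enabled for SCSI and BFQ shown as the bracketed (active) entry in every sd? device's queue/scheduler file. It assumes the standard sysfs module-parameter path /sys/module/scsi_mod/parameters/use_blk_mq reads "Y" when scsi_mod.use_blk_mq=1 was given at boot; the sysfs root is a parameter so the same checks run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original thread). Verifies the environment
# described in the mail: SCSI on blk-mq and BFQ active on all sd? queues.
# Pass /sys as the root on a real system, or a constructed tree for testing.

# Print the active scheduler from a line in sysfs format,
# e.g. "mq-deadline kyber [bfq] none" -> "bfq" (the bracketed entry).
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# Return 0 when scsi_mod's use_blk_mq parameter reads Y under sysfs root $1
# (assumed path; bool module parameters show as Y/N in sysfs).
scsi_blk_mq_enabled() {
    f=$1/module/scsi_mod/parameters/use_blk_mq
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Return 0 when every sd? queue under sysfs root $1 has scheduler $2 active;
# each mismatch is reported on stderr. Fails when no sd? device exists at all.
verify_scheduler_all() {
    root=$1; want=$2; rc=0; seen=0
    for f in "$root"/block/sd?/queue/scheduler; do
        [ -r "$f" ] || continue
        seen=1
        have=$(active_scheduler "$(cat "$f")")
        if [ "$have" != "$want" ]; then
            echo "$f: active scheduler is '${have:-none}', expected '$want'" >&2
            rc=1
        fi
    done
    [ "$seen" -eq 1 ] && [ "$rc" -eq 0 ]
}
```

Run as `scsi_blk_mq_enabled /sys && verify_scheduler_all /sys bfq` before starting a reproduction attempt, so a negative result is not caused by the scheduler silently being mq-deadline on one disk.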