From: Kees Cook
Date: Mon, 16 Apr 2018 13:44:01 -0700
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To: Oleksandr Natalenko, Jens Axboe, Bart Van Assche
Cc: David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, LKML, Christoph Hellwig, Hannes Reinecke, Johannes Thumshirn, linux-block@vger.kernel.org, paolo.valente@linaro.org
References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 12, 2018 at 8:02 PM, Kees Cook wrote:
> On Thu, Apr 12, 2018 at 3:47 PM, Kees Cook wrote:
>> After fixing up some build issues in the middle of the 4.16 cycle, I
>> get an unhelpful bisect result of commit 0a4b6e2f80aa ("Merge branch
>> 'for-4.16/block'"). Instead of letting the test run longer, I'm going
>> to switch to doing several shorter test boots per kernel and see if
>> that helps. One more bisect coming...
>
> Okay, so I can confirm the bisect points at the _merge_ itself, not a
> specific patch. I'm not sure how to proceed here. It looks like some
> kind of interaction between separate trees? Jens, do you have
> suggestions on how to track this down?

Turning off HARDENED_USERCOPY and turning on KASAN, I see the same report:

[   38.274106] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x42/0x60
[   38.274841] Read of size 22 at addr ffff8800122b8c4b by task smartctl/1064
[   38.275630]
[   38.275818] CPU: 2 PID: 1064 Comm: smartctl Not tainted 4.17.0-rc1-ARCH+ #266
[   38.276631] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   38.277690] Call Trace:
[   38.277988]  dump_stack+0x71/0xab
[   38.278397]  ? _copy_to_user+0x42/0x60
[   38.278833]  print_address_description+0x6a/0x270
[   38.279368]  ? _copy_to_user+0x42/0x60
[   38.279800]  kasan_report+0x243/0x360
[   38.280221]  _copy_to_user+0x42/0x60
[   38.280635]  sg_io+0x459/0x660
...
Though we get slightly more details (some we already knew):

[   38.301330] Allocated by task 329:
[   38.301734]  kmem_cache_alloc_node+0xca/0x220
[   38.302239]  scsi_mq_init_request+0x64/0x130 [scsi_mod]
[   38.302821]  blk_mq_alloc_rqs+0x2cf/0x370
[   38.303265]  blk_mq_sched_alloc_tags.isra.4+0x7d/0xb0
[   38.303820]  blk_mq_init_sched+0xf0/0x220
[   38.304268]  elevator_switch+0x17a/0x2c0
[   38.304705]  elv_iosched_store+0x173/0x220
[   38.305171]  queue_attr_store+0x72/0xb0
[   38.305602]  kernfs_fop_write+0x188/0x220
[   38.306049]  __vfs_write+0xb6/0x330
[   38.306436]  vfs_write+0xe9/0x240
[   38.306804]  ksys_write+0x98/0x110
[   38.307181]  do_syscall_64+0x6d/0x1d0
[   38.307590]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   38.308142]
[   38.308316] Freed by task 0:
[   38.308652]  (stack is not available)
[   38.309060]
[   38.309243] The buggy address belongs to the object at ffff8800122b8c00
[   38.309243]  which belongs to the cache scsi_sense_cache of size 96
[   38.310625] The buggy address is located 75 bytes inside of
[   38.310625]  96-byte region [ffff8800122b8c00, ffff8800122b8c60)

-Kees

-- 
Kees Cook
Pixel Security
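The report above says the 22-byte copy starts 75 bytes into a 96-byte scsi_sense_cache object, which is exactly the kind of copy a usercopy whitelist check is meant to catch. The following is an added, user-space model of such a check (illustration only, not Kees Cook's code and not the kernel's __check_heap_object). It keeps a per-cache whitelist in the style of kmem_cache_create_usercopy(), rejects copies that run past the object before it even consults the whitelist, and reports how many bytes an overrun would spill. The object size (96) and the addresses come from the KASAN report; the scsi_sense_cache whitelist bounds (whole object) and the second, partially-whitelisted cache are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative user-space model of a slab cache with a usercopy whitelist,
 * in the spirit of the kernel's kmem_cache_create_usercopy(): only the bytes
 * [useroffset, useroffset + usersize) of each object may be copied to or
 * from user space. This is example code, not the kernel's implementation. */
struct cache_model {
    const char *name;
    size_t object_size; /* size of every object in the cache */
    size_t useroffset;  /* start of the whitelisted region inside an object */
    size_t usersize;    /* length of the whitelisted region */
};

enum usercopy_verdict {
    USERCOPY_OK = 0,
    USERCOPY_OUTSIDE_OBJECT,   /* copy starts before or runs past the object */
    USERCOPY_OUTSIDE_WHITELIST /* copy fits the object but not its whitelist */
};

/* Assumed model of scsi_sense_cache: 96-byte objects (size from the report),
 * whole object whitelisted. The whitelist bounds are an assumption made for
 * this example, not taken from the kernel source. */
static const struct cache_model scsi_sense_model = {
    "scsi_sense_cache", 96, 0, 96
};

/* Constructed cache where only the first 64 bytes are whitelisted, to show a
 * copy that fits the object but is still rejected. */
static const struct cache_model partial_whitelist_model = {
    "partial_whitelist_cache", 96, 0, 64
};

/* Number of bytes a copy of n bytes at ptr would run past the end of the
 * object at obj_base; 0 when the copy fits (or starts before the object,
 * which check_usercopy() reports separately). */
static size_t usercopy_overrun(const struct cache_model *c, uint64_t obj_base,
                               uint64_t ptr, size_t n)
{
    if (ptr < obj_base)
        return 0;
    uint64_t end = (ptr - obj_base) + n; /* offset of first byte past the copy */
    return end > c->object_size ? (size_t)(end - c->object_size) : 0;
}

/* Check a copy of n bytes starting at ptr against the object at obj_base.
 * Works on offsets rather than raw pointers so an overrun cannot wrap around.
 * Order of checks: object bounds first, then the whitelist. */
static enum usercopy_verdict
check_usercopy(const struct cache_model *c, uint64_t obj_base,
               uint64_t ptr, size_t n)
{
    if (ptr < obj_base || ptr - obj_base > c->object_size)
        return USERCOPY_OUTSIDE_OBJECT;
    size_t offset = (size_t)(ptr - obj_base);
    if (n > c->object_size - offset)          /* would run past the object */
        return USERCOPY_OUTSIDE_OBJECT;
    if (offset < c->useroffset)               /* starts before the whitelist */
        return USERCOPY_OUTSIDE_WHITELIST;
    if (offset - c->useroffset + n > c->usersize) /* ends after the whitelist */
        return USERCOPY_OUTSIDE_WHITELIST;
    return USERCOPY_OK;
}

static const char *verdict_name(enum usercopy_verdict v)
{
    switch (v) {
    case USERCOPY_OK:                return "ok";
    case USERCOPY_OUTSIDE_OBJECT:    return "exceeds object";
    case USERCOPY_OUTSIDE_WHITELIST: return "exceeds whitelist";
    }
    return "?";
}

int main(void)
{
    /* Addresses and size from the KASAN report: object at ...c00, read of
     * 22 bytes at ...c4b (75 bytes into the object). */
    const uint64_t obj = 0xffff8800122b8c00ULL;
    const uint64_t addr = 0xffff8800122b8c4bULL;

    printf("%s: copy 22 @ +75 -> %s (overrun %zu byte(s))\n",
           scsi_sense_model.name,
           verdict_name(check_usercopy(&scsi_sense_model, obj, addr, 22)),
           usercopy_overrun(&scsi_sense_model, obj, addr, 22));
    printf("%s: copy 21 @ +75 -> %s\n", scsi_sense_model.name,
           verdict_name(check_usercopy(&scsi_sense_model, obj, addr, 21)));
    printf("%s: copy 8 @ +60 -> %s\n", partial_whitelist_model.name,
           verdict_name(check_usercopy(&partial_whitelist_model, obj, obj + 60, 8)));
    return 0;
}
```

With the report's numbers the check rejects the copy as exceeding the object by exactly one byte (75 + 22 = 97 > 96), while a 21-byte copy from the same offset is accepted; the constructed partial-whitelist cache shows the other failure mode, a copy that stays inside the object but crosses the whitelist boundary.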