Received: by 10.192.165.156 with SMTP id m28csp1361408imm; Mon, 16 Apr 2018 20:14:10 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/vcgqTN4Hqd0arcPpvJcvjszZLkX/QdElmVn0G0dWbyT9komM6jsWb5vLcqiFNagExF8t0 X-Received: by 10.99.124.20 with SMTP id x20mr332367pgc.161.1523934850214; Mon, 16 Apr 2018 20:14:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523934850; cv=none; d=google.com; s=arc-20160816; b=yj6Y4ng96boKidO0y0vk2B3tQDPduds/Zjh8xxXZpZiDZ0qB4tAeYap9MAWhXAtofJ /Ji5Xi9WlQS73wttW1Lg0BJUt1gv6UENEFQ9LfoJDlUGz51MoFswt/eYMFfXpiBavbCD b5/2iYdF+1pZ3/PSmg/PZTq9Gkzuss+b4pPis1WxWCh8EyKc7Q8Zygv2wxxkTbSEEG6K s3ADeBWyVIjg5NDsSRnewNuac5HBt6fjggnJu8/uDnvWIYtR3MP0QXxhO751X93iHpxb DNoQXKTOv621SOrUjpY2fLJXvqDXH+pOd1+tDMzJ0WAGG4qM74/3Q0ljOvPOwkY4k52t afWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=mp3qQ0+XyrhCTFqyP9O7whhDlDrWOhj6pTHzP6/eWTc=; b=eaOeFhFfJhbSXqnJOsZy0BSUaNrB4ocWo9mH7RZjnBRnCA0g6kwXJRuF8LAxY+GPol YWGmUSNwbeREzYjJCPOSjV21BPmcIZgALV5JFP9kAvPnFIgjCspH+5vZMVqyoocUZkcX yf7Pt0Bnk8xicJ7Rk1pGh/a0+LogIb1pX0WgcWXesXB6WHSiF5vEwlheWECqhi1HAfvc 2pm+6aacPWgYx2Y/YEqU8gBKQVH6zdh9oQPaIoCHR/4mx2PrF4jn3sf/Wl5I9j+oviO/ 3huTQ1WtZ58PJz6P2Iphr4w0/1rBQXw4XhhgOFN9aO9NulQ8iOER0k58TAceflaRS1a1 A8yw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=HDSo83vN; dkim=fail header.i=@chromium.org header.s=google header.b=dwDukL9+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e13si4403795pgt.185.2018.04.16.20.13.56; Mon, 16 Apr 2018 20:14:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=HDSo83vN; dkim=fail header.i=@chromium.org header.s=google header.b=dwDukL9+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753051AbeDQDMt (ORCPT + 99 others); Mon, 16 Apr 2018 23:12:49 -0400 Received: from mail-ua0-f193.google.com ([209.85.217.193]:41058 "EHLO mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753006AbeDQDMo (ORCPT ); Mon, 16 Apr 2018 23:12:44 -0400 Received: by mail-ua0-f193.google.com with SMTP id t9so11512620uac.8 for ; Mon, 16 Apr 2018 20:12:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=mp3qQ0+XyrhCTFqyP9O7whhDlDrWOhj6pTHzP6/eWTc=; b=HDSo83vNG4Q9wHfo1bIAO8DD+VEtUbp59765JFcjWsT0WlbIid72JcgK1VRKdO4rpe a88XP0B54VCj3jiqoKwHJ9/EpAUGu5aYxgTEufFM9aD7W9HsT7P0sFg9G7mOduOSp4zk DEuyqLej+2kocEmI0X25RTrFx3VjDdbi2hXhigcBI1b6Qsc2HQk2jp/txcKfYKijIIxB qJ4MAKFSoNnJif8UMXRxqgOvDw6bHrROPLh2e9OoWXADPu/vxljylrZTJTuEoFPdR2DH 7kmTVa1jMoCV7GPTdMSUTVFYOx8dAOR7d/SPyIur9+TOT+oNiNadJG/xj1OWBMLQ5vI8 ghOg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=mp3qQ0+XyrhCTFqyP9O7whhDlDrWOhj6pTHzP6/eWTc=; b=dwDukL9+Ar1iXZeS0OPKgU3oS6puiiVCJFNo0g1wPRilON0es40G/nx9ChFnuBEtCg bXiNP1R4WKPGsaZuH5WYdJHgs+tq+HaHheZTebM62LCCwmR4MaWrK28kKsFHorhnIYvI mAFGKt5H4fwrgAeWSk2IiEvV1PDW0+2lClrFM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=mp3qQ0+XyrhCTFqyP9O7whhDlDrWOhj6pTHzP6/eWTc=; b=t7+ciDr7jmVvqOrrzM4ps7diLHGdUuTj2aHJH4A2ke57WV8YUEoI7XJPat1Bk7QMxB LBCjP+rUXVisELNVI55LytJQZeTowzzKYD2FNil64ABMbN/HfKK6rWvlsDD4EHORqgIS COa0vy6CWYCRdc5JEcPyLWx/pcVz8Pknl8PaM3UhH0nrhCwoZydhOkvtVxU2yTzcZB6q 0DkawxiFrlDnypr3J0dP7GhOALZuHuf/8R3jqj4zK7vLBQBp10RjTbhqf+X2jRpfUtMY Wq1GCrd01gqAhTmQ3G7AsgzhidGa+6T9llj76yldZtxn/HcktWgna2F8/cDpUdeBzaOS SYUQ== X-Gm-Message-State: ALQs6tD7wHR64/bXUUPwo44WwsG4HQz+WXOOZTA2IwayC7Ey70NxkO02 fI2bt6npu6nd+YpyEahKC/DahFIGmbLpZvyt0Dol6w== X-Received: by 10.176.73.176 with SMTP id e45mr201764uad.167.1523934763640; Mon, 16 Apr 2018 20:12:43 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.164.81 with HTTP; Mon, 16 Apr 2018 20:12:42 -0700 (PDT) In-Reply-To: References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name> From: Kees Cook Date: Mon, 16 Apr 2018 20:12:42 -0700 X-Google-Sender-Auth: BKqWON40aqOBhgdF88EXEn-ecNI Message-ID: Subject: Re: usercopy whitelist woe in scsi_sense_cache To: Oleksandr Natalenko , Jens Axboe , Bart Van Assche , Paolo Valente Cc: David Windsor , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, LKML , Christoph Hellwig , Hannes Reinecke , Johannes Thumshirn , linux-block@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 16, 2018 at 1:44 PM, Kees Cook wrote: > On Thu, Apr 12, 2018 at 8:02 PM, Kees Cook wrote: >> On Thu, Apr 12, 2018 at 3:47 PM, Kees Cook wrote: >>> After fixing up some build issues in the middle of the 4.16 cycle, I >>> get an unhelpful bisect result of commit 0a4b6e2f80aa ("Merge branch >>> 'for-4.16/block'"). Instead of letting the test run longer, I'm going >>> to switch to doing several shorter test boots per kernel and see if >>> that helps. One more bisect coming... >> >> Okay, so I can confirm the bisect points at the _merge_ itself, not a >> specific patch. I'm not sure how to proceed here. It looks like some >> kind of interaction between separate trees? Jens, do you have >> suggestions on how to track this down? > > Turning off HARDENED_USERCOPY and turning on KASAN, I see the same report: > > [ 38.274106] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x42/0x60 > [ 38.274841] Read of size 22 at addr ffff8800122b8c4b by task smartctl/1064 > [ 38.275630] > [ 38.275818] CPU: 2 PID: 1064 Comm: smartctl Not tainted 4.17.0-rc1-ARCH+ #266 > [ 38.276631] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), > BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 > [ 38.277690] Call Trace: > [ 38.277988] dump_stack+0x71/0xab > [ 38.278397] ? _copy_to_user+0x42/0x60 > [ 38.278833] print_address_description+0x6a/0x270 > [ 38.279368] ? _copy_to_user+0x42/0x60 > [ 38.279800] kasan_report+0x243/0x360 > [ 38.280221] _copy_to_user+0x42/0x60 > [ 38.280635] sg_io+0x459/0x660 > ... > > Though we get slightly more details (some we already knew): > > [ 38.301330] Allocated by task 329: > [ 38.301734] kmem_cache_alloc_node+0xca/0x220 > [ 38.302239] scsi_mq_init_request+0x64/0x130 [scsi_mod] > [ 38.302821] blk_mq_alloc_rqs+0x2cf/0x370 > [ 38.303265] blk_mq_sched_alloc_tags.isra.4+0x7d/0xb0 > [ 38.303820] blk_mq_init_sched+0xf0/0x220 > [ 38.304268] elevator_switch+0x17a/0x2c0 > [ 38.304705] elv_iosched_store+0x173/0x220 > [ 38.305171] queue_attr_store+0x72/0xb0 > [ 38.305602] kernfs_fop_write+0x188/0x220 > [ 38.306049] __vfs_write+0xb6/0x330 > [ 38.306436] vfs_write+0xe9/0x240 > [ 38.306804] ksys_write+0x98/0x110 > [ 38.307181] do_syscall_64+0x6d/0x1d0 > [ 38.307590] entry_SYSCALL_64_after_hwframe+0x44/0xa9 > [ 38.308142] > [ 38.308316] Freed by task 0: > [ 38.308652] (stack is not available) > [ 38.309060] > [ 38.309243] The buggy address belongs to the object at ffff8800122b8c00 > [ 38.309243] which belongs to the cache scsi_sense_cache of size 96 > [ 38.310625] The buggy address is located 75 bytes inside of > [ 38.310625] 96-byte region [ffff8800122b8c00, ffff8800122b8c60) With a hardware watchpoint, I've isolated the corruption to here: bfq_dispatch_request+0x2be/0x1610: __bfq_dispatch_request at block/bfq-iosched.c:3902 3900 if (rq) { 3901 inc_in_driver_start_rq: 3902 bfqd->rq_in_driver++; 3903 start_rq: 3904 rq->rq_flags |= RQF_STARTED; 3905 } Through some race condition(?), rq_in_driver is also sense_buffer, and it can get incremented. Specifically, I am doing: diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c index 25c14c58385c..f50d5053d732 100644 --- a/block/blk-mq-sched.c +++ b/block/blk-mq-sched.c @@ -6,6 +6,8 @@ #include #include #include +#include +#include #include @@ -428,6 +430,18 @@ void blk_mq_sched_restart(struct blk_mq_hw_ctx *const hctx) } } +static void sample_hbp_handler(struct perf_event *bp, + struct perf_sample_data *data, + struct pt_regs *regs) +{ + printk(KERN_INFO "sense_buffer value is changed\n"); + dump_stack(); + printk(KERN_INFO "Dump stack from sample_hbp_handler\n"); +} + +struct perf_event * __percpu *sample_hbp; +int ok_to_go; + void blk_mq_sched_insert_request(struct request *rq, bool at_head, bool run_queue, bool async) { @@ -435,6 +449,16 @@ void blk_mq_sched_insert_request(struct request *rq, bool at_head, struct elevator_queue *e = q->elevator; struct blk_mq_ctx *ctx = rq->mq_ctx; struct blk_mq_hw_ctx *hctx = blk_mq_map_queue(q, ctx->cpu); + struct perf_event_attr attr; + struct scsi_request *req = scsi_req(rq); + + if (ok_to_go) { + hw_breakpoint_init(&attr); + attr.bp_addr = (uintptr_t)&(req->sense); + attr.bp_len = HW_BREAKPOINT_LEN_8; + attr.bp_type = HW_BREAKPOINT_W; + sample_hbp = register_wide_hw_breakpoint(&attr, sample_hbp_handler, NULL); + } /* flush rq in flush machinery need to be dispatched directly */ if (!(rq->rq_flags & RQF_FLUSH_SEQ) && op_is_flush(rq->cmd_flags)) { @@ -461,6 +485,9 @@ void blk_mq_sched_insert_request(struct request *rq, bool at_head, run: if (run_queue) blk_mq_run_hw_queue(hctx, async); + + if (ok_to_go) + unregister_wide_hw_breakpoint(sample_hbp); } void blk_mq_sched_insert_requests(struct request_queue *q, Where "ok_to_go" is wired up to a sysctl so I don't trip other things (?) at boot-time. I still haven't figured this out, though... any have a moment to look at this? -Kees -- Kees Cook Pixel Security