Received: by 10.192.165.156 with SMTP id m28csp252225imm; Tue, 17 Apr 2018 09:32:38 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/Dm43uJQmrnqgfGAmueu6JR7tJQIts0JRbLNX0dWcNJKUGgZ18YYFLhsycIhkBx4r4z0M6 X-Received: by 10.99.136.73 with SMTP id l70mr2375119pgd.49.1523982758469; Tue, 17 Apr 2018 09:32:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523982758; cv=none; d=google.com; s=arc-20160816; b=DFv78Co9n4A5ZqGL6xitx/0PEbt9pcvzVTpbN/zDkAoI153+iZFXA3iMcPVqcbAVAa +Jesh2IE8ruV9Gcca8+ZT/260DE4HEKPCVbnR1ki+1ggRvGBRpo/joSI2D5OadADiy4S Y2e1Fu5XnuIlljtI2Exp5IWeVebXF7KLUrQoaFxabUNo72fSHRNm0cCEGM56DN4A4o/1 GXGhbviaUlJsbBNtxx3/dz8h4ss1iLFlxidjIRFkOzrVDVaNdgynO/eXAkbOtTrLAqwM KjTieC3OqLUnW4mE0CWW+pU7zTPVp3I3OtCOqb4GyrFE0OMbjg+bchS4hSyjtPns0plf i/EQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=FBVVk+4wDaZpByfv6cnlhmu7u6tt8zBMEE/wmzVmghs=; b=UcwnVjSHV4SjM1Run74Phc3T5rLRG7t/0cgeZOliXYInmedq+ueluns+L/ki+m8X8f Fo3y8zTxNu9fSK4uJq4U11DLnpxHea41N+xg3D9WXGhcih6gEYggxfVOeShqZYwpHY/F PXQF2hV31aM9usIIsAnXqctbC2qlLzNA4r1NtJsVyQg3qD5lg4R0wpVXhG+p5uNawYqq yWi9dqQYDV8qOHLXtoHoK26Tne2emRXUVIAqxhK3j1an9dYbTKndH+uo30KqMGPo0t51 RWJIqY+qwGDiR7kc+EgJMQ+GsDe1sh0s6LMlefuX9XG2yog9oRf/Rn0Er2d+YdHqdOdt R4LQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=hRI3LO1f; dkim=fail header.i=@chromium.org header.s=google header.b=izHCiQGS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e12si11704541pgn.339.2018.04.17.09.32.24; Tue, 17 Apr 2018 09:32:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=hRI3LO1f; dkim=fail header.i=@chromium.org header.s=google header.b=izHCiQGS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755183AbeDQQbF (ORCPT + 99 others); Tue, 17 Apr 2018 12:31:05 -0400 Received: from mail-ua0-f196.google.com ([209.85.217.196]:41824 "EHLO mail-ua0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754021AbeDQQbB (ORCPT ); Tue, 17 Apr 2018 12:31:01 -0400 Received: by mail-ua0-f196.google.com with SMTP id t9so12988238uac.8 for ; Tue, 17 Apr 2018 09:31:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=FBVVk+4wDaZpByfv6cnlhmu7u6tt8zBMEE/wmzVmghs=; b=hRI3LO1fstmbdhshHSSeJJyMHhlbexVa0aZZi25dPfYBCmM8YmAAftCXLj+HBcbUm1 6vFCuHJuCfCkxiPtfFSnHE+cU3Dou/Pv1F8agduvyF8EYFBQTcRXk90Byn7zAh77zerg 9NmFMViG5X4UKIm17S1IN9Y5rfoiwilSTLxBzzUJJ1g05c54JrpZVV9L+9BFWry9yV3m tJa8cmWGvMwWahaC8QVIi79Z+mi/g1kLa6sJAR5OpXJWOLi+zkyndwVNO2bpurqRK/4f nXPAH8VTG6JCslcW96JNbvXJGBPQxxUQkJfwoEazomvGbRhU8CIoOZCMLFqdLYgamSft 5saw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=FBVVk+4wDaZpByfv6cnlhmu7u6tt8zBMEE/wmzVmghs=; b=izHCiQGS6qASqyxvlJIhr2lIDtqOcjygwNQTWCjcU3pl4maWxyoKo0wdDlgyFLK4tT 9Z3OBqGlNqoHPCUYcwv/KIxwZKLqSm9BAOnAsNNZnzvXdQlP2E6D/dbH6ncXhWjVtND3 RKHkM+Vwj27IRzQDa7pgdYfem1wsSJ61auyH8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=FBVVk+4wDaZpByfv6cnlhmu7u6tt8zBMEE/wmzVmghs=; b=kx2qrSy95YDw08goOBpJ1FmFjUFGObcP0box9T5syzDY5FOS1B+fwOnLCCpvmnn2y7 YJHAnE/2CAqCg32yRCR6xHr0+A2hFx76kbaw4lTEtyNaVK1CR4GEcNudM6YBYCTCc9UB zCA49kHL25ARqdQxEwTsWCWbAiFe+wezfwnrzSNyNdFyNfChIUF/rKNfhOB6Nhz+3QUi thBjZxEs3Evjz49KwjFsE/yEzeM8fLPXw3JnEELWo58STFqmZXEnW0irnBO98QY9iGzh NHIng3NebUlJG0+1ZAEkgLI0YLJPyni5EkphW05lc8oIOywXIIhQUS9Ngi+bEHu6kxrV 1KOw== X-Gm-Message-State: ALQs6tCUz8m3gtyfvcy+ZOuVAf1CeYkM7HoOCXVRmrzf0DlRvKtmcWFO mcfdAJb+QCfiBGAoHu02ZJbAQxopVrtYO/1xf11JVg== X-Received: by 10.159.49.238 with SMTP id w43mr2048285uad.176.1523982660608; Tue, 17 Apr 2018 09:31:00 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 09:30:59 -0700 (PDT) In-Reply-To: <1523959328.3250.11.camel@linux.vnet.ibm.com> References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name> <1523959328.3250.11.camel@linux.vnet.ibm.com> From: Kees Cook Date: Tue, 17 Apr 2018 09:30:59 -0700 X-Google-Sender-Auth: oHTr8X0bUt6HvZwmEd9ciWtCnUY Message-ID: Subject: Re: usercopy whitelist woe in scsi_sense_cache To: James Bottomley Cc: Oleksandr Natalenko , Jens Axboe , Bart Van Assche , Paolo Valente , David Windsor , "Martin K. Petersen" , linux-scsi@vger.kernel.org, LKML , Christoph Hellwig , Hannes Reinecke , Johannes Thumshirn , linux-block@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 17, 2018 at 3:02 AM, James Bottomley wrote: > On Mon, 2018-04-16 at 20:12 -0700, Kees Cook wrote: >> I still haven't figured this out, though... any have a moment to look >> at this? > > Just to let you know you're not alone ... but I can't make any sense of > this either. The bfdq is the elevator_data, which is initialised when > the scheduler is attached, so it shouldn't change. Is it possible to > set a data break point on elevator_data after it's initialised and see > if it got changed by something? Yeah, it seems like some pointer chain is getting overwritten outside of a lock or rcu or ?. I don't know this code well enough to guess at where to check, though. What I find so strange is that the structure offsets are different between bfpd's rq_in_driver field and scsi_request's sense field, so even THAT doesn't look to be clear-cut either: struct bfq_data { struct request_queue * queue; /* 0 8 */ struct list_head dispatch; /* 8 16 */ struct bfq_group * root_group; /* 24 8 */ struct rb_root queue_weights_tree; /* 32 8 */ struct rb_root group_weights_tree; /* 40 8 */ int busy_queues; /* 48 4 */ int wr_busy_queues; /* 52 4 */ int queued; /* 56 4 */ int rq_in_driver; /* 60 4 */ ... struct scsi_request { unsigned char __cmd[16]; /* 0 16 */ unsigned char * cmd; /* 16 8 */ short unsigned int cmd_len; /* 24 2 */ /* XXX 2 bytes hole, try to pack */ int result; /* 28 4 */ unsigned int sense_len; /* 32 4 */ unsigned int resid_len; /* 36 4 */ int retries; /* 40 4 */ /* XXX 4 bytes hole, try to pack */ void * sense; /* 48 8 */ ... This is _so_ weird. :P -Kees -- Kees Cook Pixel Security