Received: by 10.192.165.156 with SMTP id m28csp264199imm;
        Tue, 17 Apr 2018 09:45:45 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49opErpaSvpr98mxOBSV1zCh2zYwv+6pYqSE59jZMweoOEM4QsQOjupcDFl9KGgGqaAFc99
X-Received: by 10.99.127.89 with SMTP id p25mr2378238pgn.440.1523983545453;
        Tue, 17 Apr 2018 09:45:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523983545; cv=none;
        d=google.com; s=arc-20160816;
        b=qE3fKnziSvVi6qN0KgfqLHk2rIbmRZ6icVXiLr3nWWOCFhchDK7jwxy4loIxsmK5ol
         wjXv32s4AMlGJLj8nlP+JhKVe78lyAxoRKbkAaukjmN0pxfUD8PV1Vo8HDs31O2ryTMF
         srFG5M/qaH4Juvu2u2uYSp28kYF+7MsvjJJ7hIZx7LZDsFSvwhIVsmD4q6rAm7C+kNr/
         68XptVM8CoD8hWWPZLtgK2BeYdXZrrf3wI4X3DRLwvEKJnJ/8sDfUn4GyJTYKmZ2EQaC
         MpPN8FcEqbnyKbo58CGzXx0SMBfQYm6BQIvAO4r6ftMTESjiSWidQESSlXjb/YZpQi4L
         d2Fg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=U2gaZ+XwwJitAV83Nw58rfRgUc9h007QUd4jr3kcFDQ=;
        b=jXLzqS8Ey84qMjRyNKJ/uzBKfBzJ3coSoFPqEOwzQz52XWMlO4EzuZFN6BuE6MiG7B
         18E3QRhnB+3l0aWtLevshpSNmBTk7PKPvBoSCJHiup+7T5SY9zrzd+JupllJIOIz+AHZ
         xpmJwQXBwWFnZ5m5mcSjn0jdK/F20wlzoHtMrqVyMeqa8dbF4SKs6msl9NKSwrvFak4P
         NdYUFf71g0TeoGBxDz5psgprP5aRf2JwLCOJaqrTnzbJqgBFKCsHOt4F/Ww21/pCqy/N
         HpZvSZjFaKyIoF2PW7H4F4iQCeTWxyOOHwCElC0bGOP7QJjG8KebpOF8fjMetCTgKOxP
         K2bQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=M6H51t1k;
       dkim=fail header.i=@chromium.org header.s=google header.b=aFNve/cY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g15-v6si1670648pln.526.2018.04.17.09.45.31;
        Tue, 17 Apr 2018 09:45:45 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=M6H51t1k;
       dkim=fail header.i=@chromium.org header.s=google header.b=aFNve/cY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755300AbeDQQmr (ORCPT <rfc822;charleyewang@gmail.com>
        + 99 others); Tue, 17 Apr 2018 12:42:47 -0400
Received: from mail-ua0-f193.google.com ([209.85.217.193]:37792 "EHLO
        mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755246AbeDQQmo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Apr 2018 12:42:44 -0400
Received: by mail-ua0-f193.google.com with SMTP id d3so12712978uae.4
        for <linux-kernel@vger.kernel.org>; Tue, 17 Apr 2018 09:42:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=U2gaZ+XwwJitAV83Nw58rfRgUc9h007QUd4jr3kcFDQ=;
        b=M6H51t1kPnjtCbyZPQCiXBmYv0FrYIlxapKw1+cZJLW2paZUdQLp7DcHv3R732dm7O
         s5RonmJS1ktT7x8YyZs742z0ELvSIRxBAGPRcyYOTVE7iQMnFbis5SGImxeovUYqSvnZ
         J5YezsJaxBDsTr2fdTveK21DR3pjeNkrEbWnbkf5yZotKoXsfGcIi70r8J+5G7Vi8qf1
         1pjuh3NwxM/MphPEmIrXwdjAgJvKDkgd2jI8abKIgd/Hh+afTviP6xBsitjMtpA73vlu
         jyCEXzVaZdUXocxac8ehfqm7e2S0zUaSnomPZ71OtkXNSkod2xFUgQyZAKHugXZF6hsy
         rZsw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=U2gaZ+XwwJitAV83Nw58rfRgUc9h007QUd4jr3kcFDQ=;
        b=aFNve/cYT7gVJSw1fLL3uk7zkxe1V+zO5j4QZYKUzuLlKzLxcPtQr4BMMyZ5Jh5IR1
         b5aCnpWxQC1+htuCvRigcfzOcJQmZgWLxmKaSgkIawvgr6APCFz1oweTgTJNVYjQFh02
         gLb57uN6KkzP9Gs3Kl+QVb/Ng0Z2NbVvdU/J8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=U2gaZ+XwwJitAV83Nw58rfRgUc9h007QUd4jr3kcFDQ=;
        b=mlToq34xFtloPnKMQeROodRG5PfZd2Xcn3inBd1L8E4RBAmge5PgQFfWrdol7GKsvt
         03aQ03UvVavjtLIsBDp+YoD2TaL5ElQKWVOxpXXgPvIDVIkPteteU+WaxycdxD4/Fbxo
         9qZICxJgC0Da/vVZOQsgyVkeBDD4pSLT5ENKXLfcapQEe1wH12RsHOyrdegYyUePfX9J
         sT548yzxJSAT5GI1WIsZcEr5lh+h8LW4PG6euUFt7ryE1V5FuSJDctLZC+nkgT0Sb+vb
         mInwWVEuXh82fd9amLpKfHn56lXcBx9/Vx5R0dOEXnv+Q0l9RpQr/TDyStfjDnQmFs7l
         fUGw==
X-Gm-Message-State: ALQs6tDZtXmbTqgymZzm3VL5oOLenFTam7F4AkqnEZ7ZHW1sHSt5ntaH
        g+RXTL7ul+CUJe7SuOcZaRbjaYxnWmyezs6hdd+/0w==
X-Received: by 10.176.48.239 with SMTP id d15mr2073949uam.0.1523983363110;
 Tue, 17 Apr 2018 09:42:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 09:42:42 -0700 (PDT)
In-Reply-To: <CAGXu5jLQuzpjFcfjpT=MvgOxBizFNMjnfmY+E7eCHkDAV5swHg@mail.gmail.com>
References: <10360653.ov98egbaqx@natalenko.name> <CAGXu5j+-PNYxSc3v+QtQLK0S3wdtFthFSxNM_69kFDnPQX0Gaw@mail.gmail.com>
 <CAGXu5j+_UH0h9qeYCKKjhC7jw-mi_=fg4ASHi2=pCF9xGTpA4Q@mail.gmail.com>
 <2864697.7uzmEJovl2@natalenko.name> <CAGXu5jLSmJv9AstzsgSscrv-wA7FwfrxAKRxj-FVBmihQvnj1g@mail.gmail.com>
 <CAGXu5j+dh1zm32iBjRVh0s+3gLJYgjwt+z1aBJmrK2Cr8XPWnA@mail.gmail.com>
 <CAGXu5jLhnWnUiscP9B=kTEFNyRw9jgFn7Zr5FxhZrO20553+1Q@mail.gmail.com>
 <CAGXu5jKuZwicyyXH2gB3vp-OjtS+MkG+hqxV1cq1jaG9vAAO=g@mail.gmail.com> <CAGXu5jLQuzpjFcfjpT=MvgOxBizFNMjnfmY+E7eCHkDAV5swHg@mail.gmail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Tue, 17 Apr 2018 09:42:42 -0700
X-Google-Sender-Auth: MQ8xE2JvksbnXlGAnnBnRSgqW7o
Message-ID: <CAGXu5jLsX+nmc8hRSdOa28js7=ggPSGkUuTHbc3DUEcKSpEDbw@mail.gmail.com>
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To:     Oleksandr Natalenko <oleksandr@natalenko.name>,
        Jens Axboe <axboe@kernel.dk>,
        Bart Van Assche <bart.vanassche@wdc.com>,
        Paolo Valente <paolo.valente@linaro.org>
Cc:     David Windsor <dave@nullcore.net>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        Christoph Hellwig <hch@lst.de>,
        Hannes Reinecke <hare@suse.com>,
        Johannes Thumshirn <jthumshirn@suse.de>,
        linux-block@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 16, 2018 at 8:12 PM, Kees Cook <keescook@chromium.org> wrote:
> With a hardware watchpoint, I've isolated the corruption to here:
>
> bfq_dispatch_request+0x2be/0x1610:
> __bfq_dispatch_request at block/bfq-iosched.c:3902
> 3900            if (rq) {
> 3901    inc_in_driver_start_rq:
> 3902                    bfqd->rq_in_driver++;
> 3903    start_rq:
> 3904                    rq->rq_flags |= RQF_STARTED;
> 3905            }

FWIW, the stacktrace here (removing the ? lines) is:

[   34.311980] RIP: 0010:bfq_dispatch_request+0x2be/0x1610
[   34.452491]  blk_mq_do_dispatch_sched+0x1d9/0x260
[   34.454561]  blk_mq_sched_dispatch_requests+0x3da/0x4b0
[   34.458789]  __blk_mq_run_hw_queue+0xae/0x130
[   34.460001]  __blk_mq_delay_run_hw_queue+0x192/0x280
[   34.460823]  blk_mq_run_hw_queue+0x10b/0x1b0
[   34.463240]  blk_mq_sched_insert_request+0x3bd/0x4d0
[   34.467342]  blk_execute_rq+0xcf/0x140
[   34.468483]  sg_io+0x2f7/0x730

Can anyone tell me more about the memory allocation layout of the
various variables here? It looks like struct request is a header in
front of struct scsi_request? How do struct elevator_queue, struct
blk_mq_ctx, and struct blk_mq_hw_ctx overlap these?

Regardless, I'll check for elevator data changing too...

-Kees

-- 
Kees Cook
Pixel Security