From: Kees Cook
Date: Tue, 17 Apr 2018 09:42:42 -0700
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To: Oleksandr Natalenko, Jens Axboe, Bart Van Assche, Paolo Valente
Cc: David Windsor, "James E.J. Bottomley", "Martin K. Petersen",
    linux-scsi@vger.kernel.org, LKML, Christoph Hellwig, Hannes Reinecke,
    Johannes Thumshirn, linux-block@vger.kernel.org
References: <10360653.ov98egbaqx@natalenko.name>
            <2864697.7uzmEJovl2@natalenko.name>
List-ID: linux-kernel@vger.kernel.org

On Mon, Apr 16, 2018 at 8:12 PM, Kees Cook wrote:
> With a hardware watchpoint, I've isolated the corruption to here:
>
> bfq_dispatch_request+0x2be/0x1610:
> __bfq_dispatch_request at block/bfq-iosched.c:3902
>   3900          if (rq) {
>   3901  inc_in_driver_start_rq:
>   3902                  bfqd->rq_in_driver++;
>   3903  start_rq:
>   3904                  rq->rq_flags |= RQF_STARTED;
>   3905          }

FWIW, the stacktrace here (removing the ? lines) is:

[   34.311980] RIP: 0010:bfq_dispatch_request+0x2be/0x1610
[   34.452491]  blk_mq_do_dispatch_sched+0x1d9/0x260
[   34.454561]  blk_mq_sched_dispatch_requests+0x3da/0x4b0
[   34.458789]  __blk_mq_run_hw_queue+0xae/0x130
[   34.460001]  __blk_mq_delay_run_hw_queue+0x192/0x280
[   34.460823]  blk_mq_run_hw_queue+0x10b/0x1b0
[   34.463240]  blk_mq_sched_insert_request+0x3bd/0x4d0
[   34.467342]  blk_execute_rq+0xcf/0x140
[   34.468483]  sg_io+0x2f7/0x730

Can anyone tell me more about the memory allocation layout of the
various variables here? It looks like struct request is a header in
front of struct scsi_request? How do struct elevator_queue, struct
blk_mq_ctx, and struct blk_mq_hw_ctx overlap these?

Regardless, I'll check for elevator data changing too...

-Kees

-- 
Kees Cook
Pixel Security