Received: by 10.192.165.156 with SMTP id m28csp453425imm;
        Tue, 17 Apr 2018 13:05:08 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/Se836udSFqafDl2gE/1pL8XikPI1NZ1qC+lx6MI/70Nj1CpoTgExjerjXuvfyDF+F8UDx
X-Received: by 2002:a17:902:bc44:: with SMTP id t4-v6mr3318696plz.2.1523995508417;
        Tue, 17 Apr 2018 13:05:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523995508; cv=none;
        d=google.com; s=arc-20160816;
        b=BYcqpMmvK/l4nq5gWsrqpOt84R4vSd+UG/xRU5TRH2WlIR9UHEf4hIYsGwAjIyhxDZ
         tcily5SYZr8q2z/hCQIVGVYmpnQzFIXnB5Nqw4VqvlLf2yRi96Usl+sUKhuNWQ6/pj7w
         Fs4PlDwqNffdpHt2/m4d5PmQ1AoAG5DGkYtFg1TIA2yzR+p7DD9W1a5PzVen/1205PYZ
         3KCsDOdP4ir0yS5lGxnLTcEGe3zb2GJLdZ0FUz0wbn4PKqKizj+zo4FiWQ3XzNlMGngd
         UD+rJJpSwONmplwwQcWP3ksSVwTsLaCnpXS7VdQJugKjqchnRex01udFoJetiqIW8Hwv
         m3HA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=QSkBca6OEDYZnxRpR/FDASZa8cteQxcg+6/PpmX7AxI=;
        b=apZC3FYFmL0z0GzxLiAct/jUraZnGg2nHPHRNIhXJPFP1aeEwGzv185VLrl1F9L8sc
         eDOpOCOKdKP79oLAl1BxCZGOo0ljC3WkrTCJC6VSkEd+yNh0rM4s+pa5hZxTci2+jhNM
         wLdCwCdeDaLaDhalaRA+rUtMBdTTug+zm85LwSoI8dvhoaDgXNu2P8qB2APxrqGkN4i8
         VMuLTamHZ7nSDacN0jSLsuscraO231x2txqrtjzjRWGbEHGjAs48uRp00PTj+seIEm0y
         fNeF2SE1ZQ7eI8t03vvCMsWE7lWqt9XvDiQbM1kXBT0RgmltPT83JuEEVN9U5lqkZChA
         fYJA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=RLVriIlz;
       dkim=fail header.i=@chromium.org header.s=google header.b=RC3P8SON;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id be3-v6si14166995plb.75.2018.04.17.13.04.54;
        Tue, 17 Apr 2018 13:05:08 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=RLVriIlz;
       dkim=fail header.i=@chromium.org header.s=google header.b=RC3P8SON;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752848AbeDQUD0 (ORCPT <rfc822;charleyewang@gmail.com>
        + 99 others); Tue, 17 Apr 2018 16:03:26 -0400
Received: from mail-ua0-f194.google.com ([209.85.217.194]:39136 "EHLO
        mail-ua0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752651AbeDQUDY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Apr 2018 16:03:24 -0400
Received: by mail-ua0-f194.google.com with SMTP id g10so13445670ual.6
        for <linux-kernel@vger.kernel.org>; Tue, 17 Apr 2018 13:03:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=QSkBca6OEDYZnxRpR/FDASZa8cteQxcg+6/PpmX7AxI=;
        b=RLVriIlzyfSULQd6FDYWds6lphw+Q/64Cq68IHh1DuYumxeqH4daGlSEZz+51gst47
         oaWVzCmOlfPoInjaCuhBb2tvmRtKAsHxNfVBYpx4AgFgY03tOhj4qy7c864Y8p+rqMqm
         kf8/pzr58bpi0gdRq8EQ4KYan7B64rpvQHoh5yx8977+v1zkXpdQ6jpHJa4lUXMfHu87
         Fb80g3UsJklxxAZdBytXtbIAhlHFuypGa8a/T/ItCudNa2mlp5Hze0jQSAgSm8Pf6Omx
         zHMulnR6MGEWenzY/W3N4m7l0tRUHElB4pNoKbJIsFfbUSGOH2MPHRaS4bkraJlkv54Z
         UdwQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=QSkBca6OEDYZnxRpR/FDASZa8cteQxcg+6/PpmX7AxI=;
        b=RC3P8SONn22L96GXBSFn+m1/KZYuJqMDFbWDr+fDc3fS4Us4tBdxbFq+1jZ0xFSJ23
         8nKsn6GfPtTdiMOOiq9dKMiJKAQiQ02qS0PANFtwGNSungts+l4yGuRpL8Dv4NQDHHV8
         rT9oNNNm2MnyWLf+5S2Si7YXwxluaWT1gFILI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=QSkBca6OEDYZnxRpR/FDASZa8cteQxcg+6/PpmX7AxI=;
        b=LLvzCWl2ofjzn70VviNkUT3hlmlFiuD7o3A8x5n+Un5/V7vV0GaHKrmNaLVF+aTpP8
         z8+Lkf1UfH+il7u5K3w1M8maZ3NgyhSombVGXwiTQbNEDgK+9jkOa+yaj+mU5esMb/w0
         cO/39XB/eccc0pobRuosOJHQlkWaPJeKGNh5OykVePMpF0dRiznokiUOMA9bB6SIfeW/
         3jV3FaVxzJOnGpSqQDGkHpoWVQzofd1zTesBxtcLurjZ37Ub0POQCPBxMnj+cRBWOny6
         vDGSUNrffCKTS4IgL2YSnaHgSkIHc6rmHpEiKJZnMJ6y6nKzylS9fZDN2Bvl/gcHsFIu
         MTow==
X-Gm-Message-State: ALQs6tDfDfqMY+SnSr/ZHka+vtKMi33JoHPHJnUTZybSemAPqgxauuN/
        ly7P40OJvGB50bPeKQ4I0ho0xSNHzMzV7P7xzloAGg==
X-Received: by 10.159.49.238 with SMTP id w43mr2653553uad.176.1523995403333;
 Tue, 17 Apr 2018 13:03:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 13:03:22 -0700 (PDT)
In-Reply-To: <CAGXu5jLQuzpjFcfjpT=MvgOxBizFNMjnfmY+E7eCHkDAV5swHg@mail.gmail.com>
References: <10360653.ov98egbaqx@natalenko.name> <CAGXu5j+-PNYxSc3v+QtQLK0S3wdtFthFSxNM_69kFDnPQX0Gaw@mail.gmail.com>
 <CAGXu5j+_UH0h9qeYCKKjhC7jw-mi_=fg4ASHi2=pCF9xGTpA4Q@mail.gmail.com>
 <2864697.7uzmEJovl2@natalenko.name> <CAGXu5jLSmJv9AstzsgSscrv-wA7FwfrxAKRxj-FVBmihQvnj1g@mail.gmail.com>
 <CAGXu5j+dh1zm32iBjRVh0s+3gLJYgjwt+z1aBJmrK2Cr8XPWnA@mail.gmail.com>
 <CAGXu5jLhnWnUiscP9B=kTEFNyRw9jgFn7Zr5FxhZrO20553+1Q@mail.gmail.com>
 <CAGXu5jKuZwicyyXH2gB3vp-OjtS+MkG+hqxV1cq1jaG9vAAO=g@mail.gmail.com> <CAGXu5jLQuzpjFcfjpT=MvgOxBizFNMjnfmY+E7eCHkDAV5swHg@mail.gmail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Tue, 17 Apr 2018 13:03:22 -0700
X-Google-Sender-Auth: zzNgFiYzXTijY8lVcVWlOeEWq6w
Message-ID: <CAGXu5jJTMqbXia7TmN2yEW11SM+XC3pkMt=bb+xBrY7-OOf=tw@mail.gmail.com>
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To:     Oleksandr Natalenko <oleksandr@natalenko.name>,
        Jens Axboe <axboe@kernel.dk>,
        Bart Van Assche <bart.vanassche@wdc.com>,
        Paolo Valente <paolo.valente@linaro.org>
Cc:     David Windsor <dave@nullcore.net>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        Christoph Hellwig <hch@lst.de>,
        Hannes Reinecke <hare@suse.com>,
        Johannes Thumshirn <jthumshirn@suse.de>,
        linux-block@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 16, 2018 at 8:12 PM, Kees Cook <keescook@chromium.org> wrote:
> With a hardware watchpoint, I've isolated the corruption to here:
>
> bfq_dispatch_request+0x2be/0x1610:
> __bfq_dispatch_request at block/bfq-iosched.c:3902
> 3900            if (rq) {
> 3901    inc_in_driver_start_rq:
> 3902                    bfqd->rq_in_driver++;
> 3903    start_rq:
> 3904                    rq->rq_flags |= RQF_STARTED;
> 3905            }

This state continues to appear to be "impossible".

[   68.845979] watchpoint triggered
[   68.846462] sense before:ffff8b8f9f6aae00 after:ffff8b8f9f6aae01
[   68.847196] elevator before:ffff8b8f9a2c2000 after:ffff8b8f9a2c2000
[   68.847905] elevator_data before:ffff8b8f9a2c0400 after:ffff8b8f9a2c0400
...
[   68.856925] RIP: 0010:bfq_dispatch_request+0x99/0xad0
[   68.857553] RSP: 0018:ffff900280c63a58 EFLAGS: 00000082
[   68.858253] RAX: ffff8b8f9aefbe80 RBX: ffff8b8f9a2c0400 RCX: ffff8b8f9a2c0408
[   68.859201] RDX: ffff8b8f9a2c0408 RSI: ffff900280c63b34 RDI: 0000000000000001
[   68.860147] RBP: 0000000000000000 R08: 0000000f00000204 R09: 0000000000000000
[   68.861122] R10: ffff900280c63af0 R11: 0000000000000040 R12: ffff8b8f9aefbe00
[   68.862089] R13: ffff8b8f9a221950 R14: 0000000000000000 R15: ffff8b8f9a2c0770

Here we can see that sense buffer has, as we've seen, been
incremented. However, the "before" values for elevator and
elevator_data still match their expected values. As such, this should
be "impossible", since:

static struct request *__bfq_dispatch_request(struct blk_mq_hw_ctx *hctx)
{
        struct bfq_data *bfqd = hctx->queue->elevator->elevator_data;
...
        if (rq) {
inc_in_driver_start_rq:
                bfqd->rq_in_driver++;
start_rq:
                rq->rq_flags |= RQF_STARTED;
        }
exit:
        return rq;
}

For rq_in_driver++ to touch sense, bfqd must be equal to scsi_request
- 12 bytes (rq_in_driver is 60 byte offset from struct bfq_data, and
sense is 48 bytes offset from struct scsi_request).

The above bfq_dispatch_request+0x99/0xad0 is still
__bfq_dispatch_request at block/bfq-iosched.c:3902, just with KASAN
removed. 0x99 is 153 decimal:

(gdb) disass bfq_dispatch_request
Dump of assembler code for function bfq_dispatch_request:
...
   0xffffffff8134b2ad <+141>:   test   %rax,%rax
   0xffffffff8134b2b0 <+144>:   je     0xffffffff8134b2bd
<bfq_dispatch_request+157>
   0xffffffff8134b2b2 <+146>:   addl   $0x1,0x100(%rax)
   0xffffffff8134b2b9 <+153>:   addl   $0x1,0x3c(%rbx)
   0xffffffff8134b2bd <+157>:   orl    $0x2,0x18(%r12)
   0xffffffff8134b2c3 <+163>:   test   %ebp,%ebp
   0xffffffff8134b2c5 <+165>:   je     0xffffffff8134b2ce
<bfq_dispatch_request+174>
   0xffffffff8134b2c7 <+167>:   mov    0x108(%r14),%rax
   0xffffffff8134b2ce <+174>:   mov    %r15,%rdi
   0xffffffff8134b2d1 <+177>:   callq  0xffffffff81706f90 <_raw_spin_unlock_irq>

Just as a sanity-check, at +157 %r12 should be rq, rq_flags is 0x18
offset from, $0x2 is RQF_STARTED, so that maps to "rq->rq_flags |=
RQF_STARTED", the next C statement. I don't know what +146 is, though?
An increment of something 256 bytes offset? There's a lot of inline
fun and reordering happening here, so I'm ignoring that for the
moment.

So at +153 %rbx should be bfqd (i.e. elevator_data), but this is the
tripped instruction. The watchpoint dump shows RBX as ffff8b8f9a2c0400
... which matches elevator_data.

So, what can this be? Some sort of cache issue? By the time the
watchpoint handler captures the register information, it's already
masked the problem? I'm stumped again. :(

-Kees

-- 
Kees Cook
Pixel Security