Received: by 10.192.165.156 with SMTP id m28csp472553imm;
        Tue, 17 Apr 2018 13:27:20 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/lJ7QAGroyPuB7xB4E8M9ozJZ/VBawKf1hmoVv40Nledzi3rkvzINVeblnAkPzFtSI7nZJ
X-Received: by 2002:a17:902:8:: with SMTP id 8-v6mr3304814pla.287.1523996840225;
        Tue, 17 Apr 2018 13:27:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523996840; cv=none;
        d=google.com; s=arc-20160816;
        b=vbxtgBtc7NDySRAjpS/d2y/6PmAfatH/FNs2Po3Gr56Y6i4ukwQiPfBaA79JDsTstD
         jESTp8MoHbb00wgr3E3Z9H/A1jYFMTuy9QxvfassvfIT5Td21qUArhMMg2m8v+dqfLP+
         aWIm6FYjtHlTsV+TX45VqLEeZtfIsogNAXIZoaNUdbNHdxiV01ngZywLLfdGSQLgabID
         L37ywSsAB73UHtm1WMSvC9n4ITl0beY/7C6bmbLyIWJzkIQn3SZ3Qf+uYEwVTnXTgA3R
         hzvrR8LH8BAtMom3tgqmVs3wOnfVTEdhRoJ63b8eqV0nvm/UZuk/POFb3GelVjYfIUag
         qCrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=IwrEsrMv+E87ksGXdNe8X1BZMNVI6GJoRn6gWT7n734=;
        b=bvc3V5Gr7DQNMnG89PhVpEf6LOSxAgYuSpge5AXlnXht6kAPmNlMtcwohxwb48K4f9
         v90croH0dpj6iCCh2o7ppuH7qIn74gpy7Pxb46mo3VMWjE21aTsqDddeoF6ZjAOloF87
         uXaEkLzJZIZdEl67jDF9lwvWzfDzlslr/V3eME89ypuH0nx21+4D5xVMOR6PLpwAph+V
         1RNlW1jGdiHqc6G1n8CbNElbaDGJy02wLQSXhOgiur+a+r50PbY5L9Dy/MjIMq6w2JNM
         7A9cuZWiSPh572/sc4I37EFdyajYq0Nt52RdV/rMb7R6R1GKuJj18br4hQ0gZZHUuTEF
         ITcg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=fKf+3+gw;
       dkim=fail header.i=@chromium.org header.s=google header.b=DZMopbU5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z2-v6si14637475plk.94.2018.04.17.13.27.05;
        Tue, 17 Apr 2018 13:27:20 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=fKf+3+gw;
       dkim=fail header.i=@chromium.org header.s=google header.b=DZMopbU5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752712AbeDQUZx (ORCPT <rfc822;charleyewang@gmail.com>
        + 99 others); Tue, 17 Apr 2018 16:25:53 -0400
Received: from mail-vk0-f65.google.com ([209.85.213.65]:40983 "EHLO
        mail-vk0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752633AbeDQUZv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Apr 2018 16:25:51 -0400
Received: by mail-vk0-f65.google.com with SMTP id i75so7886181vke.8
        for <linux-kernel@vger.kernel.org>; Tue, 17 Apr 2018 13:25:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=IwrEsrMv+E87ksGXdNe8X1BZMNVI6GJoRn6gWT7n734=;
        b=fKf+3+gwu3FdHJKfUDQH0WUXfkf9cO99GerAqpOuqy8vB+3YK8EvJBaMyD9aZToUVs
         ZQg83S7TXIbx29kfVmsZ6wKHLhbhPOWX7V2lE2OJZsdoPyOGjKR2YMlFqbomX6CAuRiS
         jnooaDAeN1V9tX3Km4x8ZMoQH220tmjtd0ItMvJ/+fvCttaq2G+zgcYimOZkJH2RNf3y
         UF7WV6wjL3yrPloEEOm2Vcb+Hb3zsDisk18JK357Huc52blqWXQU6Ml6dXrh1UNVc2Dq
         KWOX2hBac1RXFsWuCd4GtXLOH/FinDfUsBn7YC1GG8+IL3RZWEPFYrX32Pb1jqdMZgOY
         D5NA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=IwrEsrMv+E87ksGXdNe8X1BZMNVI6GJoRn6gWT7n734=;
        b=DZMopbU5p+cstxHEeD3Nzlvtc/shlEyxsmP1VHlDFd2ntLlPnZzh/QdvSo9ToWPJza
         a3pDGIx/6UwUVT3FkCZNEIIBkzjUpKNXCUNqEq9oPfD0U5Kn9b0ZwCATEU0JUzXq40i6
         e/apsBOByBzRKbxsIxlzLXS/QAeoW4R+lXKro=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=IwrEsrMv+E87ksGXdNe8X1BZMNVI6GJoRn6gWT7n734=;
        b=pDaG8ktdIdreN1myw/vgCapXKeGlrYLq9eCYdQxLYqmQuXTp/bxkho3G5wT2VtmzRJ
         j1TXMHg1cbxJdKQmgI0/aHFgHFIqqKhLsvoLRp53ld4GNCnu4gMM5N/GUtq5NJP7Tk5D
         SvNEW6sUa4xD71DqHgt43kMOHN5zP2sDTYvz3dJ62D8S2t+jRRYi+IU0r3nzUv8EoLKJ
         LWbJFfGi4mW8MnNcZVwmsocu02UsCwmry3dWcM1UTegDXrbGfZg/+vTQMONzl6weufj3
         D1rDhxLIjoQaMfRDCKFdSQdIXlo0I5YbkXVFA7u32REFKrF1u/4q4YcH0VAldPjA9ieS
         s2ww==
X-Gm-Message-State: ALQs6tC//GxbkKgKedgVXQDXi8W5NHEchRGPkGJqxYgXFzKTsYj/9LmI
        sKBNNNhwC2IMjq5Hvq7lpylHdq/gm3ryyaJGs7JCpA==
X-Received: by 10.31.148.135 with SMTP id w129mr2585313vkd.7.1523996750799;
 Tue, 17 Apr 2018 13:25:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 13:25:49 -0700 (PDT)
In-Reply-To: <CAGXu5j+xX3kDDS_sPY44hPVb=8isMX-evYzPx3ur=rge1rL5JQ@mail.gmail.com>
References: <10360653.ov98egbaqx@natalenko.name> <CAGXu5j+-PNYxSc3v+QtQLK0S3wdtFthFSxNM_69kFDnPQX0Gaw@mail.gmail.com>
 <CAGXu5j+_UH0h9qeYCKKjhC7jw-mi_=fg4ASHi2=pCF9xGTpA4Q@mail.gmail.com>
 <2864697.7uzmEJovl2@natalenko.name> <CAGXu5jLSmJv9AstzsgSscrv-wA7FwfrxAKRxj-FVBmihQvnj1g@mail.gmail.com>
 <CAGXu5j+dh1zm32iBjRVh0s+3gLJYgjwt+z1aBJmrK2Cr8XPWnA@mail.gmail.com>
 <CAGXu5jLhnWnUiscP9B=kTEFNyRw9jgFn7Zr5FxhZrO20553+1Q@mail.gmail.com>
 <CAGXu5jKuZwicyyXH2gB3vp-OjtS+MkG+hqxV1cq1jaG9vAAO=g@mail.gmail.com>
 <CAGXu5jLQuzpjFcfjpT=MvgOxBizFNMjnfmY+E7eCHkDAV5swHg@mail.gmail.com>
 <CAGXu5jJTMqbXia7TmN2yEW11SM+XC3pkMt=bb+xBrY7-OOf=tw@mail.gmail.com> <CAGXu5j+xX3kDDS_sPY44hPVb=8isMX-evYzPx3ur=rge1rL5JQ@mail.gmail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Tue, 17 Apr 2018 13:25:49 -0700
X-Google-Sender-Auth: ithOsYFmwRPnQ0E_24BbOjywe_s
Message-ID: <CAGXu5jJmvKcANUSsCz3fjGSv-tv1hceNd3rOpT4WTfYRb65RRA@mail.gmail.com>
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To:     Oleksandr Natalenko <oleksandr@natalenko.name>,
        Jens Axboe <axboe@kernel.dk>,
        Bart Van Assche <bart.vanassche@wdc.com>,
        Paolo Valente <paolo.valente@linaro.org>
Cc:     David Windsor <dave@nullcore.net>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        Christoph Hellwig <hch@lst.de>,
        Hannes Reinecke <hare@suse.com>,
        Johannes Thumshirn <jthumshirn@suse.de>,
        linux-block@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 17, 2018 at 1:20 PM, Kees Cook <keescook@chromium.org> wrote:
> On Tue, Apr 17, 2018 at 1:03 PM, Kees Cook <keescook@chromium.org> wrote:
>> The above bfq_dispatch_request+0x99/0xad0 is still
>> __bfq_dispatch_request at block/bfq-iosched.c:3902, just with KASAN
>> removed. 0x99 is 153 decimal:
>>
>> (gdb) disass bfq_dispatch_request
>> Dump of assembler code for function bfq_dispatch_request:
>> ...
>>    0xffffffff8134b2ad <+141>:   test   %rax,%rax
>>    0xffffffff8134b2b0 <+144>:   je     0xffffffff8134b2bd
>> <bfq_dispatch_request+157>
>>    0xffffffff8134b2b2 <+146>:   addl   $0x1,0x100(%rax)
>>    0xffffffff8134b2b9 <+153>:   addl   $0x1,0x3c(%rbx)
>>    0xffffffff8134b2bd <+157>:   orl    $0x2,0x18(%r12)
>>    0xffffffff8134b2c3 <+163>:   test   %ebp,%ebp
>>    0xffffffff8134b2c5 <+165>:   je     0xffffffff8134b2ce
>> <bfq_dispatch_request+174>
>>    0xffffffff8134b2c7 <+167>:   mov    0x108(%r14),%rax
>>    0xffffffff8134b2ce <+174>:   mov    %r15,%rdi
>>    0xffffffff8134b2d1 <+177>:   callq  0xffffffff81706f90 <_raw_spin_unlock_irq>
>>
>> Just as a sanity-check, at +157 %r12 should be rq, rq_flags is 0x18
>> offset from, $0x2 is RQF_STARTED, so that maps to "rq->rq_flags |=
>> RQF_STARTED", the next C statement. I don't know what +146 is, though?
>> An increment of something 256 bytes offset? There's a lot of inline
>> fun and reordering happening here, so I'm ignoring that for the
>> moment.
>
> No -- I'm reading this wrong. The RIP is the IP _after_ the trap, so
> +146 is the offender.
>
> [   29.284746] watchpoint @ ffff95d41a0fe580 triggered
> [   29.285349] sense before:ffff95d41f45f700 after:ffff95d41f45f701 (@ffff95d41a
> 0fe580)
> [   29.286176] elevator before:ffff95d419419c00 after:ffff95d419419c00
> [   29.286847] elevator_data before:ffff95d419418c00 after:ffff95d419418c00
> ...
> [   29.295069] RIP: 0010:bfq_dispatch_request+0x99/0xbb0
> [   29.295622] RSP: 0018:ffffb26e01707a40 EFLAGS: 00000002
> [   29.296181] RAX: ffff95d41a0fe480 RBX: ffff95d419418c00 RCX: ffff95d419418c08
>
> RAX is ffff95d41a0fe480 and sense is stored at ffff95d41a0fe580,
> exactly 0x100 away.
>
> WTF is this addl?

What are the chances? :P Two ++ statements in a row separate by a
collapsed goto. FML. :)

...
                        bfqq->dispatched++;
                        goto inc_in_driver_start_rq;
...
inc_in_driver_start_rq:
                bfqd->rq_in_driver++;
...

And there's the 0x100 (256):

struct bfq_queue {
...
        int                        dispatched;           /*   256     4 */

So bfqq is corrupted somewhere... I'll keep digging. I hope you're all
enjoying my live debugging transcript. ;)

-Kees

-- 
Kees Cook
Pixel Security