Subject: Re: usercopy whitelist woe in scsi_sense_cache
From: Jens Axboe
To: Kees Cook, Oleksandr Natalenko, Bart Van Assche, Paolo Valente
Cc: David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, LKML, Christoph Hellwig, Hannes Reinecke, Johannes Thumshirn, linux-block@vger.kernel.org, Paolo Valente
Date: Tue, 17 Apr 2018 14:28:46 -0600
Message-ID: <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk>
References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/17/18 2:25 PM, Kees Cook wrote:
> On Tue, Apr 17, 2018 at 1:20 PM, Kees Cook wrote:
>> On Tue, Apr 17, 2018 at 1:03 PM, Kees Cook wrote:
>>> The above bfq_dispatch_request+0x99/0xad0 is still
>>> __bfq_dispatch_request at block/bfq-iosched.c:3902, just with KASAN
>>> removed. 0x99 is 153 decimal:
>>>
>>> (gdb) disass bfq_dispatch_request
>>> Dump of assembler code for function bfq_dispatch_request:
>>> ...
>>>    0xffffffff8134b2ad <+141>:   test   %rax,%rax
>>>    0xffffffff8134b2b0 <+144>:   je     0xffffffff8134b2bd
>>>    0xffffffff8134b2b2 <+146>:   addl   $0x1,0x100(%rax)
>>>    0xffffffff8134b2b9 <+153>:   addl   $0x1,0x3c(%rbx)
>>>    0xffffffff8134b2bd <+157>:   orl    $0x2,0x18(%r12)
>>>    0xffffffff8134b2c3 <+163>:   test   %ebp,%ebp
>>>    0xffffffff8134b2c5 <+165>:   je     0xffffffff8134b2ce
>>>    0xffffffff8134b2c7 <+167>:   mov    0x108(%r14),%rax
>>>    0xffffffff8134b2ce <+174>:   mov    %r15,%rdi
>>>    0xffffffff8134b2d1 <+177>:   callq  0xffffffff81706f90 <_raw_spin_unlock_irq>
>>>
>>> Just as a sanity-check, at +157 %r12 should be rq, rq_flags is 0x18
>>> offset from, $0x2 is RQF_STARTED, so that maps to "rq->rq_flags |=
>>> RQF_STARTED", the next C statement. I don't know what +146 is, though?
>>> An increment of something 256 bytes offset? There's a lot of inline
>>> fun and reordering happening here, so I'm ignoring that for the
>>> moment.
>>
>> No -- I'm reading this wrong. The RIP is the IP _after_ the trap, so
>> +146 is the offender.
>>
>> [ 29.284746] watchpoint @ ffff95d41a0fe580 triggered
>> [ 29.285349] sense before:ffff95d41f45f700 after:ffff95d41f45f701 (@ffff95d41a0fe580)
>> [ 29.286176] elevator before:ffff95d419419c00 after:ffff95d419419c00
>> [ 29.286847] elevator_data before:ffff95d419418c00 after:ffff95d419418c00
>> ...
>> [ 29.295069] RIP: 0010:bfq_dispatch_request+0x99/0xbb0
>> [ 29.295622] RSP: 0018:ffffb26e01707a40 EFLAGS: 00000002
>> [ 29.296181] RAX: ffff95d41a0fe480 RBX: ffff95d419418c00 RCX: ffff95d419418c08
>>
>> RAX is ffff95d41a0fe480 and sense is stored at ffff95d41a0fe580,
>> exactly 0x100 away.
>>
>> WTF is this addl?
>
> What are the chances? :P Two ++ statements in a row separated by a
> collapsed goto. FML. :)
>
> ...
>                 bfqq->dispatched++;
>                 goto inc_in_driver_start_rq;
> ...
> inc_in_driver_start_rq:
>         bfqd->rq_in_driver++;
> ...
>
> And there's the 0x100 (256):
>
> struct bfq_queue {
> ...
>         int                        dispatched;           /*   256     4 */
>
> So bfqq is corrupted somewhere... I'll keep digging. I hope you're all
> enjoying my live debugging transcript. ;)

It has to be the latter bfqq->dispatched increment, as those are
transient (and bfqd is not). Adding Paolo.

-- 
Jens Axboe