Received: by 10.192.165.156 with SMTP id m28csp488499imm; Tue, 17 Apr 2018 13:47:38 -0700 (PDT) X-Google-Smtp-Source: AIpwx49l5Q4gI72RO9G0ftD3Af2dRMaaqb4iEXCy0t0w7OO5ULpOQ91235seVDoikYe7mpecjKV1 X-Received: by 10.98.227.16 with SMTP id g16mr3269933pfh.171.1523998058902; Tue, 17 Apr 2018 13:47:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523998058; cv=none; d=google.com; s=arc-20160816; b=W/JbRnDH/4FGsks0SxaHwQXk0qFQknZNzifQiMhp3XxHacmLSPdBGZulX1NJyD+k2l 11GsBKfVFuzWLLS9fMwYY4TUc3+knukR81yljjQgthNNSzmqE02BlyKrPWeffcZj9u3f 2MoI44oWDbC0zrMtiw54CDWOdEYyi6ltq9qxZqC1QZyt2T84lSuGUn0CUemOFhlle25c X68zWbxMxFynf6YlINaBtesOdLch5WCeYnlYQejElK16FiXAyJ3dmFZ/ccX4cUAZPFJx c9oXAjvwz3JPmBo7qai9bp2ePdlo9N+EGHrtFTBW+VZLSF2h40cAvnRnAk5BNlFUbVsB SWPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=aQe+j1t/U954q1fzh70x2NTjffJMQU9wVoEUZxe7ojg=; b=tlSp94uYawziMsReaXCAY6FAd1fAJnYB2e7w0okPYfabhyn/zZoEseBkG5Q6oUPU0B O+JGzQits0AFOBLqsrR6HKkcBRrOVWLijpzoBxnBMzica2OlmO+vq/jArIT6PyRwiuop 12WH3LYKBBG0sHwi2sZd+NubvEyaUS6b23OeHXiZcD0b9ySL3Mt5qLzVRV0Wd2cI8i3Q gre7dJVZXSYR5gu7/8jFvjteqjqhtLRdMDemd7BswN4XbxtfRhUVGhk61V1W8MpRHHEy jGbgumNpkZoWBQEdtNazP9/C1ko/AYt7gpY9HzOdvjjb/9x7T1hM6fatguDXPxdT9tHp TwXg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=rHC+hjwl; dkim=fail header.i=@chromium.org header.s=google header.b=DtUXbYMB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b8si13111272pfl.223.2018.04.17.13.47.18; Tue, 17 Apr 2018 13:47:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=rHC+hjwl; dkim=fail header.i=@chromium.org header.s=google header.b=DtUXbYMB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752757AbeDQUqI (ORCPT + 99 others); Tue, 17 Apr 2018 16:46:08 -0400 Received: from mail-ua0-f195.google.com ([209.85.217.195]:32789 "EHLO mail-ua0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752387AbeDQUqG (ORCPT ); Tue, 17 Apr 2018 16:46:06 -0400 Received: by mail-ua0-f195.google.com with SMTP id q26so13528888uab.0 for ; Tue, 17 Apr 2018 13:46:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=aQe+j1t/U954q1fzh70x2NTjffJMQU9wVoEUZxe7ojg=; b=rHC+hjwlFHwn3mlmcYIfAeze3Y+QXzGtp/RI6ZdUYimPt1+5rvDZ7XrVo6Ac27wwx5 /X+QVCSXcuAFX42yoQVYFysmHvPinZYKWJKHDQmhmzhZq0Fj8BBJ8dZlTMK3D8Sm0j1o Sr1rtj/0ziHsOAaUgy8Xyp6a+eTHasg/pPTM0go91xizJM0B4hFFyoWcUluzFcGsucMr vuWPA1MH55zu5PxME0dZfDt1Cfnt+EbnIdz8vURHYJzJWVLqcoEaGLLUH7ywk+jH2Zam jjCSHreEEa1sSiIdraNImGd1SBDpXXpnYGBxY2+Xly1ayRu/UEPFbjwGokdgNcfrdM0i 6bAQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=aQe+j1t/U954q1fzh70x2NTjffJMQU9wVoEUZxe7ojg=; b=DtUXbYMB7R7Upf8qgWC2BhS1e/wYUV+wCwJ0XNlKJCM7mPblhNDvvUlzoIdymaYRe3 E1sY5C7+7YqxJLWEUZDnY+PsdNQYIs5rQwpBQE/JgO9+UQERsUmoqodv4BX63G1TQJzS GBYunXfu7DOa5irOEAX7t8XJ6+AksWiqKiu70= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=aQe+j1t/U954q1fzh70x2NTjffJMQU9wVoEUZxe7ojg=; b=IBi5JJweSJpCrJC8OZeyUDP24fsOFbCO6h57EumXgJrh52a1p0cYYddv5BWPRKjvMb Z89mQ7XFHa2cPWuEoSiBU0eNKOCDXHtLi+3lz6W6Ys2tHq0MfZvK7FQTHaK+10DtIJrZ /Ul9yrEKT9PNTu72EINFFrZXQvcFIQL65nveeFw4+ZQ3M3SrRETovYdaH1urYXuEUntT tCBCCxg70qcTAYutiPe4dMAM2Ik3iCxA11qD0EJzCZftabtrWth8S/VVLEIQG1clcGOP Y+tSC47mFFMshmbHBFpnHX3MoEco5EvormihfExZ94BDg0E+9tv8N+TswDPre7dqbIIg 3Yeg== X-Gm-Message-State: ALQs6tBnFIoTRkGS0Ek+oYnbuxNfVBdtJd0cySlgadHHb/cO/uJXo5Bl qW6P5137sdF1Jp5uJcYhPt970pKw83aKfRGqJpuxnQ== X-Received: by 10.176.35.198 with SMTP id c6mr2692817uan.83.1523997965027; Tue, 17 Apr 2018 13:46:05 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 13:46:04 -0700 (PDT) In-Reply-To: <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk> References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name> <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk> From: Kees Cook Date: Tue, 17 Apr 2018 13:46:04 -0700 X-Google-Sender-Auth: 4OuUv_4apSIGIiLkd83Wq9VxJJI Message-ID: Subject: Re: usercopy whitelist woe in scsi_sense_cache To: Jens Axboe , Paolo Valente Cc: Oleksandr Natalenko , Bart Van Assche , David Windsor , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, LKML , Christoph Hellwig , Hannes Reinecke , Johannes Thumshirn , linux-block@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 17, 2018 at 1:28 PM, Jens Axboe wrote: > It has to be the latter bfqq->dispatched increment, as those are > transient (and bfqd is not). Yeah, and I see a lot of comments around the lifetime of rq and bfqq, so I assume something is not being locked correctly. #define RQ_BFQQ(rq) ((rq)->elv.priv[1]) static struct request *__bfq_dispatch_request(struct blk_mq_hw_ctx *hctx) { struct bfq_data *bfqd = hctx->queue->elevator->elevator_data; struct request *rq = NULL; struct bfq_queue *bfqq = NULL; if (!list_empty(&bfqd->dispatch)) { rq = list_first_entry(&bfqd->dispatch, struct request, queuelist); list_del_init(&rq->queuelist); bfqq = RQ_BFQQ(rq); if (bfqq) { /* * Increment counters here, because this * dispatch does not follow the standard * dispatch flow (where counters are * incremented) */ bfqq->dispatched++; ... I see elv.priv[1] assignments made in a few places -- is it possible there is some kind of uninitialized-but-not-NULL state that can leak in there? bfq_prepare_request() assigns elv.priv[1], and bfq_insert_request() only checks that it's non-NULL (if at all) in one case. Can bfq_insert_request() get called without bfq_prepare_request() being called first? -Kees -- Kees Cook Pixel Security