Received: by 10.192.165.156 with SMTP id m28csp488499imm;
        Tue, 17 Apr 2018 13:47:38 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49l5Q4gI72RO9G0ftD3Af2dRMaaqb4iEXCy0t0w7OO5ULpOQ91235seVDoikYe7mpecjKV1
X-Received: by 10.98.227.16 with SMTP id g16mr3269933pfh.171.1523998058902;
        Tue, 17 Apr 2018 13:47:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523998058; cv=none;
        d=google.com; s=arc-20160816;
        b=W/JbRnDH/4FGsks0SxaHwQXk0qFQknZNzifQiMhp3XxHacmLSPdBGZulX1NJyD+k2l
         11GsBKfVFuzWLLS9fMwYY4TUc3+knukR81yljjQgthNNSzmqE02BlyKrPWeffcZj9u3f
         2MoI44oWDbC0zrMtiw54CDWOdEYyi6ltq9qxZqC1QZyt2T84lSuGUn0CUemOFhlle25c
         X68zWbxMxFynf6YlINaBtesOdLch5WCeYnlYQejElK16FiXAyJ3dmFZ/ccX4cUAZPFJx
         c9oXAjvwz3JPmBo7qai9bp2ePdlo9N+EGHrtFTBW+VZLSF2h40cAvnRnAk5BNlFUbVsB
         SWPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=aQe+j1t/U954q1fzh70x2NTjffJMQU9wVoEUZxe7ojg=;
        b=tlSp94uYawziMsReaXCAY6FAd1fAJnYB2e7w0okPYfabhyn/zZoEseBkG5Q6oUPU0B
         O+JGzQits0AFOBLqsrR6HKkcBRrOVWLijpzoBxnBMzica2OlmO+vq/jArIT6PyRwiuop
         12WH3LYKBBG0sHwi2sZd+NubvEyaUS6b23OeHXiZcD0b9ySL3Mt5qLzVRV0Wd2cI8i3Q
         gre7dJVZXSYR5gu7/8jFvjteqjqhtLRdMDemd7BswN4XbxtfRhUVGhk61V1W8MpRHHEy
         jGbgumNpkZoWBQEdtNazP9/C1ko/AYt7gpY9HzOdvjjb/9x7T1hM6fatguDXPxdT9tHp
         TwXg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=rHC+hjwl;
       dkim=fail header.i=@chromium.org header.s=google header.b=DtUXbYMB;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b8si13111272pfl.223.2018.04.17.13.47.18;
        Tue, 17 Apr 2018 13:47:38 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=rHC+hjwl;
       dkim=fail header.i=@chromium.org header.s=google header.b=DtUXbYMB;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752757AbeDQUqI (ORCPT <rfc822;charleyewang@gmail.com>
        + 99 others); Tue, 17 Apr 2018 16:46:08 -0400
Received: from mail-ua0-f195.google.com ([209.85.217.195]:32789 "EHLO
        mail-ua0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752387AbeDQUqG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Apr 2018 16:46:06 -0400
Received: by mail-ua0-f195.google.com with SMTP id q26so13528888uab.0
        for <linux-kernel@vger.kernel.org>; Tue, 17 Apr 2018 13:46:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=aQe+j1t/U954q1fzh70x2NTjffJMQU9wVoEUZxe7ojg=;
        b=rHC+hjwlFHwn3mlmcYIfAeze3Y+QXzGtp/RI6ZdUYimPt1+5rvDZ7XrVo6Ac27wwx5
         /X+QVCSXcuAFX42yoQVYFysmHvPinZYKWJKHDQmhmzhZq0Fj8BBJ8dZlTMK3D8Sm0j1o
         Sr1rtj/0ziHsOAaUgy8Xyp6a+eTHasg/pPTM0go91xizJM0B4hFFyoWcUluzFcGsucMr
         vuWPA1MH55zu5PxME0dZfDt1Cfnt+EbnIdz8vURHYJzJWVLqcoEaGLLUH7ywk+jH2Zam
         jjCSHreEEa1sSiIdraNImGd1SBDpXXpnYGBxY2+Xly1ayRu/UEPFbjwGokdgNcfrdM0i
         6bAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=aQe+j1t/U954q1fzh70x2NTjffJMQU9wVoEUZxe7ojg=;
        b=DtUXbYMB7R7Upf8qgWC2BhS1e/wYUV+wCwJ0XNlKJCM7mPblhNDvvUlzoIdymaYRe3
         E1sY5C7+7YqxJLWEUZDnY+PsdNQYIs5rQwpBQE/JgO9+UQERsUmoqodv4BX63G1TQJzS
         GBYunXfu7DOa5irOEAX7t8XJ6+AksWiqKiu70=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=aQe+j1t/U954q1fzh70x2NTjffJMQU9wVoEUZxe7ojg=;
        b=IBi5JJweSJpCrJC8OZeyUDP24fsOFbCO6h57EumXgJrh52a1p0cYYddv5BWPRKjvMb
         Z89mQ7XFHa2cPWuEoSiBU0eNKOCDXHtLi+3lz6W6Ys2tHq0MfZvK7FQTHaK+10DtIJrZ
         /Ul9yrEKT9PNTu72EINFFrZXQvcFIQL65nveeFw4+ZQ3M3SrRETovYdaH1urYXuEUntT
         tCBCCxg70qcTAYutiPe4dMAM2Ik3iCxA11qD0EJzCZftabtrWth8S/VVLEIQG1clcGOP
         Y+tSC47mFFMshmbHBFpnHX3MoEco5EvormihfExZ94BDg0E+9tv8N+TswDPre7dqbIIg
         3Yeg==
X-Gm-Message-State: ALQs6tBnFIoTRkGS0Ek+oYnbuxNfVBdtJd0cySlgadHHb/cO/uJXo5Bl
        qW6P5137sdF1Jp5uJcYhPt970pKw83aKfRGqJpuxnQ==
X-Received: by 10.176.35.198 with SMTP id c6mr2692817uan.83.1523997965027;
 Tue, 17 Apr 2018 13:46:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 13:46:04 -0700 (PDT)
In-Reply-To: <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk>
References: <10360653.ov98egbaqx@natalenko.name> <CAGXu5j+-PNYxSc3v+QtQLK0S3wdtFthFSxNM_69kFDnPQX0Gaw@mail.gmail.com>
 <CAGXu5j+_UH0h9qeYCKKjhC7jw-mi_=fg4ASHi2=pCF9xGTpA4Q@mail.gmail.com>
 <2864697.7uzmEJovl2@natalenko.name> <CAGXu5jLSmJv9AstzsgSscrv-wA7FwfrxAKRxj-FVBmihQvnj1g@mail.gmail.com>
 <CAGXu5j+dh1zm32iBjRVh0s+3gLJYgjwt+z1aBJmrK2Cr8XPWnA@mail.gmail.com>
 <CAGXu5jLhnWnUiscP9B=kTEFNyRw9jgFn7Zr5FxhZrO20553+1Q@mail.gmail.com>
 <CAGXu5jKuZwicyyXH2gB3vp-OjtS+MkG+hqxV1cq1jaG9vAAO=g@mail.gmail.com>
 <CAGXu5jLQuzpjFcfjpT=MvgOxBizFNMjnfmY+E7eCHkDAV5swHg@mail.gmail.com>
 <CAGXu5jJTMqbXia7TmN2yEW11SM+XC3pkMt=bb+xBrY7-OOf=tw@mail.gmail.com>
 <CAGXu5j+xX3kDDS_sPY44hPVb=8isMX-evYzPx3ur=rge1rL5JQ@mail.gmail.com>
 <CAGXu5jJmvKcANUSsCz3fjGSv-tv1hceNd3rOpT4WTfYRb65RRA@mail.gmail.com> <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk>
From:   Kees Cook <keescook@chromium.org>
Date:   Tue, 17 Apr 2018 13:46:04 -0700
X-Google-Sender-Auth: 4OuUv_4apSIGIiLkd83Wq9VxJJI
Message-ID: <CAGXu5jL9miO3OXpjAxm9t8v=f_f5StB=Tk=aV8BVRdEj-Y-PDA@mail.gmail.com>
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To:     Jens Axboe <axboe@kernel.dk>,
        Paolo Valente <paolo.valente@linaro.org>
Cc:     Oleksandr Natalenko <oleksandr@natalenko.name>,
        Bart Van Assche <bart.vanassche@wdc.com>,
        David Windsor <dave@nullcore.net>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        Christoph Hellwig <hch@lst.de>,
        Hannes Reinecke <hare@suse.com>,
        Johannes Thumshirn <jthumshirn@suse.de>,
        linux-block@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 17, 2018 at 1:28 PM, Jens Axboe <axboe@kernel.dk> wrote:
> It has to be the latter bfqq->dispatched increment, as those are
> transient (and bfqd is not).

Yeah, and I see a lot of comments around the lifetime of rq and bfqq,
so I assume something is not being locked correctly.

#define RQ_BFQQ(rq)             ((rq)->elv.priv[1])

static struct request *__bfq_dispatch_request(struct blk_mq_hw_ctx *hctx)
{
        struct bfq_data *bfqd = hctx->queue->elevator->elevator_data;
        struct request *rq = NULL;
        struct bfq_queue *bfqq = NULL;

        if (!list_empty(&bfqd->dispatch)) {
                rq = list_first_entry(&bfqd->dispatch, struct request,
                                      queuelist);
                list_del_init(&rq->queuelist);

                bfqq = RQ_BFQQ(rq);

                if (bfqq) {
                        /*
                         * Increment counters here, because this
                         * dispatch does not follow the standard
                         * dispatch flow (where counters are
                         * incremented)
                         */
                        bfqq->dispatched++;
...

I see elv.priv[1] assignments made in a few places -- is it possible
there is some kind of uninitialized-but-not-NULL state that can leak
in there?

bfq_prepare_request() assigns elv.priv[1], and bfq_insert_request()
only checks that it's non-NULL (if at all) in one case. Can
bfq_insert_request() get called without bfq_prepare_request() being
called first?

-Kees

-- 
Kees Cook
Pixel Security