References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name> <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk>
From: Kees Cook
Date: Tue, 17 Apr 2018 14:25:25 -0700
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To: Jens Axboe, Paolo Valente
Cc: Oleksandr Natalenko, Bart Van Assche, David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, LKML, Christoph Hellwig, Hannes Reinecke, Johannes Thumshirn, linux-block@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 17, 2018 at 1:46 PM, Kees Cook wrote:
> I see elv.priv[1] assignments made in a few places -- is it possible
> there is some kind of uninitialized-but-not-NULL state that can leak
> in there?

Got it. This fixes it for me:

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 0dc9e341c2a7..859df3160303 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -363,7 +363,7 @@ static struct request *blk_mq_get_request(struct request_queue *q,
 	rq = blk_mq_rq_ctx_init(data, tag, op);
 	if (!op_is_flush(op)) {
-		rq->elv.icq = NULL;
+		memset(&rq->elv, 0, sizeof(rq->elv));
 		if (e && e->type->ops.mq.prepare_request) {
 			if (e->type->icq_cache && rq_ioc(bio))
 				blk_mq_sched_assign_ioc(rq, bio);
 
@@ -461,7 +461,7 @@ void blk_mq_free_request(struct request *rq)
 			e->type->ops.mq.finish_request(rq);
 		if (rq->elv.icq) {
 			put_io_context(rq->elv.icq->ioc);
-			rq->elv.icq = NULL;
+			memset(&rq->elv, 0, sizeof(rq->elv));
 		}
 	}
 

-- 
Kees Cook
Pixel Security
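Review bot: in the first hunk the new `memset(&rq->elv, 0, sizeof(rq->elv))` sits inside `if (!op_is_flush(op))`, so a flush request still leaves `rq->elv` exactly as the previous user of that tag left it; if the stale `elv.priv[1]` from the quoted diagnosis can reach the scheduler on the flush path as well, the zeroing belongs before the branch (or in `blk_mq_rq_ctx_init()`, which every request passes through), and if flush requests are deliberately excluded, a one-line comment saying why would save the next reader the same question. The cover text ("Got it. This fixes it for me") also needs a real changelog before this is applied: which path left `elv.priv[]` holding a stale pointer, why clearing only `elv.icq` was not enough, and a Fixes: tag for the commit that introduced the partial initialization.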
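Review bot: in the second hunk the `memset` replaced the `rq->elv.icq = NULL` assignment inside `if (rq->elv.icq)`, so it only runs when an io_cq was attached; a request that never had an icq is freed with `elv.priv[]` still holding whatever the scheduler stored there, which means the free path scrubs stale state on one branch only. Either hoist the `memset(&rq->elv, 0, sizeof(rq->elv))` out of the `if` (keeping the `put_io_context()` call conditional) so every freed request is cleared, or drop this hunk and rely solely on the allocation-time zeroing in `blk_mq_get_request()`; doing both without stating which one is the actual fix leaves the intent unclear to whoever next touches this code.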