Received: by 10.192.165.156 with SMTP id m28csp520283imm;
        Tue, 17 Apr 2018 14:27:13 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49umyM8+0BF+POAwoPdnm9BcoUNTtz0/j+UBCabg3QtTh3f4ikmt6R9ObCIn8/p2EkUg5/S
X-Received: by 2002:a17:902:125:: with SMTP id 34-v6mr3603372plb.42.1524000432991;
        Tue, 17 Apr 2018 14:27:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524000432; cv=none;
        d=google.com; s=arc-20160816;
        b=urf/0DImtPUEGEBK/X9iCDNheJeAYu2CjDdVlXn5ZvClkujbvJNKXDu7oT/3u+zd9n
         TBuQTBXqWLDm6+QxEaVtoxGNo/7D8BnsDGvg2EsVyctodqsrhhqA+XyEwL0oiK+GMQsz
         TAcIx8g2IA/rsETv2xe0MREIJUPq1fJhEOJr3Nd3Z8BrT/au7c2NXGWfUg1ZysDvGKtM
         hPl+O9ITbNpGC0uaz9MZn4wGO5ZGciFzjm5EwjN14SRxtn4O31DRMFtLP6xIlxpkf/Bm
         2GvkhP29vmpiweHdsuETlU8mbJx3ezAfK532qWE5PtmLZFHxN0qu22aywS1C6vwqdcUg
         3Ckw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=9HkXynL9Rlmdm9RMtuZRH6IptjUXnktYMc9rRJyIOFA=;
        b=ZZBd3KzzPjISpQvQhimzBtHhdkbY/daE/qLgLb2m174w/bRrW+QjGj0IEOioUOLdCz
         LKj66rxNrhM80U6N4OSC3FdAUc81MZ7BDYziNH/gB2jcKrrRATZkNkanlFSYXqOx/Lxy
         hHtqVycU2hp+ON3UJ+fVVW+bI7S9OZ+jpwSpQx4hb3rZEzc/wZJ55QpMIj2kRL62Q7c4
         Q5udrYTpxJ61Ku5Ti26wyyUjds95EITMKBfoVOWZ5B4lMlDvK+e4+Hk6wM4RZly073qw
         Eov5B5YUjx1Vs/B/uYC4Z9n/6tc3JS3s36GJ9iYr2ALGLoCqt6lSFfGYipvamt+QZ7kR
         TdCw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=W8AMek98;
       dkim=fail header.i=@chromium.org header.s=google header.b=jeXY+VCR;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n1si6827050pgq.436.2018.04.17.14.26.56;
        Tue, 17 Apr 2018 14:27:12 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=W8AMek98;
       dkim=fail header.i=@chromium.org header.s=google header.b=jeXY+VCR;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752699AbeDQVZc (ORCPT <rfc822;charleyewang@gmail.com>
        + 99 others); Tue, 17 Apr 2018 17:25:32 -0400
Received: from mail-ua0-f180.google.com ([209.85.217.180]:33851 "EHLO
        mail-ua0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752327AbeDQVZ2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Apr 2018 17:25:28 -0400
Received: by mail-ua0-f180.google.com with SMTP id t4so7887617ual.1
        for <linux-kernel@vger.kernel.org>; Tue, 17 Apr 2018 14:25:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=9HkXynL9Rlmdm9RMtuZRH6IptjUXnktYMc9rRJyIOFA=;
        b=W8AMek98xem6HHkxpWYPst+ppvi0MMjwDSjFUKUe+OIDFKb80DNJaRJqmdBF/3OndB
         I1ZzG52TrCGTOBtg0Y/DIObGbqMs4CUaZrbWM2In5U7gGpYd8DqEW5JDlIkNyIIok2KG
         jFajHr9sCkkqiJpd5xzf4OYO/yPiAbIqbZW3j57MUU4EA7LnG2tR8Sg72Sz6kzCm0R/t
         darMUkNGS2XqmSB/UrucNGuKT+d9aYJXrcXFXvGlHF7HWeziJl1SBJj8CoiFO6Xj/3dM
         bqmMuNBCXAlXa9jtuarTXyVSRlEVTMcNuOOCLv0Fhqo863timQxW8LAmuWcrCyYQ2QRe
         0d8g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=9HkXynL9Rlmdm9RMtuZRH6IptjUXnktYMc9rRJyIOFA=;
        b=jeXY+VCR24jKJeC65zbjQ/DfJXjAhOZRdvczgN4zi0XKljs0W/vDoM3xoZBGanXRU1
         IbqmSINvkiUL/1b4iEZMCBiJqwU6tD2dJlylsKsePU+7iER+OIjQRNRTOwaYx7vbRtf2
         csgBlg5AoheW6xCNKdXTcb0JrO3GAvYr1lTdk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=9HkXynL9Rlmdm9RMtuZRH6IptjUXnktYMc9rRJyIOFA=;
        b=cNDJiI27VhUHGzxWD/ZiIYE2SiX2n/w6GY7KnqC2rY0lQ7Tu070bh4hSE1g4rpDYdn
         6K+394u12NK6Ioi0BGQ+yhT2CIVP/W92YLnsmBdNsPNcNy9Zap7I6YvGWNMS3WHMhVKR
         hGxQIbWA+QEqd5L0Sog3/N9WwfIg3ThdAHHenPzH3GwgfFmaidgAEcj4/Jw7eUWXgGkX
         Ga0FEXqDZHHzMXG1vdlM6Ulo/vEVhT53vpzGkxTTOskRjwut2FcOLhjq7M+CUYjga9/O
         U+Ib51vb0fOudgIOLhDq2D9n82rXIbaOSWNUkbzrprgy42px1OpBL6Bkjr2d/unLAfy1
         nMGQ==
X-Gm-Message-State: ALQs6tAMPtUyAiFeJGqaI4YUgJD9knRPWYyDSHbBcLQeiOZrpQ1c5ped
        VBsI5AYpf8MEIsEKByLuT0yYq+p6BlUwUBQcbnNyQQ==
X-Received: by 10.176.0.178 with SMTP id 47mr2770221uaj.74.1524000327567; Tue,
 17 Apr 2018 14:25:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 14:25:25 -0700 (PDT)
In-Reply-To: <CAGXu5jL9miO3OXpjAxm9t8v=f_f5StB=Tk=aV8BVRdEj-Y-PDA@mail.gmail.com>
References: <10360653.ov98egbaqx@natalenko.name> <CAGXu5j+-PNYxSc3v+QtQLK0S3wdtFthFSxNM_69kFDnPQX0Gaw@mail.gmail.com>
 <CAGXu5j+_UH0h9qeYCKKjhC7jw-mi_=fg4ASHi2=pCF9xGTpA4Q@mail.gmail.com>
 <2864697.7uzmEJovl2@natalenko.name> <CAGXu5jLSmJv9AstzsgSscrv-wA7FwfrxAKRxj-FVBmihQvnj1g@mail.gmail.com>
 <CAGXu5j+dh1zm32iBjRVh0s+3gLJYgjwt+z1aBJmrK2Cr8XPWnA@mail.gmail.com>
 <CAGXu5jLhnWnUiscP9B=kTEFNyRw9jgFn7Zr5FxhZrO20553+1Q@mail.gmail.com>
 <CAGXu5jKuZwicyyXH2gB3vp-OjtS+MkG+hqxV1cq1jaG9vAAO=g@mail.gmail.com>
 <CAGXu5jLQuzpjFcfjpT=MvgOxBizFNMjnfmY+E7eCHkDAV5swHg@mail.gmail.com>
 <CAGXu5jJTMqbXia7TmN2yEW11SM+XC3pkMt=bb+xBrY7-OOf=tw@mail.gmail.com>
 <CAGXu5j+xX3kDDS_sPY44hPVb=8isMX-evYzPx3ur=rge1rL5JQ@mail.gmail.com>
 <CAGXu5jJmvKcANUSsCz3fjGSv-tv1hceNd3rOpT4WTfYRb65RRA@mail.gmail.com>
 <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk> <CAGXu5jL9miO3OXpjAxm9t8v=f_f5StB=Tk=aV8BVRdEj-Y-PDA@mail.gmail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Tue, 17 Apr 2018 14:25:25 -0700
X-Google-Sender-Auth: svKG9YO9hroYV27EgwP86sDx4yk
Message-ID: <CAGXu5jKVPQi0cdTbe5Y1DNHdiJ6-kEFRBTNv7znuqT9w5eifGg@mail.gmail.com>
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To:     Jens Axboe <axboe@kernel.dk>,
        Paolo Valente <paolo.valente@linaro.org>
Cc:     Oleksandr Natalenko <oleksandr@natalenko.name>,
        Bart Van Assche <bart.vanassche@wdc.com>,
        David Windsor <dave@nullcore.net>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        Christoph Hellwig <hch@lst.de>,
        Hannes Reinecke <hare@suse.com>,
        Johannes Thumshirn <jthumshirn@suse.de>,
        linux-block@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 17, 2018 at 1:46 PM, Kees Cook <keescook@chromium.org> wrote:
> I see elv.priv[1] assignments made in a few places -- is it possible
> there is some kind of uninitialized-but-not-NULL state that can leak
> in there?

Got it. This fixes it for me:

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 0dc9e341c2a7..859df3160303 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -363,7 +363,7 @@ static struct request *blk_mq_get_request(struct
request_queue *q,

        rq = blk_mq_rq_ctx_init(data, tag, op);
        if (!op_is_flush(op)) {
-               rq->elv.icq = NULL;
+               memset(&rq->elv, 0, sizeof(rq->elv));
                if (e && e->type->ops.mq.prepare_request) {
                        if (e->type->icq_cache && rq_ioc(bio))
                                blk_mq_sched_assign_ioc(rq, bio);
@@ -461,7 +461,7 @@ void blk_mq_free_request(struct request *rq)
                        e->type->ops.mq.finish_request(rq);
                if (rq->elv.icq) {
                        put_io_context(rq->elv.icq->ioc);
-                       rq->elv.icq = NULL;
+                       memset(&rq->elv, 0, sizeof(rq->elv));
                }
        }



-- 
Kees Cook
Pixel Security