Subject: Re: [PATCH] blk-mq: Clear out elevator private data
To: Kees Cook
Cc: Oleksandr Natalenko, linux-kernel@vger.kernel.org, Paolo Valente, Bart Van Assche, David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, Christoph Hellwig, Hannes Reinecke, Johannes Thumshirn, linux-block@vger.kernel.org
References: <20180417214218.GA44753@beast>
From: Jens Axboe
Message-ID: <7d192394-568c-53e0-4359-723769c3ed7d@kernel.dk>
Date: Tue, 17 Apr 2018 15:45:38 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
In-Reply-To: <20180417214218.GA44753@beast>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/17/18 3:42 PM, Kees Cook wrote:
> Some elevators may not correctly check rq->rq_flags & RQF_ELVPRIV, and
> may attempt to read rq->elv fields. When requests got reused, this
> caused BFQ to think it already had a bfqq (rq->elv.priv[1]) allocated.
> This could lead to odd behaviors like having the sense buffer address
> slowly start incrementing. This eventually tripped HARDENED_USERCOPY
> and KASAN.
>
> This patch wipes all of rq->elv instead of just rq->elv.icq. While
> it shouldn't technically be needed, this ends up being a robustness
> improvement that should lead to at least finding bugs in elevators faster.

Comments from the other email still apply, we should not need to do this
full memset() for every request. From a quick look, BFQ needs to straighten
out its usage of prepare request and interactions with insert_request.

> Reported-by: Oleksandr Natalenko
> Fixes: bd166ef183c26 ("blk-mq-sched: add framework for MQ capable IO schedulers")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook
> ---
> In theory, BFQ needs to also check the RQF_ELVPRIV flag, but I'll leave that
> to Paolo to figure out. Also, my Fixes line is kind of a best-guess. This
> is where icq was originally wiped, so it seemed as good a commit as any.

Yeah, that's probably a bit too broad for fixes :-)

--
Jens Axboe
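A user-space model of the request-reuse problem and of the two mitigations the thread discusses (an elevator checking RQF_ELVPRIV before trusting rq->elv, and wiping all of rq->elv when a request is reused), added here as an example that is not part of the thread or of the kernel code; the structs, the single-slot "pool" and the fake bfqq object are simplified stand-ins.

```c
/* Added example, not kernel code: a simplified model of a blk-mq request
 * whose slot is reused. rq->elv.priv[1] stands in for the bfqq pointer an
 * elevator keeps in the request's private data; RQF_ELVPRIV says whether
 * that private data is valid for the current use of the request. */
#include <stdbool.h>
#include <string.h>

#define RQF_ELVPRIV (1u << 0)

struct elv_priv { void *icq; void *priv[2]; };
struct request { unsigned int rq_flags; struct elv_priv elv; };

/* One request object that gets handed out again and again (a one-slot pool). */
static struct request pool_rq;

/* Old behaviour: on reuse only the icq is wiped, so priv[] keeps stale values. */
static struct request *get_request_old(void) {
    pool_rq.rq_flags = 0;          /* fresh use: no elevator data attached yet */
    pool_rq.elv.icq = NULL;
    return &pool_rq;
}

/* Behaviour after the patch in the thread: all of rq->elv is wiped on reuse. */
static struct request *get_request_new(void) {
    pool_rq.rq_flags = 0;
    memset(&pool_rq.elv, 0, sizeof(pool_rq.elv));
    return &pool_rq;
}

/* Elevator "prepare" step. With check_flag == false it trusts priv[1]
 * blindly; with check_flag == true it consults RQF_ELVPRIV first, as the
 * commit message asks of elevators. Returns true when the elevator wrongly
 * concludes that a bfqq is already attached to this request. */
static bool elv_thinks_bfqq_attached(const struct request *rq, bool check_flag) {
    if (check_flag && !(rq->rq_flags & RQF_ELVPRIV))
        return false;
    return rq->elv.priv[1] != NULL;
}

/* One request gets a bfqq attached, then its slot is reused for a new request.
 * Reports whether the new request is mistaken for one that already has a bfqq. */
static bool stale_bfqq_seen(bool wipe_all_on_reuse, bool check_flag) {
    static int fake_bfqq;             /* constructed stand-in for a bfqq object */
    struct request *rq = wipe_all_on_reuse ? get_request_new() : get_request_old();
    rq->elv.priv[1] = &fake_bfqq;     /* first user attaches its bfqq ... */
    rq->rq_flags |= RQF_ELVPRIV;      /* ... and marks the private data valid */
    rq = wipe_all_on_reuse ? get_request_new() : get_request_old(); /* reuse */
    return elv_thinks_bfqq_attached(rq, check_flag);
}
```

Only the combination of partial wipe and no flag check reproduces the stale-bfqq confusion; either mitigation alone avoids it in this model.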