Received: by 10.192.165.156 with SMTP id m28csp535361imm;
        Tue, 17 Apr 2018 14:48:32 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+bO5+wihRrv2rI7h6U1b3i5kDHAtlOFYva5Uv1DBde1sei+Z4vmlB1AkZFOMBQLCgBCrr4
X-Received: by 2002:a17:902:6c4b:: with SMTP id h11-v6mr3644227pln.33.1524001712370;
        Tue, 17 Apr 2018 14:48:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524001712; cv=none;
        d=google.com; s=arc-20160816;
        b=PczMA7sqXuK3Fa9M7F1pYaCyp+VzvHMDwf5rW4QEZcKlL2zp4ueuqOff3hHQn4mVrw
         /mYHTpoaj8+gQWaVSyzswAC0JKeeEu73m0M4WSYuHNGamo5tJWBXWGCcF/NTQdPWOixL
         WiZkxkoMIUu7bcMdpkji4pmHYntYVxfnkkR8SwKxaW4sEqBUUpDrSOt/vbJpDsRgIPGJ
         KKFXx+5snCASalkh7cfedLwRDvgcHIZwgTueoElgqu65ZwzUIcoM4Re1I2KTp7x98m2W
         KQjtmpwo9IhxRVlOyAtCDBFXOnluOnb1c4EaHwuFQ308oSF//HSe5GjLC5Vv2N8r4QMN
         p2tw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=VxU0427USrM1hmghAUpGY+adMD1Cba8g/prVqJjlz14=;
        b=f0d5mfGhGkeRgGQGzULTFjYhICjIC9gXL9TfgYVbKD/YW+XTy1t2hMSqFJ5/pJP6iA
         oi9C0qtKv5tFmU0PM8z8ZxP0IJNYPpInQ7zMkRczig+0Ci4NkcD8kKrkulKi3qOPPD9V
         q3azs67Px6vvprvXkPCXpP9pAN7WXyjbL6QT8nwjuplnY5pqayejyFgCFD8K8apSN3OU
         Siwd293DGe2l4c24epodMfovX4tMC9EtpKn1PqcdeW5QqxohM3UkAz7K738mG9TA2qDb
         IQFD+UIJ0rZpBTUbZZ5Tgm9PL9J7QsPU7NgRiAuQMcLCCmh9bAh64VIRRgzsvryGMAiG
         QHpw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=F5R9SVgK;
       dkim=fail header.i=@chromium.org header.s=google header.b=DOWXwP0n;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p9si12098674pgu.80.2018.04.17.14.48.18;
        Tue, 17 Apr 2018 14:48:32 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=F5R9SVgK;
       dkim=fail header.i=@chromium.org header.s=google header.b=DOWXwP0n;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753144AbeDQVrE (ORCPT <rfc822;charleyewang@gmail.com>
        + 99 others); Tue, 17 Apr 2018 17:47:04 -0400
Received: from mail-ua0-f193.google.com ([209.85.217.193]:33308 "EHLO
        mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752310AbeDQVrC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Apr 2018 17:47:02 -0400
Received: by mail-ua0-f193.google.com with SMTP id q26so13630106uab.0
        for <linux-kernel@vger.kernel.org>; Tue, 17 Apr 2018 14:47:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=VxU0427USrM1hmghAUpGY+adMD1Cba8g/prVqJjlz14=;
        b=F5R9SVgKEP3006dzH7GeM2kvrOzmNJ+tUL8X+6H2zEdiionwd5VG3AeNCExyf7cf9w
         qKokR4D1pEFKk9Ep/Z3DSLNYUziFlk6ye0Wxe4ShQWb4wJJACfKtdX90DQj2mMWktXPn
         m9893L7hnx6U1Tuw9V1JmLwRU2Hvr8w2R7bdhLbJvV0Z1gg0Sd7EYUbLX8SmX2AFX8eg
         rzxTez1phZr4X0d+7rZgbC+9kO6cOm38BhDcuwgazEXjfP5iJ3dL6x927vC9gkt8UxUk
         JSQAIS5nkaILwFqSulPZlo5GCOI4m1jQuHyZBCz6cZmwPCjNfNXpBQZzFmFNZvD+My6D
         qjDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=VxU0427USrM1hmghAUpGY+adMD1Cba8g/prVqJjlz14=;
        b=DOWXwP0nFwXg8416qljI8puLZVj1TR9SabM2zVovmRsoollgv7n30iX/TtT+wqxxYE
         Uk/ytRNUidOUq2bLm1mtXicLmEctYg/eJPj1BlV3ch4+9IwuTbpJXWUKMhuxBFz7CHys
         7Vr6pDbssMh1ivZx66j3W8G/UgDZtM/iEi2tg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=VxU0427USrM1hmghAUpGY+adMD1Cba8g/prVqJjlz14=;
        b=bejbLJC52AKacWojeZijIYNHsQlawCZSQ5PuhyiGASozMDjE+4h6JnXtVagYu/gRGy
         DjT38KX+AVluwd2oMr+hXZVnmhpLaD2zLxZoNJioERSUg5cM1KN2ShIyU9XnL2m9FFZH
         KOwhXpQfqotjnVh0MhN59ThiGRoDcG/VfE+mbcYEP3eofyJZ2P1oBAr/AYimo2nRlfGy
         XXqqLUIp3xfy7ccLIwtlplcQsNBZWxCQiKmU2ZxUTupGA8FPs1ig62rObVgHEzYGflSi
         fKVjZiUB8NDmxC0piY+ghufEFZbu9EBF+pdnNS4dP04mvhJu5nlR8Z5bKb3wDNAWPoms
         bCOQ==
X-Gm-Message-State: ALQs6tB4rcDk/MaCXuKNt0ImvP2hm/0JmSqcpP8RXasW3olJt99nCKdk
        oRls465tnWn6fEPyud3/sZ9nUFmSialIEH5wzsszvQ==
X-Received: by 10.159.49.238 with SMTP id w43mr2887789uad.176.1524001621195;
 Tue, 17 Apr 2018 14:47:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 14:47:00 -0700 (PDT)
In-Reply-To: <07f263ff-cea6-ac3c-944b-0f36fee8ba25@kernel.dk>
References: <10360653.ov98egbaqx@natalenko.name> <CAGXu5j+-PNYxSc3v+QtQLK0S3wdtFthFSxNM_69kFDnPQX0Gaw@mail.gmail.com>
 <CAGXu5j+_UH0h9qeYCKKjhC7jw-mi_=fg4ASHi2=pCF9xGTpA4Q@mail.gmail.com>
 <2864697.7uzmEJovl2@natalenko.name> <CAGXu5jLSmJv9AstzsgSscrv-wA7FwfrxAKRxj-FVBmihQvnj1g@mail.gmail.com>
 <CAGXu5j+dh1zm32iBjRVh0s+3gLJYgjwt+z1aBJmrK2Cr8XPWnA@mail.gmail.com>
 <CAGXu5jLhnWnUiscP9B=kTEFNyRw9jgFn7Zr5FxhZrO20553+1Q@mail.gmail.com>
 <CAGXu5jKuZwicyyXH2gB3vp-OjtS+MkG+hqxV1cq1jaG9vAAO=g@mail.gmail.com>
 <CAGXu5jLQuzpjFcfjpT=MvgOxBizFNMjnfmY+E7eCHkDAV5swHg@mail.gmail.com>
 <CAGXu5jJTMqbXia7TmN2yEW11SM+XC3pkMt=bb+xBrY7-OOf=tw@mail.gmail.com>
 <CAGXu5j+xX3kDDS_sPY44hPVb=8isMX-evYzPx3ur=rge1rL5JQ@mail.gmail.com>
 <CAGXu5jJmvKcANUSsCz3fjGSv-tv1hceNd3rOpT4WTfYRb65RRA@mail.gmail.com>
 <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk> <CAGXu5jL9miO3OXpjAxm9t8v=f_f5StB=Tk=aV8BVRdEj-Y-PDA@mail.gmail.com>
 <CAGXu5jKVPQi0cdTbe5Y1DNHdiJ6-kEFRBTNv7znuqT9w5eifGg@mail.gmail.com> <07f263ff-cea6-ac3c-944b-0f36fee8ba25@kernel.dk>
From:   Kees Cook <keescook@chromium.org>
Date:   Tue, 17 Apr 2018 14:47:00 -0700
X-Google-Sender-Auth: iBtT1OguPdYgWu0Mjzyd29ZP6BY
Message-ID: <CAGXu5j+kHipvoyFWjGp8M6+83zbd6yHOzwxQ-2LNBQbD5-jS9w@mail.gmail.com>
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To:     Jens Axboe <axboe@kernel.dk>
Cc:     Paolo Valente <paolo.valente@linaro.org>,
        Oleksandr Natalenko <oleksandr@natalenko.name>,
        Bart Van Assche <bart.vanassche@wdc.com>,
        David Windsor <dave@nullcore.net>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        Christoph Hellwig <hch@lst.de>,
        Hannes Reinecke <hare@suse.com>,
        Johannes Thumshirn <jthumshirn@suse.de>,
        linux-block@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 17, 2018 at 2:39 PM, Jens Axboe <axboe@kernel.dk> wrote:
> On 4/17/18 3:25 PM, Kees Cook wrote:
>> On Tue, Apr 17, 2018 at 1:46 PM, Kees Cook <keescook@chromium.org> wrote:
>>> I see elv.priv[1] assignments made in a few places -- is it possible
>>> there is some kind of uninitialized-but-not-NULL state that can leak
>>> in there?
>>
>> Got it. This fixes it for me:
>>
>> diff --git a/block/blk-mq.c b/block/blk-mq.c
>> index 0dc9e341c2a7..859df3160303 100644
>> --- a/block/blk-mq.c
>> +++ b/block/blk-mq.c
>> @@ -363,7 +363,7 @@ static struct request *blk_mq_get_request(struct
>> request_queue *q,
>>
>>         rq = blk_mq_rq_ctx_init(data, tag, op);
>>         if (!op_is_flush(op)) {
>> -               rq->elv.icq = NULL;
>> +               memset(&rq->elv, 0, sizeof(rq->elv));
>>                 if (e && e->type->ops.mq.prepare_request) {
>>                         if (e->type->icq_cache && rq_ioc(bio))
>>                                 blk_mq_sched_assign_ioc(rq, bio);
>> @@ -461,7 +461,7 @@ void blk_mq_free_request(struct request *rq)
>>                         e->type->ops.mq.finish_request(rq);
>>                 if (rq->elv.icq) {
>>                         put_io_context(rq->elv.icq->ioc);
>> -                       rq->elv.icq = NULL;
>> +                       memset(&rq->elv, 0, sizeof(rq->elv));
>>                 }
>>         }
>
> This looks like a BFQ problem, this should not be necessary. Paolo,
> you're calling your own prepare request handler from the insert
> as well, and your prepare request does nothing if rq->elv.icq == NULL.

I sent the patch anyway, since it's kind of a robustness improvement,
I'd hope. If you fix BFQ also, please add:

Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Root-caused-by: Kees Cook <keescook@chromium.org>

:) I gotta task-switch to other things!

Thanks for the pointers, and thank you Oleksandr for providing the reproducer!

-Kees

-- 
Kees Cook
Pixel Security