Received: by 10.192.165.156 with SMTP id m28csp599701imm; Tue, 17 Apr 2018 16:07:53 -0700 (PDT) X-Google-Smtp-Source: AIpwx49BYCDApNrpTjPun/MzjkCI5cm/yvDDBuGVVw8uczZ72s7I8m70A6JuVidgDk6HG42jZGmR X-Received: by 2002:a17:902:988b:: with SMTP id s11-v6mr3711930plp.306.1524006473053; Tue, 17 Apr 2018 16:07:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524006473; cv=none; d=google.com; s=arc-20160816; b=eDfRyzUDX1IDWd4jpAO07jJa0G2CdfaYqCgEk6tQy2wk1Eh/hsfjQBtw+Q1viXxajb doOqBT4XaSApdEH2X3gBViG6HatPKHrFUvkT2dOV1kapdA/02VV2a1gYSxqq/vXFUvcj k4MrtbF77bf8KnzwjqiKNcTlMn57Vf9Einuc7qyVQx3n9CYzoZTLcazQsp67/mNewehZ djAjUVsy4ZQn4V9qFT8kqjOLO0E0G9D7Y66EKu4zbDMwpz1kuxlhC/bzVGOzGd7sPX7E 9BLo7ugarqvmBMVGDcb3MjZJ8+i0T9HsH9pgVIGfHbcdwWWoW86J9+6vd/PxD4xIDkx3 xP0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=wavspCkwgb0TMV8l8msl3dLpQeJy1FShxSovA28vxc0=; b=DRTLqJa0hZ/iko4tk1jPA6BPCWzSNU5aFPynP4QZkFrx2+ccuLRDbVm4FE26BTlFcz oy9gzdrUgUzPtQYod4JHbylngWJO+LVz/s9lbEq900VhHpxthNnUjz+YkRGbF5g3yMAd saXesOT0I55kXfb/r2DJBREvsRMJFjK08rlr/ccybrUplxHXHQ8FOv4MG/hvr/2purh3 vf8pZMvgXRr719iMRoFNKSqk/FPBNu9A1WJy4xfWSk59C6VYKBHx/DLYyu46AZxBFsqC UeiOpVYSM1j//UDU4FE146K98WqR8uu/cgfTzhfmOzGvHQ60xi8yQ5nOEg3QMj7oM+Yg 6N2w== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=TnYpfPzm; dkim=fail header.i=@chromium.org header.s=google header.b=kQTy8o9q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t20si14218971pfj.320.2018.04.17.16.07.38; Tue, 17 Apr 2018 16:07:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=TnYpfPzm; dkim=fail header.i=@chromium.org header.s=google header.b=kQTy8o9q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752707AbeDQXGd (ORCPT + 99 others); Tue, 17 Apr 2018 19:06:33 -0400 Received: from mail-vk0-f67.google.com ([209.85.213.67]:34329 "EHLO mail-vk0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751010AbeDQXGa (ORCPT ); Tue, 17 Apr 2018 19:06:30 -0400 Received: by mail-vk0-f67.google.com with SMTP id m76so1205741vka.1 for ; Tue, 17 Apr 2018 16:06:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=wavspCkwgb0TMV8l8msl3dLpQeJy1FShxSovA28vxc0=; b=TnYpfPzmmJpQ8BT9haKYXWQXymSCKbDw8ncHuX1HtU8QdeTf7d+68MJpTpatQiABNH Aa5y3R0YMVTa2xWM/C2NMUlIzHFqsn2u8QouG5aU5pZqnMOvzGqPLTgguTcHFKKzYIFf IZfjFEtTTq3lcdiFJMfAynAl1S8O3/3ScdqsQtrlhhxleR4EatUtLp7rpTHtQTf04Y/M 5cmBDUYAq4ChKfbrQ72UdbH9ZztXAxUn6K8s+0qGbJIALmep+aXEC0QOE3mEf3GlMNWR GSQxmtKcJ5CdN50fGubbWirTtxkn+0LMMDwDsv8SxudjXSBaYSTrzOTtQwcUDZnJnSwJ 4QTA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=wavspCkwgb0TMV8l8msl3dLpQeJy1FShxSovA28vxc0=; b=kQTy8o9q8/uiovtV+oM4imEJZ0c7szduDE4Gko+DAplD8hxAoCUhgehmeqE+mYlVAn 3rKebQ8L1utgXb8b0jYuJT6xKHDzdwFtbNBHkbFd9RFY2S6BsouZ7QXXMQAl2JNGk9gQ 0z4FAH/IL/Rg/tGI8JYkA2tXhAZDgvb2cwbH0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=wavspCkwgb0TMV8l8msl3dLpQeJy1FShxSovA28vxc0=; b=uESjjk5FUPW716Ivg8qTqWoFASwoTWmUNoXIN8Tz0eHdFl8yPIYnOMLtUIcNcEh7EV 4xhOsUx8QswFt25kHX35ucNXTZiBki3ELiZOdw7mf2aj+C31WzEAho+ueGPo3wtIwKR5 TqI5jh2tWldB4cUeeIfQkQmQogQFGOHZ0cVOqms2QomAjPJLHaGaeT8sgsiol7hr7PPv BCfvEadSToC1KlqgTvIAtEh67gv1x84t9lJy0GJV8DcLZiB0f73TwigTM2/xz4mGgE0c rzshVkTCyQRShAF90d+Qe4CcJaHyicrM1KN9Q5sjKw7W6JMrS1wo3n8ot4w5tMtbAsQV pWGg== X-Gm-Message-State: ALQs6tDJ9S8Ui9yshM0k8eQFoOES8u3CvUJ/w+/5V8zG0rnNx8gB6xzj RiIAvuX+VySpWqwZpTDVS469+NCoLEU+XetF5BB1Cw== X-Received: by 10.31.148.135 with SMTP id w129mr2927323vkd.7.1524006389786; Tue, 17 Apr 2018 16:06:29 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 16:06:28 -0700 (PDT) In-Reply-To: <0fbf2b13-8bae-c7c5-d930-ebaafdc72202@kernel.dk> References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name> <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk> <07f263ff-cea6-ac3c-944b-0f36fee8ba25@kernel.dk> <8b32e079-d4e6-3fea-a89d-ff856e4e13b1@kernel.dk> <0fbf2b13-8bae-c7c5-d930-ebaafdc72202@kernel.dk> From: Kees Cook Date: Tue, 17 Apr 2018 16:06:28 -0700 X-Google-Sender-Auth: oPvkQ4EOF5qWgg4qimdeOBoTJSc Message-ID: Subject: Re: usercopy whitelist woe in scsi_sense_cache To: Jens Axboe Cc: Paolo Valente , Oleksandr Natalenko , Bart Van Assche , David Windsor , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, LKML , Christoph Hellwig , Hannes Reinecke , Johannes Thumshirn , linux-block@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 17, 2018 at 3:57 PM, Jens Axboe wrote: > On 4/17/18 3:48 PM, Jens Axboe wrote: >> On 4/17/18 3:47 PM, Kees Cook wrote: >>> On Tue, Apr 17, 2018 at 2:39 PM, Jens Axboe wrote: >>>> On 4/17/18 3:25 PM, Kees Cook wrote: >>>>> On Tue, Apr 17, 2018 at 1:46 PM, Kees Cook wrote: >>>>>> I see elv.priv[1] assignments made in a few places -- is it possible >>>>>> there is some kind of uninitialized-but-not-NULL state that can leak >>>>>> in there? >>>>> >>>>> Got it. This fixes it for me: >>>>> >>>>> diff --git a/block/blk-mq.c b/block/blk-mq.c >>>>> index 0dc9e341c2a7..859df3160303 100644 >>>>> --- a/block/blk-mq.c >>>>> +++ b/block/blk-mq.c >>>>> @@ -363,7 +363,7 @@ static struct request *blk_mq_get_request(struct >>>>> request_queue *q, >>>>> >>>>> rq = blk_mq_rq_ctx_init(data, tag, op); >>>>> if (!op_is_flush(op)) { >>>>> - rq->elv.icq = NULL; >>>>> + memset(&rq->elv, 0, sizeof(rq->elv)); >>>>> if (e && e->type->ops.mq.prepare_request) { >>>>> if (e->type->icq_cache && rq_ioc(bio)) >>>>> blk_mq_sched_assign_ioc(rq, bio); >>>>> @@ -461,7 +461,7 @@ void blk_mq_free_request(struct request *rq) >>>>> e->type->ops.mq.finish_request(rq); >>>>> if (rq->elv.icq) { >>>>> put_io_context(rq->elv.icq->ioc); >>>>> - rq->elv.icq = NULL; >>>>> + memset(&rq->elv, 0, sizeof(rq->elv)); >>>>> } >>>>> } >>>> >>>> This looks like a BFQ problem, this should not be necessary. Paolo, >>>> you're calling your own prepare request handler from the insert >>>> as well, and your prepare request does nothing if rq->elv.icq == NULL. >>> >>> I sent the patch anyway, since it's kind of a robustness improvement, >>> I'd hope. If you fix BFQ also, please add: >> >> It's also a memset() in the hot path, would prefer to avoid that... >> The issue here is really the convoluted bfq usage of insert/prepare, >> I'm sure Paolo can take it from here. > > Does this fix it? > > diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c > index f0ecd98509d8..d883469a1582 100644 > --- a/block/bfq-iosched.c > +++ b/block/bfq-iosched.c > @@ -4934,8 +4934,11 @@ static void bfq_prepare_request(struct request *rq, struct bio *bio) > bool new_queue = false; > bool bfqq_already_existing = false, split = false; > > - if (!rq->elv.icq) > + if (!rq->elv.icq) { > + rq->elv.priv[0] = rq->elv.priv[1] = NULL; > return; > + } > + > bic = icq_to_bic(rq->elv.icq); > > spin_lock_irq(&bfqd->lock); It does! Excellent. :) -Kees -- Kees Cook Pixel Security