Subject: Re: [PATCH] blk-mq: Clear out elevator private data
From: Paolo Valente
To: Kees Cook
Cc: Jens Axboe, Oleksandr Natalenko, Linux Kernel Mailing List, Bart Van Assche, David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, Christoph Hellwig, Hannes Reinecke, Johannes Thumshirn, linux-block@vger.kernel.org
Date: Wed, 18 Apr 2018 10:47:17 +0200
In-Reply-To: <20180417214218.GA44753@beast>

> On 17 Apr 2018, at 23:42, Kees Cook wrote:
> 
> Some elevators may not correctly check rq->rq_flags & RQF_ELVPRIV, and
> may attempt to read rq->elv fields. When requests got reused, this
> caused BFQ to think it already had a bfqq (rq->elv.priv[1]) allocated.

Hi Kees,
where does BFQ get confused and operate on a request not destined to it?
I'm asking because I paid attention to always avoid such a mistake.

Thanks,
Paolo

> This could lead to odd behaviors like having the sense buffer address
> slowly start incrementing. This eventually tripped HARDENED_USERCOPY
> and KASAN.
> 
> This patch wipes all of rq->elv instead of just rq->elv.icq. While
> it shouldn't technically be needed, this ends up being a robustness
> improvement that should lead to at least finding bugs in elevators faster.
> 
> Reported-by: Oleksandr Natalenko
> Fixes: bd166ef183c26 ("blk-mq-sched: add framework for MQ capable IO schedulers")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook
> ---
> In theory, BFQ needs to also check the RQF_ELVPRIV flag, but I'll leave that
> to Paolo to figure out. Also, my Fixes line is kind of a best-guess. This
> is where icq was originally wiped, so it seemed as good a commit as any.
> ---
> block/blk-mq.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/block/blk-mq.c b/block/blk-mq.c > index 0dc9e341c2a7..859df3160303 100644 > --- a/block/blk-mq.c > +++ b/block/blk-mq.c > @@ -363,7 +363,7 @@ static struct request *blk_mq_get_request(struct = request_queue *q, >=20 > rq =3D blk_mq_rq_ctx_init(data, tag, op); > if (!op_is_flush(op)) { > - rq->elv.icq =3D NULL; > + memset(&rq->elv, 0, sizeof(rq->elv)); > if (e && e->type->ops.mq.prepare_request) { > if (e->type->icq_cache && rq_ioc(bio)) > blk_mq_sched_assign_ioc(rq, bio); > @@ -461,7 +461,7 @@ void blk_mq_free_request(struct request *rq) > e->type->ops.mq.finish_request(rq); > if (rq->elv.icq) { > put_io_context(rq->elv.icq->ioc); > - rq->elv.icq =3D NULL; > + memset(&rq->elv, 0, sizeof(rq->elv)); > } > } >=20 > --=20 > 2.7.4 >=20 >=20 > --=20 > Kees Cook > Pixel Security
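Review bot: in the blk_mq_get_request hunk the new memset(&rq->elv, 0, sizeof(rq->elv)) sits under the existing if (!op_is_flush(op)) guard, and neither the hunk nor the commit message says why flush requests must be left out of the wipe; a one-line comment above the memset stating the reason would keep a later reader from hoisting it above the branch. Since the commit message presents the wipe as a safety net for elevators that skip the RQF_ELVPRIV check, it should also say that the net covers only non-flush requests.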
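Review bot: in the blk_mq_free_request hunk the memset is still nested inside if (rq->elv.icq), so a request whose elevator filled in rq->elv.priv[] but never received an icq (the get side assigns one only when e->type->icq_cache && rq_ioc(bio)) is freed with priv[] intact. If the intent is that stale priv[1] never survives a free, the wipe belongs after the if block:

    if (rq->elv.icq)
        put_io_context(rq->elv.icq->ioc);
    memset(&rq->elv, 0, sizeof(rq->elv));

As written, the allocation-side memset in the first hunk is what actually provides the guarantee, and this one only partially duplicates it.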
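The reuse problem the commit message describes, as an added C example that is not part of this mail, the patch or the kernel: a toy model of a tag pool handing the same request struct out repeatedly, an elevator hook that does and one that does not test RQF_ELVPRIV before reading rq->elv, and the allocation path before and after the patch. Only RQF_ELVPRIV and the elv.icq / elv.priv[] names come from the patch; toy_request, the one-slot tag pool, TOY_RQF_FLUSH and the hook names are constructed here. The union in toy_request mirrors the kernel's struct request, where the elv fields share storage with the flush bookkeeping (that detail is from the kernel source, not from this mail), which is what the !op_is_flush(op) guard protects.

```c
/*
 * Added example, not code from this mail, the patch or the kernel. Models
 * block-layer request reuse to show why an elevator must test
 * rq->rq_flags & RQF_ELVPRIV before trusting rq->elv, and what wiping
 * rq->elv at allocation adds as defence in depth. Everything except the
 * RQF_ELVPRIV / elv.icq / elv.priv[] names is constructed for the example.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define RQF_ELVPRIV   (1u << 0)  /* elevator owns rq->elv (name as in the patch) */
#define TOY_RQF_FLUSH (1u << 1)  /* constructed: marks a flush request */

struct io_cq;                    /* opaque, as in the kernel */
struct toy_bfqq { int refcount; };

struct toy_request {
    unsigned int rq_flags;
    /* Modelled on the kernel layout: elv shares a union with flush state. */
    union {
        struct { struct io_cq *icq; void *priv[2]; } elv;
        struct { unsigned int seq; void *list_prev, *list_next; } flush;
    };
};

/* One-slot "tag pool": the same struct is handed out again and again, so
 * whatever the previous owner left in it is visible to the next one. */
static struct toy_request tag_pool[1];

/* Buggy prepare hook: reads priv[1] without checking the flag.
 * Returns true when it believes the request already carries a queue. */
static bool elv_prepare_no_flag_check(struct toy_request *rq)
{
    return rq->elv.priv[1] != NULL;
}

/* Correct prepare hook: only a request marked RQF_ELVPRIV has trustworthy elv data. */
static bool elv_prepare_with_flag_check(struct toy_request *rq)
{
    if (!(rq->rq_flags & RQF_ELVPRIV))
        return false;
    return rq->elv.priv[1] != NULL;
}

/* Allocation as before the patch: only elv.icq is reset. */
static struct toy_request *get_request_clear_icq_only(unsigned int flags)
{
    struct toy_request *rq = &tag_pool[0];
    rq->rq_flags = flags;
    if (!(flags & TOY_RQF_FLUSH))
        rq->elv.icq = NULL;
    return rq;
}

/* Allocation as after the patch: all of elv is wiped for non-flush requests. */
static struct toy_request *get_request_wipe_elv(unsigned int flags)
{
    struct toy_request *rq = &tag_pool[0];
    rq->rq_flags = flags;
    if (!(flags & TOY_RQF_FLUSH))
        memset(&rq->elv, 0, sizeof(rq->elv));
    return rq;
}

/* Scenario from the commit message: an elevator-owned request stores its
 * queue pointer, completes, and the tag is reused by a request the elevator
 * does not own. Returns true if the hook mistakes stale priv[1] for a queue. */
static bool reuse_confuses_elevator(struct toy_request *(*get)(unsigned int),
                                    bool (*prepare)(struct toy_request *))
{
    static struct toy_bfqq q;
    struct toy_request *rq = get(RQF_ELVPRIV);

    rq->elv.priv[1] = &q;   /* elevator attaches its per-request queue */
    /* ... request completes; this free path never clears priv[1] ... */
    rq = get(0);            /* tag reused, this time without RQF_ELVPRIV */
    return prepare(rq);
}

/* Why the patch keeps the memset under !op_is_flush(op): in the modelled
 * layout flush.seq shares bytes with elv, so wiping elv on a flush request
 * destroys the flush state. */
static bool wiping_elv_clobbers_flush_state(void)
{
    struct toy_request rq = { .rq_flags = TOY_RQF_FLUSH };

    rq.flush.seq = 7;
    memset(&rq.elv, 0, sizeof(rq.elv));
    return rq.flush.seq != 7;
}

int main(void)
{
    printf("old alloc, no flag check: stale priv[1] trusted = %d\n",
           reuse_confuses_elevator(get_request_clear_icq_only, elv_prepare_no_flag_check));
    printf("old alloc, flag checked:  stale priv[1] trusted = %d\n",
           reuse_confuses_elevator(get_request_clear_icq_only, elv_prepare_with_flag_check));
    printf("patched alloc, no check:  stale priv[1] trusted = %d\n",
           reuse_confuses_elevator(get_request_wipe_elv, elv_prepare_no_flag_check));
    printf("memset of elv on a flush request clobbers flush.seq = %d\n",
           wiping_elv_clobbers_flush_state());
    return 0;
}
```

The flag check is the actual fix (the request without RQF_ELVPRIV is never trusted, whatever bytes it carries), while the allocation-side wipe turns a stale pointer into a NULL that a forgetful elevator at least cannot dereference; the two are complementary, which is the point the patch description makes.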