Received: by 10.192.165.156 with SMTP id m28csp1002137imm; Wed, 18 Apr 2018 02:10:24 -0700 (PDT) X-Google-Smtp-Source: AIpwx499nX77HCb/M09NxGdn0F77QZ+y8+lDVKDZk17mELDiLfrBi95qAMRRT0oUkelQQkdECNnd X-Received: by 10.98.139.7 with SMTP id j7mr1268078pfe.28.1524042624439; Wed, 18 Apr 2018 02:10:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524042624; cv=none; d=google.com; s=arc-20160816; b=IvlYXHuha5s2Wzo0eRx17KAKRhr7t4xgmzfWndYegI+ho6F1dngYl+zn+z8rO8rAXM +ksIJFXO0d+xcEzDRoeDNaCXBsrITIvc8UkobCbhjqn5aKW9wk9+oTIimcalFdUGDXpj JiMiRA0THQDnxXJot5GrHarXBTlcwza0tVL7WSphHnIJR/WVbeKxRSW3QCNRRAGzBtn7 zmT/ob3b0M/w+TmUJvbG4Ik6lLZ7zS7gYv5pHgmgeaNPFmn+LPFeirHHKMkkbJmeslIv X4EqorQlZuTobh2SLCqXxqOmlVXocHl71jaZpPpLF+AspFnSy41pGjZCy4APQi/vW/M5 oMzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature:arc-authentication-results; bh=+cJ1oQfM9oAhmz2yF02Qgk+0W1HTPKgI2GEODjdbfaU=; b=XFp+/0fEiLbm1Mzn6cG/pnP3RoqyKfg9J1r7UD/nR7qahx9Q80RBcJwjYQaULbL1wq KYfN98LTP+vZhf4HW+rCmPMo3A3K6Wr/MRIjjmAtmb0v3ua1e7bCN3h538JX/4pz4q8H /+NO0Tzg6kNfQu7ZzlMUdmhG/1UgetFvc3TA/65/yT4ctzL5S70fAfJFVLpbNFKPiLvh EOR/1nJ9vYMqsRNEZbLFEl+FSK+fD72pkrH1e8BxSYfZx7ffnya0CQjhofOXTc+PCOAJ zkaVo5NKcMn+if6xNmP8X0zM4Nd6Oc5InSES+hPbxTur0yViSryZM0t7THCy7M3LG1h7 5C5Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=cDhyGuqP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h3-v6si853106plb.285.2018.04.18.02.10.10; Wed, 18 Apr 2018 02:10:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=cDhyGuqP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753303AbeDRJIw (ORCPT + 99 others); Wed, 18 Apr 2018 05:08:52 -0400 Received: from mail-wr0-f193.google.com ([209.85.128.193]:46858 "EHLO mail-wr0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753223AbeDRJIt (ORCPT ); Wed, 18 Apr 2018 05:08:49 -0400 Received: by mail-wr0-f193.google.com with SMTP id d1-v6so2680232wrj.13 for ; Wed, 18 Apr 2018 02:08:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+cJ1oQfM9oAhmz2yF02Qgk+0W1HTPKgI2GEODjdbfaU=; b=cDhyGuqP1g2uVxCAKuJMZiGnZ535pW4SXCCe75qW+jldnSwtfbAk4azqbhuD0XcKCW vCPBaLgnvfi3wVnQKzpgubKg0nbpCkrLHB4zJUwhMy+gKrJLwn9bN2dDbcaijf8TN+90 0+JhfYycUelVALH4r5mN8oVpOloDzqwQbEmd0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+cJ1oQfM9oAhmz2yF02Qgk+0W1HTPKgI2GEODjdbfaU=; b=RGpC/avxPwFrLIz5Er8I6FYLzuihQO2Hmy894exIco53fOc/P/DhaJ4wxuC4LRnZzK lYARIDOnQXLwr9rdsXKiyfMtpZ4xAP2nBi97usxsekTSt44WeQR7/6l93zXJVxJTLWW8 QbdQhA2lU7ydElIo+UDELBCgSiGG6lmZqrl345eUPkgXGRTTYJQiz+1fltbIdA/lYjPy un7Wi8jAkK3U94zIYk6nvLdAVuLRlRkQYfpZ7/Lu5ypMfkIFl07BpseTgtlaygg0iR8K 3i2MULrhcFu1++pvCuWIY4imgzT+Nj5YcFabjaQA0oz+SObYiyZTsF2ZJWckNmTWGJPL tVGw== X-Gm-Message-State: ALQs6tDCDv63MsomHpPm4d2OL30k+uhAOngiF577Hwc0Iwq0ixOJVCv8 qpizmvSRyLlWNaJnzvT7rp+yBg== X-Received: by 2002:adf:8584:: with SMTP id 4-v6mr697912wrt.15.1524042528275; Wed, 18 Apr 2018 02:08:48 -0700 (PDT) Received: from wifi-122_dhcprange-52.wifi.unimo.it (wifi-122_dhcprange-52.wifi.unimo.it. [155.185.122.52]) by smtp.gmail.com with ESMTPSA id h7sm692069wme.0.2018.04.18.02.08.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Apr 2018 02:08:47 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\)) Subject: Re: usercopy whitelist woe in scsi_sense_cache From: Paolo Valente In-Reply-To: <0fbf2b13-8bae-c7c5-d930-ebaafdc72202@kernel.dk> Date: Wed, 18 Apr 2018 11:08:45 +0200 Cc: Kees Cook , Oleksandr Natalenko , Bart Van Assche , David Windsor , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, LKML , Christoph Hellwig , Hannes Reinecke , Johannes Thumshirn , linux-block@vger.kernel.org Content-Transfer-Encoding: quoted-printable Message-Id: <011EF7D1-B095-4B8D-AD2A-993048932C49@linaro.org> References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name> <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk> <07f263ff-cea6-ac3c-944b-0f36fee8ba25@kernel.dk> <8b32e079-d4e6-3fea-a89d-ff856e4e13b1@kernel.dk> <0fbf2b13-8bae-c7c5-d930-ebaafdc72202@kernel.dk> To: Jens Axboe X-Mailer: Apple Mail (2.3445.5.20) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > Il giorno 18 apr 2018, alle ore 00:57, Jens Axboe ha = scritto: >=20 > On 4/17/18 3:48 PM, Jens Axboe wrote: >> On 4/17/18 3:47 PM, Kees Cook wrote: >>> On Tue, Apr 17, 2018 at 2:39 PM, Jens Axboe wrote: >>>> On 4/17/18 3:25 PM, Kees Cook wrote: >>>>> On Tue, Apr 17, 2018 at 1:46 PM, Kees Cook = wrote: >>>>>> I see elv.priv[1] assignments made in a few places -- is it = possible >>>>>> there is some kind of uninitialized-but-not-NULL state that can = leak >>>>>> in there? >>>>>=20 >>>>> Got it. This fixes it for me: >>>>>=20 >>>>> diff --git a/block/blk-mq.c b/block/blk-mq.c >>>>> index 0dc9e341c2a7..859df3160303 100644 >>>>> --- a/block/blk-mq.c >>>>> +++ b/block/blk-mq.c >>>>> @@ -363,7 +363,7 @@ static struct request = *blk_mq_get_request(struct >>>>> request_queue *q, >>>>>=20 >>>>> rq =3D blk_mq_rq_ctx_init(data, tag, op); >>>>> if (!op_is_flush(op)) { >>>>> - rq->elv.icq =3D NULL; >>>>> + memset(&rq->elv, 0, sizeof(rq->elv)); >>>>> if (e && e->type->ops.mq.prepare_request) { >>>>> if (e->type->icq_cache && rq_ioc(bio)) >>>>> blk_mq_sched_assign_ioc(rq, bio); >>>>> @@ -461,7 +461,7 @@ void blk_mq_free_request(struct request *rq) >>>>> e->type->ops.mq.finish_request(rq); >>>>> if (rq->elv.icq) { >>>>> put_io_context(rq->elv.icq->ioc); >>>>> - rq->elv.icq =3D NULL; >>>>> + memset(&rq->elv, 0, sizeof(rq->elv)); >>>>> } >>>>> } >>>>=20 >>>> This looks like a BFQ problem, this should not be necessary. Paolo, >>>> you're calling your own prepare request handler from the insert >>>> as well, and your prepare request does nothing if rq->elv.icq =3D=3D = NULL. >>>=20 >>> I sent the patch anyway, since it's kind of a robustness = improvement, >>> I'd hope. If you fix BFQ also, please add: >>=20 >> It's also a memset() in the hot path, would prefer to avoid that... >> The issue here is really the convoluted bfq usage of insert/prepare, >> I'm sure Paolo can take it from here. >=20 Hi, I'm very sorry for tuning in very late, but, at the same time, very glad to find the problem probably already solved ;) (in this respect, I = swear, my delay was not intentional) > Does this fix it? >=20 > diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c > index f0ecd98509d8..d883469a1582 100644 > --- a/block/bfq-iosched.c > +++ b/block/bfq-iosched.c > @@ -4934,8 +4934,11 @@ static void bfq_prepare_request(struct request = *rq, struct bio *bio) > bool new_queue =3D false; > bool bfqq_already_existing =3D false, split =3D false; >=20 > - if (!rq->elv.icq) > + if (!rq->elv.icq) { > + rq->elv.priv[0] =3D rq->elv.priv[1] =3D NULL; > return; > + } > + This does solve the problem at hand. But it also arouses a question, related to a possible subtle bug. For BFQ, !rq->elv.icq basically means "this request is not for me, as I am an icq-based scheduler". But, IIUC the main points in this thread, then this assumption is false. If it is actually false, then I hope that all requests with !rq->elv.icq that are sent to BFQ do verify the condition (at_head || blk_rq_is_passthrough(rq)). In fact, requests that do not verify that condition are those that BFQ must put in a bfq_queue. So, even if this patch makes the crash disappear, we drive BFQ completely crazy (and we may expect other strange failures) if we send BFQ a request with !((at_head || blk_rq_is_passthrough(rq)) and !rq->elv.icq. BFQ has to put that rq into a bfq_queue, but simply cannot. Jens, or any other, could you please shed a light on this, and explain how things are exactly? Thanks, Paolo > bic =3D icq_to_bic(rq->elv.icq); >=20 > spin_lock_irq(&bfqd->lock); >=20 > --=20 > Jens Axboe