Received: by 10.192.165.156 with SMTP id m28csp1299731imm; Wed, 18 Apr 2018 07:32:42 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/dRtmplt5zKZ5+BkBCMtqSB8JcMOkhW9FlE1U1UpXCqzcCRid3rM6dm+ZRvulWRpFOM3So X-Received: by 10.99.135.198 with SMTP id i189mr1907922pge.2.1524061962145; Wed, 18 Apr 2018 07:32:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524061962; cv=none; d=google.com; s=arc-20160816; b=ifBJSAfjKEHofdfEW/RgH41FD94EhJKK1XbqYebJHuojlEaDAYj5yVLCFw4OqxLTpI BEAbtW9D9gokIhxtqhbvKT+Fi8IMnFiRHkntvtIq1Bx/DF1YHhmiIDT1N1R1+Hzzxm91 vhZHBpB/PSmMLvnSHQ1ryI2ouoNYjF+RjAD6o1+TYqFWFT15Nj/kNCDZUBeZj+oHU5Pj U+o7M2/JaS4dYBWvkw4wjGVrYg6Z6DhrnW0RPHdz7Rugu21yoYTRIJ7JhN0fpeNTonNk bRPb8dzLjuNMaVZByxXKSEYulj6FCFSkK+51TAao/DFoSNoLNOwgdnKUDfk8+ehPFFUn VaMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=kvZYOoaMMjq/V6sDMJEVIMOmb3JEXVpERjDnN+zXa4M=; b=votM478SWmWF77pUYMo8OVBNMf6bB9uA1Tuk8bjPdZm0E5sb4wyXDIOOANKO2KeFW3 jIOH1GWlad6ntiwMwFbI6VyUhb2zYMVr9efkw8DRIsyLwT0yGC6ClHKFEIdGJR45yu7j DzbUVzJVsOdEplrEAikbw47SO2f4rXkyyOZ0lUT6Ws+yZX0MjCHlR1fX2kSmIXUwWktC pDuC5B8LgTPD5Ljkw154+nKZ2ux+AHZfLmJ5C0SGKfLPQnXejqlFgSIAKWUKdRCXIeFt CX74Z4u0FJMZVY+nnD88PHAQtSJvN5r7RSLero9lpMjVf9BZ9eJiXMTsFRt4cQXok9Eq TZNQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=Ym/8A5q6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a6si1107987pgd.551.2018.04.18.07.32.28; Wed, 18 Apr 2018 07:32:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=Ym/8A5q6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754045AbeDROak (ORCPT + 99 others); Wed, 18 Apr 2018 10:30:40 -0400 Received: from mail-it0-f68.google.com ([209.85.214.68]:51427 "EHLO mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752707AbeDROai (ORCPT ); Wed, 18 Apr 2018 10:30:38 -0400 Received: by mail-it0-f68.google.com with SMTP id o20-v6so1259017itc.1 for ; Wed, 18 Apr 2018 07:30:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel-dk.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=kvZYOoaMMjq/V6sDMJEVIMOmb3JEXVpERjDnN+zXa4M=; b=Ym/8A5q6DtVgsF6lPC/+XVPFvR/GzXPF/axf1/iQLZ25EZzwCObDXbPC23AcP9N4TI MqgtZvklWsYmoTLt8xTsGED7FXvntEWnmBVtIYn+2d7t1dc+cKPiKCGEHI7NpfJAuIbH A+h3qDGDd44EzjrtgnK6KljdZ/H3y+GJbW+Z+LBGKRNgaGR52vONaIBtj41vi86xQxcx qRXg7y/Js+hwI8tro7Oh33kpPurlB398rw6AlvJraLR4muHGJISrscMotZIFLNARcTfT nXD7akeilS7tdywz2mW/KGjGg3fKXt5BpIB5ejXzwo9e79n3zAkWIq43Pi4S0O+5Cmuv eEJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=kvZYOoaMMjq/V6sDMJEVIMOmb3JEXVpERjDnN+zXa4M=; b=KjWgszQsv6kzG4iu0HE9AE5FdQ9DfLMM38wHOGbWxtokUpDIdBPHN4pzN4P59G75yg rDJdvMG1dCAhavAIO7lbJySwWFLwcxWE2qgBS+NGk44V6GdFc/WqWnJwqwO3Lbe+zAPv 2yWy3rwcbra5X/MYzhKCNNDmldgrLGtDJSlbTYV3LDv6GZfutrvAgXBuOrdinaF3mPL3 LD68kzj1SRBJ1l9p2PLsS6X0GUwKtAjhUPq04dQo1WTJ9p3wzoyvHzeFFTIBYq8AX14F +guYANT5G3LwlbSwofKXXEIFHvzyHJ25I0gTAYTlmH22gFZJRKL6MgS3Vk1M3jNlGgRR raUg== X-Gm-Message-State: ALQs6tDSjVTTqfMRIatSfCB7hu1Mc2oGiT8KGhiymFrMRCJjwRGMkP63 tNG1U6LJuU8PoQcXDcJ/nb+sQQ== X-Received: by 2002:a24:81c6:: with SMTP id q189-v6mr2585087itd.128.1524061838005; Wed, 18 Apr 2018 07:30:38 -0700 (PDT) Received: from [192.168.1.167] ([216.160.245.98]) by smtp.gmail.com with ESMTPSA id g6-v6sm624239ioc.76.2018.04.18.07.30.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Apr 2018 07:30:36 -0700 (PDT) Subject: Re: usercopy whitelist woe in scsi_sense_cache To: Paolo Valente Cc: Kees Cook , Oleksandr Natalenko , Bart Van Assche , David Windsor , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, LKML , Christoph Hellwig , Hannes Reinecke , Johannes Thumshirn , linux-block@vger.kernel.org References: <10360653.ov98egbaqx@natalenko.name> <8473f909-2123-0cfc-43b1-beba0b1aef9b@kernel.dk> <07f263ff-cea6-ac3c-944b-0f36fee8ba25@kernel.dk> <8b32e079-d4e6-3fea-a89d-ff856e4e13b1@kernel.dk> <0fbf2b13-8bae-c7c5-d930-ebaafdc72202@kernel.dk> <011EF7D1-B095-4B8D-AD2A-993048932C49@linaro.org> From: Jens Axboe Message-ID: Date: Wed, 18 Apr 2018 08:30:35 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0 MIME-Version: 1.0 In-Reply-To: <011EF7D1-B095-4B8D-AD2A-993048932C49@linaro.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/18/18 3:08 AM, Paolo Valente wrote: > > >> Il giorno 18 apr 2018, alle ore 00:57, Jens Axboe ha scritto: >> >> On 4/17/18 3:48 PM, Jens Axboe wrote: >>> On 4/17/18 3:47 PM, Kees Cook wrote: >>>> On Tue, Apr 17, 2018 at 2:39 PM, Jens Axboe wrote: >>>>> On 4/17/18 3:25 PM, Kees Cook wrote: >>>>>> On Tue, Apr 17, 2018 at 1:46 PM, Kees Cook wrote: >>>>>>> I see elv.priv[1] assignments made in a few places -- is it possible >>>>>>> there is some kind of uninitialized-but-not-NULL state that can leak >>>>>>> in there? >>>>>> >>>>>> Got it. This fixes it for me: >>>>>> >>>>>> diff --git a/block/blk-mq.c b/block/blk-mq.c >>>>>> index 0dc9e341c2a7..859df3160303 100644 >>>>>> --- a/block/blk-mq.c >>>>>> +++ b/block/blk-mq.c >>>>>> @@ -363,7 +363,7 @@ static struct request *blk_mq_get_request(struct >>>>>> request_queue *q, >>>>>> >>>>>> rq = blk_mq_rq_ctx_init(data, tag, op); >>>>>> if (!op_is_flush(op)) { >>>>>> - rq->elv.icq = NULL; >>>>>> + memset(&rq->elv, 0, sizeof(rq->elv)); >>>>>> if (e && e->type->ops.mq.prepare_request) { >>>>>> if (e->type->icq_cache && rq_ioc(bio)) >>>>>> blk_mq_sched_assign_ioc(rq, bio); >>>>>> @@ -461,7 +461,7 @@ void blk_mq_free_request(struct request *rq) >>>>>> e->type->ops.mq.finish_request(rq); >>>>>> if (rq->elv.icq) { >>>>>> put_io_context(rq->elv.icq->ioc); >>>>>> - rq->elv.icq = NULL; >>>>>> + memset(&rq->elv, 0, sizeof(rq->elv)); >>>>>> } >>>>>> } >>>>> >>>>> This looks like a BFQ problem, this should not be necessary. Paolo, >>>>> you're calling your own prepare request handler from the insert >>>>> as well, and your prepare request does nothing if rq->elv.icq == NULL. >>>> >>>> I sent the patch anyway, since it's kind of a robustness improvement, >>>> I'd hope. If you fix BFQ also, please add: >>> >>> It's also a memset() in the hot path, would prefer to avoid that... >>> The issue here is really the convoluted bfq usage of insert/prepare, >>> I'm sure Paolo can take it from here. >> > > Hi, > I'm very sorry for tuning in very late, but, at the same time, very > glad to find the problem probably already solved ;) (in this respect, I swear, > my delay was not intentional) > >> Does this fix it? >> >> diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c >> index f0ecd98509d8..d883469a1582 100644 >> --- a/block/bfq-iosched.c >> +++ b/block/bfq-iosched.c >> @@ -4934,8 +4934,11 @@ static void bfq_prepare_request(struct request *rq, struct bio *bio) >> bool new_queue = false; >> bool bfqq_already_existing = false, split = false; >> >> - if (!rq->elv.icq) >> + if (!rq->elv.icq) { >> + rq->elv.priv[0] = rq->elv.priv[1] = NULL; >> return; >> + } >> + > > This does solve the problem at hand. But it also arouses a question, > related to a possible subtle bug. > > For BFQ, !rq->elv.icq basically means "this request is not for me, as > I am an icq-based scheduler". But, IIUC the main points in this > thread, then this assumption is false. If it is actually false, then > I hope that all requests with !rq->elv.icq that are sent to BFQ do > verify the condition (at_head || blk_rq_is_passthrough(rq)). In fact, > requests that do not verify that condition are those that BFQ must put > in a bfq_queue. So, even if this patch makes the crash disappear, we > drive BFQ completely crazy (and we may expect other strange failures) > if we send BFQ a request with !((at_head || blk_rq_is_passthrough(rq)) > and !rq->elv.icq. BFQ has to put that rq into a bfq_queue, but simply > cannot. > > Jens, or any other, could you please shed a light on this, and explain > how things are exactly? Your assumption is correct, however you set ->priv[0] and ->priv[1] for requests, but only for ->elv.icq != NULL. So let's assume you get a request and assign those two, request completes. Later on, you get the same request, bypass insert it. BFQ doesn't clear the bic/bfqq pointers in the request, since ->elv.icq == NULL. It gets inserted into the dispatch list. Then when __bfq_dispatch_request() is called, you do: bfqq = RQ_BFQQ(rq); if (bfqq) bfqq->dispatched++; [...] which is wrong, since you don't know if you assigned a bfqq for this request. The memory that bfqq points to could be long gone, if that queue is freed. So you could either guard any bfqq/bic retrieval with ->elv.icq != NULL, or you could just clear the pointers for the case where the values aren't valid. -- Jens Axboe