Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp2094969imm;
        Thu, 21 Jun 2018 07:10:24 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKKAL+8WHP1Ghc303be7T7ETwXC3VR/ILRpDf5llfnAWw+/+PeZEL5fJx8/Hk6cYUvM3cIBy
X-Received: by 2002:a65:5306:: with SMTP id m6-v6mr22545275pgq.250.1529590224117;
        Thu, 21 Jun 2018 07:10:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529590224; cv=none;
        d=google.com; s=arc-20160816;
        b=dE2+7KK9gF21QD880Dz8SxD8udxvsgZ0I394frJ7U05xnoZGa7Ih1OSH65Nvo91WkL
         wuCL6aN6gm68qUjxRSCoQWw0/BI0Po0l7J0qyd3p78rfBDWGdXjpdipbZfp7CKQKTUzU
         o6tXMxGII2XzGImM8iYbuhTuyqC9Y4aKsM2CI1lUz0AkNyDgGrAez0xKKGFuFM+cM2tQ
         4dQ56z7HBKr48LrqueOQqa7F4DmtFOtjy71iTzyZgJj3+rUDxtRr+4Q3k7KSfoCwmFlO
         M+1zSBm1vaRBHm+8qYpDMFqEK3374JtH4FScrYcHr9ORHRCvG2dR7FHqa+lxomwLbxCA
         oerw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature
         :arc-authentication-results;
        bh=NOzgmJAwMuEF9HezX9GzBZgjJCQiHmfEhnuiWJj8Wbc=;
        b=Q79mArOArBAxTckeTrctzfGICvSSjnxJM9tOnEVuUlKMSumgy0PMQ94TN+nQg4pUZN
         K+xcMSV+/j18Q+8P1481nzUomkPL5RxviamE6INc7sp4CAjz+pH4ANLydtjXciLL+2bI
         1IyPKDXa1CMsMTF1hhh3m/j+deJlkeFECQtLIVqfALSZns+mQMj11azdEwLxUgT/xDa4
         tCVYw5sMKToYWmnSgEsSZzM3bo/E75zp+heiZ7mudj9CfenvY8ujR8SalKX0kq0lcXHB
         9Hkz3cUagFa8CsoUFSS8H94z/IERDPOmJJxpobPcSXwB9gbeZvH4KiZ7qST5PMvLMLlJ
         FIiw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=R5ntSLCO;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v129-v6si635040pgb.320.2018.06.21.07.10.09;
        Thu, 21 Jun 2018 07:10:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=R5ntSLCO;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932931AbeFUOH2 (ORCPT <rfc822;huangleihappily@gmail.com>
        + 99 others); Thu, 21 Jun 2018 10:07:28 -0400
Received: from mail-it0-f68.google.com ([209.85.214.68]:36677 "EHLO
        mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932802AbeFUOH0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 21 Jun 2018 10:07:26 -0400
Received: by mail-it0-f68.google.com with SMTP id j135-v6so4950228itj.1
        for <linux-kernel@vger.kernel.org>; Thu, 21 Jun 2018 07:07:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=kernel-dk.20150623.gappssmtp.com; s=20150623;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=NOzgmJAwMuEF9HezX9GzBZgjJCQiHmfEhnuiWJj8Wbc=;
        b=R5ntSLCOTvOBnYK/zsrlv50MaqRKhnLeGsylBYBzyTRify0OHgyXAZo5WiW0OTW5WW
         FkVgGBMQsAEmY6rl67/6A16gdUvx1sryDZLKOpOfZSoDTIY3AsxTygxoMdkWusQ0Wsll
         8J0LKHB9pWGS9tjkMH5+7Gw21AaPy6dnQBDdlx5CoAeWKKNZvQ4u4qlu/eX8Fnj8o6yY
         H5JtA5ftp9dbNqtDllufEiTOfiX28EcU6eCFtOxYUdc3s5wxrUg/Gbqbr3HXdeiqnPHC
         ZwG9Rzw9alFjcF839TDi7Br++pMEE5h534plmfFYjOZxeW1DIU+Pq2dYDlk7ptYIFhcg
         mFKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=NOzgmJAwMuEF9HezX9GzBZgjJCQiHmfEhnuiWJj8Wbc=;
        b=J78dm6nMSxpU09ykeEW9Jt/l1cLdsTQquhZsrBFudC3NL6bNwZMvz63SpBf+Xjbdkh
         rvHXcbhRO8YWu6rob18QMYtAw24QezwNVEIenCCH/12AcagtPx+nvtxiT+0HZQoahHO7
         2+j2RSXzRqk21Go4etykQ6oaTgoPOpLoSHml/pfNovKoXwBYcP0RclO1GPiz7hrvPhBM
         odZIlUdGiExs6ZjM+GMhdeVBvrFQLy7pbUVyZMJ+1C7oIK55Z63uNwxfC5PDe97lTBfD
         rYnHYooCniBVd604DtemoFRkfjNLLHx9EMkN1exItxswsogMpQV+wMQQuQh4yx7WPMwl
         ZkKw==
X-Gm-Message-State: APt69E0J6Nyg4qy4ZLUQF4UWLQd2O0n8jkw6JHG5tiIHV85EcIkOTape
        OtoAVfVU94kt6V7OQjL5qDTkrg==
X-Received: by 2002:a02:98b4:: with SMTP id q49-v6mr21030655jaj.122.1529590046175;
        Thu, 21 Jun 2018 07:07:26 -0700 (PDT)
Received: from [192.168.1.167] ([216.160.245.98])
        by smtp.gmail.com with ESMTPSA id j12-v6sm2598579itb.26.2018.06.21.07.07.24
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 21 Jun 2018 07:07:24 -0700 (PDT)
Subject: Re: [PATCH] sg, bsg: mitigate read/write abuse, block uaccess in
 release
To:     Christoph Hellwig <hch@infradead.org>
Cc:     dgilbert@interlog.com, Al Viro <viro@ZenIV.linux.org.uk>,
        Jann Horn <jannh@google.com>,
        FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-block@vger.kernel.org, linux-scsi@vger.kernel.org,
        linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com,
        security@kernel.org
References: <20180615152335.208202-1-jannh@google.com>
 <20180615164009.GD30522@ZenIV.linux.org.uk>
 <90063ef3-68fa-e983-9b47-838e6076b0f4@interlog.com>
 <813e817b-bb2f-4a47-6225-9e39f19be278@kernel.dk>
 <20180621123431.GA558@infradead.org>
From:   Jens Axboe <axboe@kernel.dk>
Message-ID: <36a641db-fb1d-6c4c-7f1b-172f2b1cde32@kernel.dk>
Date:   Thu, 21 Jun 2018 08:07:23 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.0
MIME-Version: 1.0
In-Reply-To: <20180621123431.GA558@infradead.org>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 6/21/18 6:34 AM, Christoph Hellwig wrote:
> On Mon, Jun 18, 2018 at 09:37:01AM -0600, Jens Axboe wrote:
>> It was born with that mode, but I don't think anyone ever really used it.
>> So it might feasible to simply yank it. That said, just doing a prune
>> mode at ->release() time doesn't seem like such a hard task.
> 
> Let's try to kill it.  It is a significant amount of code, which does
> fishy things and is probably entirely unused:

I'd be fine with that, if we knew that nobody uses it. But that's
really hard to figure out. I did see Jann's source code scan, which
even if non-exhaustive, still shows at least one user of it.

How about we just make the write interface sync? Then any copy can
happen while the we block the task, and the read side is just
copying the header info back, or dumping it if the task didn't
read it before it went away.

That will still be functional, just not queueable. But that's not
a huge concern, it won't break any applications. And with pure
sync issue, most of the code goes away anyway and becomes similar
to the sync ioctl.

-- 
Jens Axboe