From: Oleksandr Natalenko <oleksandr@natalenko.name>
To: Kees Cook <keescook@chromium.org>
Cc: David Windsor <dave@nullcore.net>,
"James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>,
Hannes Reinecke <hare@suse.com>,
Johannes Thumshirn <jthumshirn@suse.de>,
linux-block@vger.kernel.org, paolo.valente@linaro.org,
keescook@google.com
Subject: Re: usercopy whitelist woe in scsi_sense_cache
Date: Tue, 10 Apr 2018 08:35:25 +0200 [thread overview]
Message-ID: <3d7b5a707e216e19eb3defe0586bfbc8@natalenko.name> (raw)
In-Reply-To: <CAGXu5jKRrdYjuyLSvc4k4mqttkM7zw-96poQ1GYqRRgPqZFOYQ@mail.gmail.com>
Hi.
09.04.2018 22:30, Kees Cook wrote:
>> echo 1 | tee /sys/block/sd*/queue/nr_requests
>
> I can't get this below "4".
Oops, yeah. It cannot be less than BLKDEV_MIN_RQ (which is 4), so it is
enforced explicitly in queue_requests_store(). It is the same for me.
>> echo 1 | tee /sys/block/sd*/device/queue_depth
>
> I've got this now too.
> Ah! dm-crypt too. I'll see if I can get that added easily to my tests.
> And XFS! You love your corner cases. ;)
Yeah, so far this wonderful configuration has allowed me to uncover a
bunch of bugs, and see, we are not done yet ;).
> Two other questions, since you can reproduce this easily:
> - does it reproduce _without_ hardened usercopy? (I would assume yes,
> but you'd just not get any warning until the hangs started.) If it
> does reproduce without hardened usercopy, then a new bisect run could
> narrow the search even more.
Looks like it cannot be disabled via kernel cmdline, so I have to
re-compile the kernel, right? I can certainly do that anyway.
> - does it reproduce with Linus's current tree?
Will try this too.
> What would imply missing locking, yes? Yikes. But I'd expect
> use-after-free or something, or bad data, not having the pointer slip
> forward?
I still think this has something to do with blk-mq re-queuing capability
and how BFQ implements it, because there are no signs of the issue popping
up with Kyber so far.
> Quick update: I added dm-crypt (with XFS on top) and it hung my system
> almost immediately. I got no warnings at all, though.
Did your system hang on smartctl hammering too? Have you got some stack
traces to compare with mine?
Regards,
Oleksandr
Thread overview: 46+ messages
2018-04-08 19:07 ` usercopy whitelist woe in scsi_sense_cache Oleksandr Natalenko
2018-04-09 9:35 ` Christoph Hellwig
2018-04-09 15:54 ` Oleksandr Natalenko
2018-04-09 18:32 ` Kees Cook
2018-04-09 19:02 ` Oleksandr Natalenko
2018-04-09 20:30 ` Kees Cook
2018-04-09 23:03 ` Kees Cook
2018-04-10 6:35 ` Oleksandr Natalenko [this message]
2018-04-10 6:53 ` Kees Cook
2018-04-10 17:16 ` Oleksandr Natalenko
2018-04-11 3:13 ` Kees Cook
2018-04-11 22:47 ` Kees Cook
2018-04-12 0:03 ` Kees Cook
2018-04-12 18:44 ` Kees Cook
2018-04-12 19:04 ` Oleksandr Natalenko
2018-04-12 22:01 ` Kees Cook
2018-04-12 22:47 ` Kees Cook
2018-04-13 3:02 ` Kees Cook
2018-04-16 20:44 ` Kees Cook
2018-04-17 3:12 ` Kees Cook
2018-04-17 9:19 ` Oleksandr Natalenko
2018-04-17 16:25 ` Kees Cook
2018-04-17 10:02 ` James Bottomley
2018-04-17 16:30 ` Kees Cook
2018-04-17 16:42 ` Kees Cook
2018-04-17 16:46 ` Jens Axboe
2018-04-17 20:03 ` Kees Cook
2018-04-17 20:20 ` Kees Cook
2018-04-17 20:25 ` Kees Cook
2018-04-17 20:28 ` Jens Axboe
2018-04-17 20:46 ` Kees Cook
2018-04-17 21:25 ` Kees Cook
2018-04-17 21:39 ` Jens Axboe
2018-04-17 21:47 ` Kees Cook
2018-04-17 21:48 ` Jens Axboe
2018-04-17 22:57 ` Jens Axboe
2018-04-17 23:06 ` Kees Cook
2018-04-17 23:12 ` Jens Axboe
2018-04-18 9:08 ` Paolo Valente
2018-04-18 14:30 ` Jens Axboe
2018-04-19 9:32 ` Paolo Valente
2018-04-20 20:23 ` Kees Cook
2018-04-20 20:41 ` Oleksandr Natalenko
2018-04-21 8:43 ` Paolo Valente
2018-04-17 21:55 ` Oleksandr Natalenko
2018-04-10 13:47 ` Oleksandr Natalenko