Date: Fri, 30 Dec 2016 05:37:12 -0800
From: Christoph Hellwig
To: Dave Jones, Christoph Hellwig, Kees Cook, Linux Kernel
Subject: Re: sg_io HARDENED_USERCOPY_PAGESPAN trace
Message-ID: <20161230133712.GA27511@infradead.org>
In-Reply-To: <20161229154351.6zrxuagi62pga6mt@codemonkey.org.uk>
References: <20161228214016.leperioiukslpho4@codemonkey.org.uk> <20161229075642.GA30837@infradead.org> <20161229154351.6zrxuagi62pga6mt@codemonkey.org.uk>
List-ID: linux-kernel@vger.kernel.org

On Thu, Dec 29, 2016 at 10:43:51AM -0500, Dave Jones wrote:
> On Wed, Dec 28, 2016 at 11:56:42PM -0800, Christoph Hellwig wrote:
> > On Wed, Dec 28, 2016 at 04:40:16PM -0500, Dave Jones wrote:
> > > sg_io+0x113/0x470
> >
> > Can you resolve that to a source line using a gdb?
>
> It's the copy_from_user in an inlined copy of blk_fill_sghdr_rq.

That must be this line right at the beginning of blk_fill_sghdr_rq:

	if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
		return -EFAULT;

We're copying the SCSI CDB from the userspace pointer inside the hdr we
copied earlier into the request.

req->cmd is set to req->__cmd which is a u8 array with 16 members in
struct request by default, but if hdr->cmd_len is bigger than BLK_MAX_CDB
(16) we do a separate allocation for it in the caller:

	if (hdr->cmd_len > BLK_MAX_CDB) {
		rq->cmd = kzalloc(hdr->cmd_len, GFP_KERNEL);
		if (!rq->cmd)
			goto out_put_request;
	}

so I'm not really sure what the problem here could be.
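Added illustration, not kernel code and not part of the thread: a user-space C model of the two destination buffers the message describes (the inline 16-byte array versus a separate allocation for longer CDBs), with a simplified page-span check of the kind HARDENED_USERCOPY_PAGESPAN performs on the destination. The struct and function names, the 252-byte upper bound and the 4096-byte page size are assumptions of the model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLK_MAX_CDB     16       /* inline CDB capacity, as in the message   */
#define MODEL_MAX_CDB   252      /* upper bound on cmd_len (model assumption) */
#define MODEL_PAGE_SIZE 4096UL   /* page size used by the check (assumption)  */

/* Model of the request fields the message discusses (not struct request). */
struct model_request {
	uint8_t *cmd;                 /* rq->cmd: points at __cmd or an allocation */
	uint8_t  __cmd[BLK_MAX_CDB];  /* rq->__cmd: the inline 16-byte array       */
	size_t   cmd_len;
};

/* The caller's decision: CDBs up to BLK_MAX_CDB use the inline array, longer
 * ones get a separate zeroed buffer (calloc stands in for kzalloc). 0 = ok. */
int model_setup_cmd(struct model_request *rq, size_t cmd_len)
{
	if (cmd_len == 0 || cmd_len > MODEL_MAX_CDB)
		return -1;
	memset(rq, 0, sizeof(*rq));
	rq->cmd = rq->__cmd;
	rq->cmd_len = cmd_len;
	if (cmd_len > BLK_MAX_CDB) {
		rq->cmd = calloc(1, cmd_len);
		if (!rq->cmd)
			return -1;
	}
	return 0;
}

/* Simplified page-span check: 1 if [dst, dst+len) crosses a page boundary. */
int model_spans_pages(const void *dst, size_t len)
{
	uintptr_t first = (uintptr_t)dst / MODEL_PAGE_SIZE;
	uintptr_t last  = ((uintptr_t)dst + len - 1) / MODEL_PAGE_SIZE;
	return len != 0 && first != last;
}

/* Guarded CDB copy: refuse len beyond the buffer or a page-spanning target. */
long model_fill_cmd(struct model_request *rq, const uint8_t *src, size_t len)
{
	size_t cap = (rq->cmd == rq->__cmd) ? BLK_MAX_CDB : rq->cmd_len;
	if (len > cap || model_spans_pages(rq->cmd, len))
		return -1;
	memcpy(rq->cmd, src, len);
	return (long)len;
}
```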