From: Oleksandr Natalenko <oleksandr@natalenko.name>
To: Kees Cook <keescook@chromium.org>
Cc: Jens Axboe <axboe@kernel.dk>,
Bart Van Assche <bart.vanassche@wdc.com>,
Paolo Valente <paolo.valente@linaro.org>,
David Windsor <dave@nullcore.net>,
"James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
Christoph Hellwig <hch@lst.de>, Hannes Reinecke <hare@suse.com>,
Johannes Thumshirn <jthumshirn@suse.de>,
linux-block@vger.kernel.org, keescook@google.com
Subject: Re: usercopy whitelist woe in scsi_sense_cache
Date: Tue, 17 Apr 2018 11:19:57 +0200
Message-ID: <8faec18239a6104b250d9668bb1d3abc@natalenko.name>
In-Reply-To: <CAGXu5jLQuzpjFcfjpT=MvgOxBizFNMjnfmY+E7eCHkDAV5swHg@mail.gmail.com>
Hi.
17.04.2018 05:12, Kees Cook wrote:
>> Turning off HARDENED_USERCOPY and turning on KASAN, I see the same
>> report:
>>
>> [ 38.274106] BUG: KASAN: slab-out-of-bounds in
>> _copy_to_user+0x42/0x60
>> [ 38.274841] Read of size 22 at addr ffff8800122b8c4b by task
>> smartctl/1064
>> [ 38.275630]
>> [ 38.275818] CPU: 2 PID: 1064 Comm: smartctl Not tainted
>> 4.17.0-rc1-ARCH+ #266
>> [ 38.276631] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
>> BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [ 38.277690] Call Trace:
>> [ 38.277988] dump_stack+0x71/0xab
>> [ 38.278397] ? _copy_to_user+0x42/0x60
>> [ 38.278833] print_address_description+0x6a/0x270
>> [ 38.279368] ? _copy_to_user+0x42/0x60
>> [ 38.279800] kasan_report+0x243/0x360
>> [ 38.280221] _copy_to_user+0x42/0x60
>> [ 38.280635] sg_io+0x459/0x660
>> ...
>>
>> Though we get slightly more details (some we already knew):
>>
>> [ 38.301330] Allocated by task 329:
>> [ 38.301734] kmem_cache_alloc_node+0xca/0x220
>> [ 38.302239] scsi_mq_init_request+0x64/0x130 [scsi_mod]
>> [ 38.302821] blk_mq_alloc_rqs+0x2cf/0x370
>> [ 38.303265] blk_mq_sched_alloc_tags.isra.4+0x7d/0xb0
>> [ 38.303820] blk_mq_init_sched+0xf0/0x220
>> [ 38.304268] elevator_switch+0x17a/0x2c0
>> [ 38.304705] elv_iosched_store+0x173/0x220
>> [ 38.305171] queue_attr_store+0x72/0xb0
>> [ 38.305602] kernfs_fop_write+0x188/0x220
>> [ 38.306049] __vfs_write+0xb6/0x330
>> [ 38.306436] vfs_write+0xe9/0x240
>> [ 38.306804] ksys_write+0x98/0x110
>> [ 38.307181] do_syscall_64+0x6d/0x1d0
>> [ 38.307590] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [ 38.308142]
>> [ 38.308316] Freed by task 0:
>> [ 38.308652] (stack is not available)
>> [ 38.309060]
>> [ 38.309243] The buggy address belongs to the object at
>> ffff8800122b8c00
>> [ 38.309243] which belongs to the cache scsi_sense_cache of size 96
>> [ 38.310625] The buggy address is located 75 bytes inside of
>> [ 38.310625] 96-byte region [ffff8800122b8c00, ffff8800122b8c60)
>
> With a hardware watchpoint, I've isolated the corruption to here:
>
> bfq_dispatch_request+0x2be/0x1610:
> __bfq_dispatch_request at block/bfq-iosched.c:3902
> 3900 if (rq) {
> 3901 inc_in_driver_start_rq:
> 3902 bfqd->rq_in_driver++;
> 3903 start_rq:
> 3904 rq->rq_flags |= RQF_STARTED;
> 3905 }
>
> Through some race condition(?), rq_in_driver is also sense_buffer, and
> it can get incremented.
> …
> I still haven't figured this out, though... does anyone have a moment to look
> at this?
By any chance, have you tried to simplify the reproducer environment, or
does it still need my complex layout to trigger things even with KASAN?
Regards,
Oleksandr
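The KASAN report quoted above says the read of 22 bytes starts 75 bytes into a 96-byte scsi_sense_cache object, so it overruns the object by exactly one byte; that is the same condition a hardened-usercopy slab whitelist check is meant to reject before the copy happens. The following C program is an added illustration, not code from this thread or from the kernel: it models a slab cache with a (useroffset, usersize) whitelist, derives the offset from the report's addresses, and runs both the object-bounds check and the whitelist check over the report's numbers. It assumes that scsi_sense_cache whitelists its whole 96-byte sense buffer, and the second "partial_cache" is hypothetical, included only to show what the whitelist adds on top of plain object bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a slab cache carrying a usercopy whitelist. The
 * kernel keeps a per-cache (useroffset, usersize) pair for the same purpose,
 * but this struct and the checks below are this example's own
 * simplification, not mm/slub.c. */
struct cache_model {
    const char *name;
    size_t object_size;  /* bytes per object, 96 for scsi_sense_cache */
    size_t useroffset;   /* first byte that may be copied to/from user space */
    size_t usersize;     /* length of that whitelisted region */
};

enum usercopy_verdict {
    USERCOPY_OK = 0,
    USERCOPY_CROSSES_OBJECT,   /* copy runs past the end of the slab object */
    USERCOPY_NOT_WHITELISTED   /* copy stays in the object but leaves the whitelist */
};

/* Assumption: scsi_sense_cache whitelists its entire 96-byte sense buffer. */
const struct cache_model scsi_sense_model = { "scsi_sense_cache", 96, 0, 96 };

/* Hypothetical cache whose user-visible bytes are only a 32-byte window
 * starting at offset 8; constructed to show the whitelist check in action. */
const struct cache_model partial_model = { "partial_cache", 96, 8, 32 };

/* Byte offset of a faulting address inside the object containing it, the
 * number KASAN prints as "located N bytes inside of" the region. */
size_t offset_in_object(uint64_t object_base, uint64_t addr)
{
    return (size_t)(addr - object_base);
}

/* Decide whether copying n bytes starting at byte offset off of one object
 * may proceed. Checks are ordered so that no subtraction can underflow. */
enum usercopy_verdict check_heap_object(const struct cache_model *c,
                                        size_t off, size_t n)
{
    /* Object bounds first: [off, off + n) must fit inside the object. */
    if (off >= c->object_size || n > c->object_size - off)
        return USERCOPY_CROSSES_OBJECT;

    /* Then the whitelist: [off, off + n) must also sit inside
     * [useroffset, useroffset + usersize). */
    if (off < c->useroffset ||
        off - c->useroffset > c->usersize ||
        n > c->useroffset + c->usersize - off)
        return USERCOPY_NOT_WHITELISTED;

    return USERCOPY_OK;
}

static const char *verdict_name(enum usercopy_verdict v)
{
    switch (v) {
    case USERCOPY_OK:              return "ok";
    case USERCOPY_CROSSES_OBJECT:  return "crosses object end";
    case USERCOPY_NOT_WHITELISTED: return "outside usercopy whitelist";
    }
    return "?";
}

int main(void)
{
    /* Object base and faulting address taken from the quoted KASAN report. */
    size_t off = offset_in_object(0xffff8800122b8c00ULL, 0xffff8800122b8c4bULL);

    printf("report: offset %zu, read of 22 -> %s\n", off,
           verdict_name(check_heap_object(&scsi_sense_model, off, 22)));
    printf("one byte earlier (offset 74), read of 22 -> %s\n",
           verdict_name(check_heap_object(&scsi_sense_model, 74, 22)));
    printf("partial cache, offset 0, len 8 -> %s\n",
           verdict_name(check_heap_object(&partial_model, 0, 8)));
    printf("partial cache, offset 8, len 32 -> %s\n",
           verdict_name(check_heap_object(&partial_model, 8, 32)));
    return 0;
}
```

The order of the two checks matters: the bounds test guarantees `off + n` fits in the object, and the whitelist test guarantees `off` is no further than `usersize` past `useroffset`, so the final subtraction `useroffset + usersize - off` is always non-negative. A copy that passes both is one that hardened usercopy would let through; the report's copy fails the very first test, which is consistent with KASAN flagging it even with HARDENED_USERCOPY switched off.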