lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171107091323.20664e3f@pluto.restena.lu>
Date:   Tue, 7 Nov 2017 09:13:23 +0100
From:   Bruno Prémont <bonbons@...ophe.eu>
To:     Mikulas Patocka <mpatocka@...hat.com>
Cc:     Mike Snitzer <snitzer@...hat.com>,
        Milan Broz <gmazyland@...il.com>, dm-devel@...hat.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] dm-crypt, dm-integrity: allow unaligned bv_offset (was:
 [Regression, Bisected] dm-crypt IO failures with active slub_debug in 4.12
 and later)

On Mon, 6 Nov 2017 18:57:15 -0500 (EST) Mikulas Patocka wrote:
> On Mon, 6 Nov 2017, Bruno Prémont wrote:
> > On Mon, 6 Nov 2017 11:18:09 Mike Snitzer wrote:  
> > > On Thu, Nov 02 2017 at  4:39pm -0400, Bruno Prémont wrote:  
> > > > Hi,
> > > > 
> > > > Between 4.11 and 4.12 I stopped being able to boot my system with root
> > > > partition encrypted with dm-crypt (issue still present in 4.14-rc7).
> > > > The system was able to open the dm-crypt device and read-only mount the
> > > > XFS root partition on it.
> > > > Later read-write remounting though caused XFS to shutdown the filesystem
> > > > on IO error.
> > > > 
> > > > Some reports found online indicated a possible coincidence with stack
> > > > protection or the like as well as use of slub_debug, the latter causing
> > > > the IO errors to surface for me (I have slub_debug=ZP on my kernel
> > > > cmdline).
> > > > 
> > > > I finally got time to go and bisect in order to find the triggering
> > > > patch. Bisect log:
> > > > 
> > > > # good: [a351e9b9fc24e982ec2f0e76379a49826036da12] Linux 4.11
> > > > git bisect good a351e9b9fc24e982ec2f0e76379a49826036da12
> > > > # bad: [6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c] Linux 4.12
> > > > git bisect bad 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c
> > > > # bad: [2bd80401743568ced7d303b008ae5298ce77e695] Merge tag 'gpio-v4.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
> > > > git bisect bad 2bd80401743568ced7d303b008ae5298ce77e695
> > > > # good: [8d65b08debc7e62b2c6032d7fe7389d895b92cbc] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
> > > > git bisect good 8d65b08debc7e62b2c6032d7fe7389d895b92cbc
> > > > # good: [8b03d1ed2c43a2ba5ef3381322ee4515b97381bf] Merge branch 'linux-4.12' of git://github.com/skeggsb/linux into drm-next
> > > > git bisect good 8b03d1ed2c43a2ba5ef3381322ee4515b97381bf
> > > > # bad: [e897f267c51812bfecec45771a2d835c1a2bdacf] Merge tag 'backlight-next-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight
> > > > git bisect bad e897f267c51812bfecec45771a2d835c1a2bdacf
> > > > # good: [46f0537b1ecf672052007c97f102a7e6bf0791e4] Merge branch 'stable-4.12' of git://git.infradead.org/users/pcmoore/audit
> > > > git bisect good 46f0537b1ecf672052007c97f102a7e6bf0791e4
> > > > # good: [20d5c84bef067b7e804a163e2abca16c47125bad] Merge remote-tracking branches 'asoc/topic/wm8960', 'asoc/topic/wm8978' and 'asoc/topic/zte-tdm' into asoc-next
> > > > git bisect good 20d5c84bef067b7e804a163e2abca16c47125bad
> > > > # bad: [7b66f13207e60e7c550af730986e77e38a0c69a3] Merge tag 'for-4.12/dm-post-merge-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
> > > > git bisect bad 7b66f13207e60e7c550af730986e77e38a0c69a3
> > > > # good: [dd7a8f5dee81ffb1794df1103f07c63fd4f1d766] md/raid5: make chunk_aligned_read() split bios more cleanly.
> > > > git bisect good dd7a8f5dee81ffb1794df1103f07c63fd4f1d766
> > > > # bad: [6625d903253eb6f003849823e22d7b8de5bfb5b2] dm integrity: use hex2bin instead of open-coded variant
> > > > git bisect bad 6625d903253eb6f003849823e22d7b8de5bfb5b2
> > > > # bad: [449b668ce0b9069fcaafa6344c7f10fa2ba9632e] dm cache: set/clear the cache core's dirty_bitset when loading mappings
> > > > git bisect bad 449b668ce0b9069fcaafa6344c7f10fa2ba9632e
> > > > # good: [33d2f09fcb357fd1861c4959d1d3505492bf91f8] dm crypt: introduce new format of cipher with "capi:" prefix
> > > > git bisect good 33d2f09fcb357fd1861c4959d1d3505492bf91f8
> > > > # bad: [ff3af92b4461be773337111daea80bb91b2cd545] dm crypt: use shifts instead of sector_div
> > > > git bisect bad ff3af92b4461be773337111daea80bb91b2cd545
> > > > # bad: [1aa0efd4210df1c57764b77040a6615bc9b3ac0f] dm integrity: factor out create_journal() from dm_integrity_ctr()
> > > > git bisect bad 1aa0efd4210df1c57764b77040a6615bc9b3ac0f
> > > > # bad: [8f0009a225171cc1b76a6b443de5137b26e1374b] dm crypt: optionally support larger encryption sector size
> > > > git bisect bad 8f0009a225171cc1b76a6b443de5137b26e1374b
> > > > # first bad commit: [8f0009a225171cc1b76a6b443de5137b26e1374b] dm crypt: optionally support larger encryption sector size
> > > > 
> > > > In order to test on 4.12 I had to revert the following commits,
> > > > the first two having been applied on top of bad commit:
> > > >   583fe7474c05ee5523e14ef791ea59604cd846dc (dm crypt: fix large block integrity support)
> > > >   ff3af92b4461be773337111daea80bb91b2cd545 (dm crypt: use shifts instead of sector_div)
> > > >   8f0009a225171cc1b76a6b443de5137b26e1374b (dm crypt: optionally support larger encryption sector size)
> > > > 
> > > > From looking at 8f0009a225171cc1b76a6b443de5137b26e1374b I can't spot
> > > > direct cause though I assume there might be a mismatch in memory
> > > > allocation versus access sizes as a consequence of support for larger
> > > > encryption sector size (someplace 512 byte versus page size access
> > > > tripping on memory poison?).    
> > > 
> > > Thanks for bisecting this.
> > > 
> > > Can you apply the following debug patch to see if either of these newer
> > > -EIO returns (introduced by commit 8f0009a225) are causing you problems
> > > for some reason?
> > > 
> > > Thanks
> > > 
> > > diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
> > > index 05acc42..daefe37 100644
> > > --- a/drivers/md/dm-crypt.c
> > > +++ b/drivers/md/dm-crypt.c
> > > @@ -1056,7 +1056,7 @@ static int crypt_convert_block_aead(struct crypt_config *cc,
> > >  	BUG_ON(cc->integrity_iv_size && cc->integrity_iv_size != cc->iv_size);
> > >  
> > >  	/* Reject unexpected unaligned bio. */
> > > -	if (unlikely(bv_in.bv_offset & (cc->sector_size - 1)))
> > > +	if (WARN_ON_ONCE(unlikely(bv_in.bv_offset & (cc->sector_size - 1)))))
> > >  		return -EIO;
> > >  
> > >  	dmreq = dmreq_of_req(cc, req);
> > > @@ -1149,7 +1149,7 @@ static int crypt_convert_block_skcipher(struct crypt_config *cc,
> > >  	int r = 0;
> > >  
> > >  	/* Reject unexpected unaligned bio. */
> > > -	if (unlikely(bv_in.bv_offset & (cc->sector_size - 1)))
> > > +	if (WARN_ON_ONCE(unlikely(bv_in.bv_offset & (cc->sector_size - 1))))
> > >  		return -EIO;
> > >  
> > >  	dmreq = dmreq_of_req(cc, req);  
> > 
> > This second one triggers:
> > [  143.238220] ------------[ cut here ]------------
> > [  143.238228] WARNING: CPU: 1 PID: 379 at /usr/src/linux-git/drivers/md/dm-crypt.c:1158 crypt_convert+0xd53/0x1070
> > [  143.238229] Modules linked in:
> > [  143.238233] CPU: 1 PID: 379 Comm: kworker/u17:3 Not tainted 4.12.14+ #2
> > [  143.238234] Hardware name: FUJITSU LIFEBOOK U904/FJNB27D, BIOS Version 1.09 03/20/2014
> > [  143.238236] Workqueue: kcryptd kcryptd_crypt
> > [  143.238238] task: ffff982ccdf628c0 task.stack: ffffb3b5c0bb8000
> > [  143.238240] RIP: 0010:crypt_convert+0xd53/0x1070
> > [  143.238242] RSP: 0018:ffffb3b5c0bbbd28 EFLAGS: 00010202
> > [  143.238243] RAX: 00000000000001ff RBX: ffff982ccbebafe0 RCX: ffffd8d08a2fc880
> > [  143.238244] RDX: 0000000000000868 RSI: ffff982ccbebaf40 RDI: 0000000000000000
> > [  143.238245] RBP: ffffb3b5c0bbbdd8 R08: 0000000000000000 R09: 0000000000000018
> > [  143.238246] R10: ffffb3b5c0073e60 R11: ffffd8d08a2fc880 R12: 0000000000000000
> > [  143.238247] R13: ffff982ccbebaf40 R14: ffff982ccdf5f308 R15: ffff982cd00dd288
> > [  143.238248] FS:  0000000000000000(0000) GS:ffff982cde240000(0000) knlGS:0000000000000000
> > [  143.238249] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [  143.238251] CR2: 00007f45350793c4 CR3: 000000006b20a000 CR4: 00000000001406e0
> > [  143.238251] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [  143.238252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > [  143.238253] Call Trace:
> > [  143.238256]  kcryptd_crypt+0x32c/0x3a0
> > [  143.238261]  process_one_work+0x11c/0x340
> > [  143.238264]  worker_thread+0x43/0x3e0
> > [  143.238267]  kthread+0xfe/0x140
> > [  143.238269]  ? create_worker+0x1a0/0x1a0
> > [  143.238271]  ? kthread_create_on_node+0x40/0x40
> > [  143.238275]  ret_from_fork+0x22/0x30
> > [  143.238276] Code: ff ff 49 8b 7e 10 be 00 00 40 01 e8 a8 2b 9c ff 49 89 45 70 e9 42 f3 ff ff 48 8b 75 c0 48 8b 7d c8 e8 52 34 c1 ff e9 d2 fa ff ff <0f> ff e9 0f ff ff ff 41 3b 86 d8 00 00 00 0f 84 c2 f3 ff ff 0f
> > [  143.238306] ---[ end trace 81f0c82a360b9fb6 ]---
> > [  143.238369] XFS (dm-1): metadata I/O error: block 0x2 ("xfs_trans_read_buf_map") error 5 numblks 1
> > [  143.238373] XFS (dm-1): xfs_do_force_shutdown(0x1) called from line 315 of file /usr/src/linux-git/fs/xfs/xfs_trans_buf.c.  Return address = 0xffffffff9734a15c
> > [  143.238378] XFS (dm-1): I/O Error Detected. Shutting down filesystem
> > [  143.238378] XFS (dm-1): Please umount the filesystem and rectify the problem(s)
> > 
> > (your patch, compile-fixed, applied on 4.12.14 with offset=6)
> > 
> > Bruno  
> 
> Hi
> 
> I've made this patch for this bug. Try it.
> 
> Mikulas
> 
> 
> 
> From: Mikulas Patocka <mpatocka@...hat.com>
> Subject: [PATCH] dm-crypt, dm-integrity: allow unaligned bv_offset
> 
> When slub_debug is enabled, kmalloc returns unaligned memory. XFS uses
> this unaligned memory for its buffers (if an unaligned buffer crosses a
> page, XFS frees it and allocates a full page instead - see the function
> xfs_buf_allocate_memory).
> 
> dm-crypt and dm-integrity contain checks if bv_offset is aligned on page
> size and these checks fail with slub_debug and XFS.
> 
> This patch fixes the bug by removing the bv_offset checks. In dm-crypt, we 
> check if bv_len is aligned instead of bv_offset (this check should be 
> sufficient to prevent overruns if a bio with too small bv_len is 
> received). In dm-integrity, we remove the check for bv_offset and leave 
> only the check for bv_len.
> 
> Signed-off-by: Mikulas Patocka <mpatocka@...hat.com>
> Cc: stable@...r.kernel.org	# v4.12+
> Fixes: 8f0009a22517 ("dm crypt: optionally support larger encryption sector size")
> Fixes: 7eada909bfd7 ("dm: add integrity target")

Reported-by: Bruno Prémont <bonbons@...ophe.eu>
Tested-by: Bruno Prémont <bonbons@...ophe.eu>

Successfully tested on 4.12.14, 4.13.11 and 4.14-rc8+ (e4880bc5dfb1).


Thanks,
Bruno


> ---
>  drivers/md/dm-crypt.c     |    4 ++--
>  drivers/md/dm-integrity.c |    2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> Index: linux-2.6/drivers/md/dm-crypt.c
> ===================================================================
> --- linux-2.6.orig/drivers/md/dm-crypt.c
> +++ linux-2.6/drivers/md/dm-crypt.c
> @@ -1075,7 +1075,7 @@ static int crypt_convert_block_aead(stru
>  	BUG_ON(cc->integrity_iv_size && cc->integrity_iv_size != cc->iv_size);
>  
>  	/* Reject unexpected unaligned bio. */
> -	if (unlikely(bv_in.bv_offset & (cc->sector_size - 1)))
> +	if (unlikely(bv_in.bv_len & (cc->sector_size - 1)))
>  		return -EIO;
>  
>  	dmreq = dmreq_of_req(cc, req);
> @@ -1168,7 +1168,7 @@ static int crypt_convert_block_skcipher(
>  	int r = 0;
>  
>  	/* Reject unexpected unaligned bio. */
> -	if (unlikely(bv_in.bv_offset & (cc->sector_size - 1)))
> +	if (unlikely(bv_in.bv_len & (cc->sector_size - 1)))
>  		return -EIO;
>  
>  	dmreq = dmreq_of_req(cc, req);
> Index: linux-2.6/drivers/md/dm-integrity.c
> ===================================================================
> --- linux-2.6.orig/drivers/md/dm-integrity.c
> +++ linux-2.6/drivers/md/dm-integrity.c
> @@ -1376,7 +1376,7 @@ static int dm_integrity_map(struct dm_ta
>  		struct bvec_iter iter;
>  		struct bio_vec bv;
>  		bio_for_each_segment(bv, bio, iter) {
> -			if (unlikely((bv.bv_offset | bv.bv_len) & ((ic->sectors_per_block << SECTOR_SHIFT) - 1))) {
> +			if (unlikely(bv.bv_len & ((ic->sectors_per_block << SECTOR_SHIFT) - 1))) {
>  				DMERR("Bio vector (%u,%u) is not aligned on %u-sector boundary",
>  					bv.bv_offset, bv.bv_len, ic->sectors_per_block);
>  				return DM_MAPIO_KILL;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ