Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp580056pxk;
        Fri, 11 Sep 2020 15:02:22 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxBqsNBwGEluOnWf7eapECJhAI14FGmZnFJKUkC2UsP7AueNVoncons5BToCZAJv4VkbMdf
X-Received: by 2002:a17:906:4154:: with SMTP id l20mr4244606ejk.68.1599861742455;
        Fri, 11 Sep 2020 15:02:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1599861742; cv=none;
        d=google.com; s=arc-20160816;
        b=RvFQVa6FdDs7UT35tG6UWvgfAeUeeFx3EQnKmSV8N9tc1hFT4/6vHQf1N3uISEMQxr
         DSGD0OgvqvLSjD1YCzTgNwud4oDfvMrii2MP3NKAso+CaemUsDGlCLcp2SHHFfuP2PuE
         pkuN3qrT4B6np8hsg7aq1919PFycXAkPyIQAC8+Jd9a7yvEA+4HEik9jIiMa3f/xu+M9
         Cp7q4IPF05/obYQnsZjGSphCN2LP8EEdpvyfe2NzcvABkvZbddGaIWdCpgm4rWw9D9z7
         iszE4lVfnwqTmYi5h1ThbumxFCn/XxwVVRx4AR+yN6oq4wBrIAra3+wBmwJvozTPC+iV
         F8xQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:content-disposition
         :mime-version:message-id:subject:cc:to:from:date:dkim-signature;
        bh=jr65qAjWonZpJu277jcIQGXrj5NFYpjfdQGASbMcApw=;
        b=pSKagFnUtA/5O5b+NLXDKk45ncSY3ga3c4uZbUyJdGh8uaalfRegVIp3POhAS5X3me
         SH6dw9mxtS/ZXhxh4BG8EVlG75/N2goWqDZxx1zE3EkrZrnipKkp2jfgQL/nWIygpM18
         czA85R0XuYwFO8IhRQKTBGBVctWJkmDa9RRkLX5BFD8A0vQ22M2yfMjOY14lnBLLxOKD
         SFYc3JsScYRGzCOIMafQhQrR0kPjYZ8pAzZ5xljRK1GI9ZJZR/OYa1Yys4qTK6UDJYut
         Kysmx5T1R7sqQSp0X5r20FFZDAce5OFO6NUjww33vVAYTSr9Ugnt9xSZgecMG5E88V9C
         cZmA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lca.pw header.s=google header.b=PAx0hw+t;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id q24si384302edi.78.2020.09.11.15.01.59;
        Fri, 11 Sep 2020 15:02:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lca.pw header.s=google header.b=PAx0hw+t;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725876AbgIKV7P (ORCPT <rfc822;epontan@gmail.com> + 99 others);
        Fri, 11 Sep 2020 17:59:15 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38580 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725871AbgIKV7N (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 11 Sep 2020 17:59:13 -0400
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5E965C061757
        for <linux-kernel@vger.kernel.org>; Fri, 11 Sep 2020 14:59:12 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id p65so9134806qtd.2
        for <linux-kernel@vger.kernel.org>; Fri, 11 Sep 2020 14:59:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=lca.pw; s=google;
        h=date:from:to:cc:subject:message-id:mime-version:content-disposition
         :user-agent;
        bh=jr65qAjWonZpJu277jcIQGXrj5NFYpjfdQGASbMcApw=;
        b=PAx0hw+t/3ZbaZRgRxQmmfoZPvYgr6k/2qKOgxpqH4bRcPJY/OsTDUEcJaX9XFUITc
         JeT4Ba/PqCySsufq3RG7YDNQCSbbvDDo6xgTx3YV/Sb6aajkWBHTWurvTJAyifNNR6ZN
         XNoxCtzEv0bCfwsSJnsIcUoNtStX3MDBCrPRvQAtkYN4OIN82H7r6QT62GfVCJ31Lksg
         bbf+0jLWHSk0n1eZlz/Ag+bSz+3lUyNGTgUoS8c7d/NIqsJ0AAL+QlHvCF7dOk6p4Ufw
         NY0RBINgQ39tCILagkNBI2uilbB4GvQm67qVRW3SdqPHJjvp1Ca5WwyrgHn7k1DhWEh9
         l7Jw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
         :content-disposition:user-agent;
        bh=jr65qAjWonZpJu277jcIQGXrj5NFYpjfdQGASbMcApw=;
        b=inCG1PRP3z1ZbtA/3MZ2YIqIHC9gXb7p5+wCZOnc0rns1wBPhcI/D9RVykE36meh9N
         sSPNn0h7QW38vrXzDb+Ce0vdUtDheevdgQvWgtnVHNFIq4i0aXS0i/nqkmDUDJAGl4Io
         e2dSqF+DK7qOanOwAgfwi0QFcciGhXamOMdMDmZvFcIV0u4bdDKYwK+7gsT2SU1t1uYp
         gdT9gXk59iiSQaX1fNfRDzk50Rvwbq4V1e+U6QWC7f9EWvLxj1dpvlzycCUBFgmURClb
         M0ivbqYaWSdu+HpsuY7jBxEsVqYvSj83+IqAbwDLO6KzrQk364k0dRzHn2nhLQBu5LDO
         n4dQ==
X-Gm-Message-State: AOAM533O3DkhLBz+PwCkAUsYTjjM3BwMb5wa8kxyfCh3g+iYynd8iuNv
        /5yGcQg8/EHF+JuE3t4VwjgPsg==
X-Received: by 2002:aed:3e0e:: with SMTP id l14mr4123228qtf.150.1599861550657;
        Fri, 11 Sep 2020 14:59:10 -0700 (PDT)
Received: from lca.pw (pool-71-184-117-43.bstnma.fios.verizon.net. [71.184.117.43])
        by smtp.gmail.com with ESMTPSA id p129sm4183033qkc.43.2020.09.11.14.59.09
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 11 Sep 2020 14:59:10 -0700 (PDT)
Date:   Fri, 11 Sep 2020 17:59:04 -0400
From:   Qian Cai <cai@lca.pw>
To:     viro@zeniv.linux.org.uk
Cc:     torvalds@linux-foundation.org, vgoyal@redhat.com,
        miklos@szeredi.hu, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: slab-out-of-bounds in iov_iter_revert()
Message-ID: <20200911215903.GA16973@lca.pw>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Super easy to reproduce on today's mainline by just fuzzing for a few minutes
on virtiofs (if it ever matters). Any thoughts?

[  511.089112] BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0xd8/0x3c0
iov_iter_revert at lib/iov_iter.c:1135
(inlined by) iov_iter_revert at lib/iov_iter.c:1080
[  511.092650] Read of size 8 at addr ffff88869e11dff8 by task trinity-c1/11868
[  511.096178] 
[  511.096897] CPU: 20 PID: 11868 Comm: trinity-c1 Not tainted 5.9.0-rc4+ #1
[  511.100257] Hardware name: Red Hat KVM, BIOS 1.14.0-1.module+el8.3.0+7638+07cf13d2 04/01/2014
[  511.103999] Call Trace:
[  511.105002]  dump_stack+0x7c/0xb0
[  511.106329]  ? iov_iter_revert+0xd8/0x3c0
[  511.107915]  print_address_description.constprop.7+0x1e/0x230
[  511.110193]  ? kmsg_dump_rewind_nolock+0x59/0x59
[  511.112038]  ? _raw_write_lock_irqsave+0xe0/0xe0
[  511.113890]  ? iov_iter_revert+0xd8/0x3c0
[  511.115469]  ? iov_iter_revert+0xd8/0x3c0
[  511.117082]  kasan_report.cold.9+0x37/0x86
[  511.118711]  ? do_readv+0x20/0x1b0
[  511.120078]  ? iov_iter_revert+0xd8/0x3c0
[  511.122614]  iov_iter_revert+0xd8/0x3c0
[  511.124673]  generic_file_read_iter+0x139/0x220
[  511.127386]  fuse_file_read_iter+0x239/0x270 [fuse]
[  511.130229]  ? fuse_direct_IO+0x600/0x600 [fuse]
[  511.133491]  ? rwsem_optimistic_spin+0x3d0/0x3d0
[  511.137177]  ? wake_up_q+0x92/0xd0
[  511.139702]  ? kasan_unpoison_shadow+0x30/0x40
[  511.142518]  do_iter_readv_writev+0x307/0x350
[  511.144850]  ? no_seek_end_llseek_size+0x20/0x20
[  511.147155]  do_iter_read+0x13f/0x2e0
[  511.148696]  vfs_readv+0xcc/0x130
[  511.150118]  ? compat_rw_copy_check_uvector+0x1e0/0x1e0
[  511.152300]  ? enqueue_hrtimer+0x60/0x100
[  511.154043]  ? hrtimer_start_range_ns+0x32f/0x4c0
[  511.157561]  ? hrtimer_run_softirq+0x100/0x100
[  511.161514]  ? _raw_spin_lock_irq+0x7b/0xd0
[  511.164570]  ? _raw_write_unlock_irqrestore+0x20/0x20
[  511.167568]  ? hrtimer_active+0x71/0xa0
[  511.169331]  ? mutex_lock+0x8e/0xe0
[  511.171694]  ? __mutex_lock_slowpath+0x10/0x10
[  511.174580]  ? perf_call_bpf_enter.isra.21+0x110/0x110
[  511.177926]  ? __fget_light+0xa3/0x100
[  511.179916]  do_readv+0xc1/0x1b0
[  511.181331]  ? vfs_readv+0x130/0x130
[  511.182867]  ? ktime_get_coarse_real_ts64+0x4a/0x70
[  511.185455]  do_syscall_64+0x33/0x40
[  511.188008]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  511.191314] RIP: 0033:0x7f11e9b4578d
[  511.193639] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 08
[  511.202148] RSP: 002b:00007fff9b5eec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
[  511.205620] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007f11e9b4578d
[  511.210533] RDX: 0000000000000091 RSI: 0000000002c49450 RDI: 00000000000000e1
[  511.214992] RBP: 0000000000000013 R08: 000000008d8d8d8d R09: 00000000000002d2
[  511.218631] R10: 00000020845754a0 R11: 0000000000000246 R12: 0000000000000002
[  511.221595] R13: 00007f11ea227058 R14: 00007f11ea2356c0 R15: 00007f11ea227000
[  511.225949] 
[  511.227008] Allocated by task 11748:
[  511.229204]  kasan_save_stack+0x19/0x40
[  511.231404]  __kasan_kmalloc.constprop.8+0xc1/0xd0
[  511.234647]  perf_event_mmap+0x28f/0x5f0
[  511.237170]  mmap_region+0x1cc/0xa50
[  511.239192]  do_mmap+0x3e5/0x6a0
[  511.241337]  vm_mmap_pgoff+0x15f/0x1b0
[  511.243586]  ksys_mmap_pgoff+0x2d3/0x320
[  511.245903]  do_syscall_64+0x33/0x40
[  511.247914]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  511.250139] 
[  511.250797] Freed by task 11748:
[  511.252160]  kasan_save_stack+0x19/0x40
[  511.253775]  kasan_set_track+0x1c/0x30
[  511.255348]  kasan_set_free_info+0x1b/0x30
[  511.257072]  __kasan_slab_free+0x108/0x150
[  511.258785]  kfree+0x95/0x380
[  511.260050]  perf_event_mmap+0x4aa/0x5f0
[  511.261694]  mmap_region+0x1cc/0xa50
[  511.263198]  do_mmap+0x3e5/0x6a0
[  511.264564]  vm_mmap_pgoff+0x15f/0x1b0
[  511.266133]  ksys_mmap_pgoff+0x2d3/0x320
[  511.267773]  do_syscall_64+0x33/0x40
[  511.269276]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  511.272756] 
[  511.273583] The buggy address belongs to the object at ffff88869e11c000
[  511.273583]  which belongs to the cache kmalloc-4k of size 4096
[  511.281456] The buggy address is located 4088 bytes to the right of
[  511.281456]  4096-byte region [ffff88869e11c000, ffff88869e11d000)
[  511.288473] The buggy address belongs to the page:
[  511.291093] page:0000000073d20fbc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x69e118
[  511.296681] head:0000000073d20fbc order:3 compound_mapcount:0 compound_pincount:0
[  511.301118] flags: 0x17ffffc0010200(slab|head)
[  511.303426] raw: 0017ffffc0010200 0000000000000000 0000000300000001 ffff888107c4ef80
[  511.307482] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[  511.310957] page dumped because: kasan: bad access detected
[  511.313233] 
[  511.313867] Memory state around the buggy address:
[  511.315849]  ffff88869e11de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  511.318933]  ffff88869e11df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  511.322715] >ffff88869e11df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  511.325993]                                                                 ^
[  511.330020]  ffff88869e11e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  511.334333]  ffff88869e11e080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00