From: Pavel Begunkov
To: Jens Axboe, io-uring@vger.kernel.org, Alexander Viro, linux-fsdevel
Cc: Palash Oswal, Sudip Mukherjee, linux-kernel@vger.kernel.org, syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com, asml.silence@gmail.com
Subject: [PATCH v2 2/2] io_uring: don't retry with truncated iter
Date: Thu, 12 Aug 2021 21:40:47 +0100
Message-Id: <71d0711b4e28d01cd06e2c96db5adf0b766ac27f.1628780390.git.asml.silence@gmail.com>
X-Mailer: git-send-email 2.32.0
X-Mailing-List: linux-kernel@vger.kernel.org

[ 74.211232] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x809/0x900
[ 74.212778] Read of size 8 at addr ffff888025dc78b8 by task syz-executor.0/828
[ 74.214756] CPU: 0 PID: 828 Comm: syz-executor.0 Not tainted 5.14.0-rc3-next-20210730 #1
[ 74.216525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 74.219033] Call Trace:
[ 74.219683] dump_stack_lvl+0x8b/0xb3
[ 74.220706] print_address_description.constprop.0+0x1f/0x140
[ 74.224226] kasan_report.cold+0x7f/0x11b
[ 74.226085] iov_iter_revert+0x809/0x900
[ 74.227960] io_write+0x57d/0xe40
[ 74.232647] io_issue_sqe+0x4da/0x6a80
[ 74.242578] __io_queue_sqe+0x1ac/0xe60
[ 74.245358] io_submit_sqes+0x3f6e/0x76a0
[ 74.248207] __do_sys_io_uring_enter+0x90c/0x1a20
[ 74.257167] do_syscall_64+0x3b/0x90
[ 74.257984] entry_SYSCALL_64_after_hwframe+0x44/0xae

    old_size = iov_iter_count();
    ...
    iov_iter_revert(old_size - iov_iter_count());

If iov_iter_revert() is done based on the initial size as above, and the
iter is truncated and not reexpanded in the middle, it miscalculates
borders, causing problems. This trace is due to no one reexpanding after
generic_write_checks().

Avoid reverting truncated iterators, so io_uring would fail requests
with EAGAIN instead of retrying them.
Cc: stable@vger.kernel.org Reported-by: Palash Oswal Reported-by: Sudip Mukherjee Reported-and-tested-by: syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com Suggested-by: Jens Axboe Signed-off-by: Pavel Begunkov --- fs/io_uring.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index efd818419014..2e168051262d 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2462,6 +2462,16 @@ static void kiocb_end_write(struct io_kiocb *req) } } +static inline bool io_check_truncated(struct iov_iter *i, size_t len) +{ + if (unlikely(i->truncated)) { + if (iov_iter_count(i) != len) + return false; + i->truncated = false; + } + return true; +} + #ifdef CONFIG_BLOCK static bool io_resubmit_prep(struct io_kiocb *req) { @@ -2469,6 +2479,8 @@ static bool io_resubmit_prep(struct io_kiocb *req) if (!rw) return !io_req_prep_async(req); + if (!io_check_truncated(&rw->iter, req->result)) + return false; /* may have left rw->iter inconsistent on -EIOCBQUEUED */ iov_iter_revert(&rw->iter, req->result - iov_iter_count(&rw->iter)); return true; @@ -3328,6 +3340,8 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags) /* no retry on NONBLOCK nor RWF_NOWAIT */ if (req->flags & REQ_F_NOWAIT) goto done; + if (!io_check_truncated(iter, io_size)) + goto done; /* some cases will consume bytes even on error returns */ iov_iter_revert(iter, io_size - iov_iter_count(iter)); ret = 0; @@ -3467,6 +3481,8 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags) kiocb_done(kiocb, ret2, issue_flags); } else { copy_iov: + if (!io_check_truncated(iter, io_size)) + goto done; /* some cases will consume bytes even on error returns */ iov_iter_revert(iter, io_size - iov_iter_count(iter)); ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false); -- 2.32.0
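Review bot: io_check_truncated() in the first hunk (@@ -2462,6 +2462,16 @@) clears i->truncated as a side effect of a function whose name reads as a pure check, and nothing above it states the rule the three call sites rely on; a one-line comment such as `/* a truncated iter may only be reverted once re-expanded to exactly len; clear the flag then */` would make the `iov_iter_count(i) != len` comparison self-explanatory.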
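Review bot: in the io_resubmit_prep() hunk (@@ -2469,6 +2479,8 @@) the new `if (!io_check_truncated(&rw->iter, req->result)) return false;` lands between the `if (!rw)` test and the existing comment `/* may have left rw->iter inconsistent on -EIOCBQUEUED */`, so that comment now reads as if it explained the truncation check rather than the iov_iter_revert() below it; either move the two new lines above the comment or extend it to say that a truncated iter is not resubmitted and the request is failed instead.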
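Review bot: in the io_read() hunk (@@ -3328,6 +3340,8 @@) the new `goto done` on a truncated iter skips both the iov_iter_revert() and the `ret = 0;` reset that follow it, so the request completes with the error the read returned (the EAGAIN the commit message describes) rather than entering the retry path; that is intended, but nothing at the site says so, and a short comment like `/* can't revert a truncated iter, fail with the original error */` would stop a later reader from folding it back into the retry.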
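Review bot: the copy_iov: hunk in io_write() (@@ -3467,6 +3481,8 @@) repeats the io_read() sequence of io_check_truncated() followed by `iov_iter_revert(iter, io_size - iov_iter_count(iter));`, and here too `goto done` silently skips the io_setup_async_rw() call below it; folding the check-then-revert pair into one small helper (a hypothetical io_rw_revert_for_retry() returning false when the iter is truncated) would keep the two sites from drifting apart, and the skipped retry merits the same one-line comment as in io_read().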
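An added toy model, written for this page rather than taken from the patch or the kernel, of the revert arithmetic the commit message describes: a 100-byte request truncated to 60 and then advanced by 10, where old_size - iov_iter_count() yields 50 although only 10 bytes were consumed, and where the io_check_truncated() rule refuses the revert. The struct and function names are hypothetical and the real iov_iter (which walks an iovec array) is not reimplemented; only the count and the truncated flag are modelled.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy model of an iov_iter: real ones walk an iovec array, this keeps
 * only the byte count and the truncated flag the patch relies on. */
struct model_iter {
	size_t count;    /* bytes remaining, like iov_iter.count */
	bool truncated;  /* like iov_iter.truncated */
};

static void model_truncate(struct model_iter *i, size_t len)
{
	if (i->count > len) {	/* as iov_iter_truncate() does */
		i->count = len;
		i->truncated = true;
	}
}

/* Same rule as the patch's io_check_truncated(): refuse to revert a
 * truncated iter unless it was re-expanded to exactly its old length. */
static bool model_check_truncated(struct model_iter *i, size_t len)
{
	if (i->truncated) {
		if (i->count != len)
			return false;
		i->truncated = false;
	}
	return true;
}

/* Request of 100 bytes, truncated to trunc_to (as generic_write_checks()
 * might do), then 10 bytes consumed. Returns the revert length computed by
 * the quoted pattern old_size - iov_iter_count(): with trunc_to=60 that is
 * 50 although only 10 bytes were consumed, i.e. a walk back past the start. */
static size_t model_revert_len(size_t trunc_to)
{
	struct model_iter it = { .count = 100 };
	size_t old_size = it.count;

	model_truncate(&it, trunc_to);
	it.count -= 10;		/* 10 bytes consumed by the read/write */
	return old_size - it.count;
}

/* Same scenario behind the guard: true means the revert is refused, the path on which io_uring now fails the request with -EAGAIN. */
static bool model_guard_refuses(size_t trunc_to)
{
	struct model_iter it = { .count = 100 };

	model_truncate(&it, trunc_to);
	it.count -= 10;
	return !model_check_truncated(&it, 100);
}
```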