Date: Mon, 21 Mar 2022 10:52:48 +0000
From: Lee Jones
To: Pavel Begunkov
Cc: Jens Axboe, syzbot, io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Greg Kroah-Hartman
Subject: Re: [syzbot] KASAN: stack-out-of-bounds Read in iov_iter_revert
References: <6f7d4c1d-f923-3ab1-c525-45316b973c72@gmail.com> <00000000000047f3b805c962affb@google.com> <0b4a5ff8-12e5-3cc7-8971-49e576444c9a@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 15 Dec 2021, Pavel Begunkov wrote:

> On 12/15/21 08:06, Lee Jones wrote:
> > On Tue, 09 Nov 2021, Lee Jones wrote:
> > 
> > > On Mon, 08 Nov 2021, Jens Axboe wrote:
> > > > On 11/8/21 8:29 AM, Pavel Begunkov wrote:
> > > > > On 11/3/21 17:01, Lee Jones wrote:
> > > > > > Good afternoon Pavel,
> > > > > > 
> > > > > > > syzbot has tested the proposed patch and the reproducer did not trigger any issue:
> > > > > > > 
> > > > > > > Reported-and-tested-by: syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com
> > > > > > > 
> > > > > > > Tested on:
> > > > > > > 
> > > > > > > commit:         bff2c168 io_uring: don't retry with truncated iter
> > > > > > > git tree:       https://github.com/isilence/linux.git truncate
> > > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=730106bfb5bf8ace
> > > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=9671693590ef5aad8953
> > > > > > > compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
> > > > > > > 
> > > > > > > Note: testing is done by a robot and is best-effort only.
> > > > > > 
> > > > > > As you can see in the 'dashboard link' above this bug also affects
> > > > > > android-5-10 which is currently based on v5.10.75.
> > > > > > 
> > > > > > I see that the back-port of this patch failed in v5.10.y:
> > > > > > 
> > > > > > https://lore.kernel.org/stable/163152589512611@kroah.com/
> > > > > > 
> > > > > > And after solving the build-error by back-porting both:
> > > > > > 
> > > > > > 2112ff5ce0c11 iov_iter: track truncated size
> > > > > > 89c2b3b749182 io_uring: reexpand under-reexpanded iters
> > > > > > 
> > > > > > I now see execution tripping the WARN() in iov_iter_revert():
> > > > > > 
> > > > > >     if (WARN_ON(unroll > MAX_RW_COUNT))
> > > > > >         return;
> > > > > > 
> > > > > > Am I missing any additional patches required to fix stable/v5.10.y?
> > > > > 
> > > > > Is it the same syz test? There were a couple more patches for
> > > > > IORING_SETUP_IOPOLL, but strange if that's not the case.
> > > > > 
> > > > > fwiw, Jens decided to replace it with another mechanism shortly
> > > > > after, so it may be a better idea to backport those. Jens,
> > > > > what do you think?
> > > > > 
> > > > > commit 8fb0f47a9d7acf620d0fd97831b69da9bc5e22ed
> > > > > Author: Jens Axboe
> > > > > Date:   Fri Sep 10 11:18:36 2021 -0600
> > > > > 
> > > > >     iov_iter: add helper to save iov_iter state
> > > > > 
> > > > > commit cd65869512ab5668a5d16f789bc4da1319c435c4
> > > > > Author: Jens Axboe
> > > > > Date:   Fri Sep 10 11:19:14 2021 -0600
> > > > > 
> > > > >     io_uring: use iov_iter state save/restore helpers
> > > > 
> > > > Yes, I think backporting based on the save/restore setup is the
> > > > sanest way by far.
> > > 
> > > Would you be kind enough to attempt to send these patches to Stable?
> > > 
> > > When I tried to back-port them, the second one gave me trouble. And
> > > without the in-depth knowledge of the driver/subsystem that you guys
> > > have, I found it almost impossible to resolve all of the conflicts:
> > 
> > Any movement on this, chaps?
> > 
> > Not sure I am able to do this back-port without your help.
> 
> Apologies, slipped from my attention, we'll backport it,
> and thanks for the reminder

Looks as though these are still missing from Stable.

Is this still your plan?

-- 
Lee Jones [李琼斯]
Principal Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog