Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
MIME-Version: 1.0
References: <000000000000f0b26205e04a183b@google.com> <3d3c6b5f-84cd-cb25-812e-dac77e02ddbf@kernel.dk>
 <e0867860-12c6-e958-07de-cfbcf644b9fe@icloud.com> <bcac089a-36e5-0d85-1ec3-b683dac68b4f@kernel.dk>
 <CACT4Y+aqriNp1F5CJofqaxNMM+-3cxNR2nY0tHEtb4YDqDuHtg@mail.gmail.com> <7c582099-0eef-6689-203a-606cb2f69391@kernel.dk>
In-Reply-To: <7c582099-0eef-6689-203a-606cb2f69391@kernel.dk>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Tue, 31 May 2022 11:14:04 +0200
Message-ID: <CACT4Y+bEKD7fREyiTst2oA7rjTz3u3LWLe23QmSBAQ=Piir3Ww@mail.gmail.com>
Subject: Re: [syzbot] UBSAN: array-index-out-of-bounds in io_submit_sqes
To:     Jens Axboe <axboe@kernel.dk>
Cc:     Hao Xu <haoxu.linux@icloud.com>,
        syzbot <syzbot+b6c9b65b6753d333d833@syzkaller.appspotmail.com>,
        asml.silence@gmail.com, io-uring@vger.kernel.org,
        linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Tue, 31 May 2022 at 11:07, Jens Axboe <axboe@kernel.dk> wrote:
>
> On 5/31/22 3:05 AM, Dmitry Vyukov wrote:
> > On Tue, 31 May 2022 at 11:01, Jens Axboe <axboe@kernel.dk> wrote:
> >>
> >> On 5/31/22 3:00 AM, Hao Xu wrote:
> >>> On 5/31/22 16:45, Jens Axboe wrote:
> >>>> On 5/31/22 1:55 AM, syzbot wrote:
> >>>>> Hello,
> >>>>>
> >>>>> syzbot found the following issue on:
> >>>>>
> >>>>> HEAD commit:    3b46e4e44180 Add linux-next specific files for 20220531
> >>>>> git tree:       linux-next
> >>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=16e151f5f00000
> >>>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=ccb8d66fc9489ef
> >>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=b6c9b65b6753d333d833
> >>>>> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >>>>>
> >>>>> Unfortunately, I don't have any reproducer for this issue yet.
> >>>>>
> >>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>>>> Reported-by: syzbot+b6c9b65b6753d333d833@syzkaller.appspotmail.com
> >>>>>
> >>>>> ================================================================================
> >>>>> ================================================================================
> >>>>> UBSAN: array-index-out-of-bounds in fs/io_uring.c:8860:19
> >>>>> index 75 is out of range for type 'io_op_def [47]'
> >>>>
> >>>> 'def' is just set here, it's not actually used after 'opcode' has been
> >>>> verified.
> >>>>
> >>>
> >>> Maybe we can move it to be below the opcode check to comfort UBSAN.
> >>
> >> Yeah that's what I did, just rebased it to get rid of it:
> >>
> >> https://git.kernel.dk/cgit/linux-block/commit/?h=io_uring-5.19&id=fcde59feb1affb6d56aecadc3868df4631480da5
> >
> > If you are rebasing it, please add the following tag so that the bug
> > is closed later:
> >
> > Tested-by: syzbot+b6c9b65b6753d333d833@syzkaller.appspotmail.com
>
> Sorry, missed that, would be a bit confusing?

Why confusing? It tested it, no?

> 5.20 branch is rebased
> on top of that too. Can we just do:
>
> #syz fix: io_uring: add io_op_defs 'def' pointer in req init and issue
>
> ?

In most cases it will work. However, there is no way to distinguish
unfixed and fixed versions of the patch based on the title.
So if the unfixed version manages to reach all syzbot builds, it will
close the bug at that point. And then can start reporting duplicates
since the bug is still present. But practically unlikely to happen.
The tag allows to distinguish unfixed and fixed versions of the patch,
so it will work reliably w/o possible duplicates.