Hello,
syzbot found the following issue on:
HEAD commit: 33e02dc69afb Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13ad18d0980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1526a8dc980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14f53ae4980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-33e02dc6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/573c88ac3233/vmlinux-33e02dc6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/760a52b9a00a/bzImage-33e02dc6.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 3 PID: 5196 Comm: syz-executor259 Not tainted 6.9.0-syzkaller-07370-g33e02dc69afb #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
RIP: 0010:iter_file_splice_write+0xa24/0x10b0 fs/splice.c:759
Code: 00 48 89 fa 48 c1 ea 03 80 3c 1a 00 0f 85 b1 04 00 00 4d 8b 65 10 49 c7 45 10 00 00 00 00 49 8d 7c 24 08 48 89 fa 48 c1 ea 03 <80> 3c 1a 00 0f 85 1a 05 00 00 49 8b 54 24 08 4c 89 ee 4c 89 ff 83
RSP: 0018:ffffc900031b7930 EFLAGS: 00010202
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff8209a1a8
RDX: 0000000000000001 RSI: ffffffff8209a06c RDI: 0000000000000008
RBP: 000000000000003d R08: 0000000000000006 R09: 0000000000000000
R10: 7fffffffffffefff R11: 0000000000000001 R12: 0000000000000000
R13: ffff888026d5a208 R14: 7fffffffffffefff R15: ffff88801e5c5800
FS: 00007f78cdfc16c0(0000) GS:ffff88806b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f78ce0454d0 CR3: 0000000019dc8000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_splice_from fs/splice.c:941 [inline]
direct_splice_actor+0x19b/0x6d0 fs/splice.c:1164
splice_direct_to_actor+0x346/0xa40 fs/splice.c:1108
do_splice_direct_actor fs/splice.c:1207 [inline]
do_splice_direct+0x17e/0x250 fs/splice.c:1233
do_sendfile+0xaa8/0xdb0 fs/read_write.c:1295
__do_sys_sendfile64 fs/read_write.c:1362 [inline]
__se_sys_sendfile64 fs/read_write.c:1348 [inline]
__x64_sys_sendfile64+0x1da/0x220 fs/read_write.c:1348
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f78ce009d09
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f78cdfc1168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f78ce091328 RCX: 00007f78ce009d09
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000004
RBP: 00007f78ce091320 R08: 00007f78cdfc16c0 R09: 0000000000000000
R10: 0000000100000000 R11: 0000000000000246 R12: 00007f78ce09132c
R13: 0000000000000006 R14: 00007ffe98369ff0 R15: 00007ffe9836a0d8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
RIP: 0010:iter_file_splice_write+0xa24/0x10b0 fs/splice.c:759
Code: 00 48 89 fa 48 c1 ea 03 80 3c 1a 00 0f 85 b1 04 00 00 4d 8b 65 10 49 c7 45 10 00 00 00 00 49 8d 7c 24 08 48 89 fa 48 c1 ea 03 <80> 3c 1a 00 0f 85 1a 05 00 00 49 8b 54 24 08 4c 89 ee 4c 89 ff 83
RSP: 0018:ffffc900031b7930 EFLAGS: 00010202
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff8209a1a8
RDX: 0000000000000001 RSI: ffffffff8209a06c RDI: 0000000000000008
RBP: 000000000000003d R08: 0000000000000006 R09: 0000000000000000
R10: 7fffffffffffefff R11: 0000000000000001 R12: 0000000000000000
R13: ffff888026d5a208 R14: 7fffffffffffefff R15: ffff88801e5c5800
FS: 00007f78cdfc16c0(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f78ce05d0d8 CR3: 0000000019dc8000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 48 89 add %cl,-0x77(%rax)
3: fa cli
4: 48 c1 ea 03 shr $0x3,%rdx
8: 80 3c 1a 00 cmpb $0x0,(%rdx,%rbx,1)
c: 0f 85 b1 04 00 00 jne 0x4c3
12: 4d 8b 65 10 mov 0x10(%r13),%r12
16: 49 c7 45 10 00 00 00 movq $0x0,0x10(%r13)
1d: 00
1e: 49 8d 7c 24 08 lea 0x8(%r12),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 1a 00 cmpb $0x0,(%rdx,%rbx,1) <-- trapping instruction
2e: 0f 85 1a 05 00 00 jne 0x54e
34: 49 8b 54 24 08 mov 0x8(%r12),%rdx
39: 4c 89 ee mov %r13,%rsi
3c: 4c 89 ff mov %r15,%rdi
3f: 83 .byte 0x83
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
please test null ptr in iter_file_splice_write
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 218e24b1ac40..1a3c31f3e63a 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -392,6 +392,7 @@ ssize_t copy_splice_read(struct file *in, loff_t *ppos,
.offset = 0,
.len = chunk,
};
+ printk("buf: %p, ops: %p, %s\n", buf, buf->ops, __func__);
pipe->head++;
remain -= chunk;
}
@@ -498,6 +499,7 @@ static inline bool eat_empty_buffer(struct pipe_inode_info *pipe)
unsigned int mask = pipe->ring_size - 1;
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+ printk("buf: %p, ops: %p, tail: %d %s\n", buf, buf->ops, tail, __func__);
if (unlikely(!buf->len)) {
pipe_buf_release(pipe, buf);
pipe->tail = tail+1;
@@ -755,8 +757,11 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
if (ret >= buf->len) {
ret -= buf->len;
- buf->len = 0;
- pipe_buf_release(pipe, buf);
+ printk("buf: %p, ops: %p, buf len: %d, tail: %d, ret: %d, tl: %llu, %s\n", buf, buf->ops, buf->len, tail, ret, sd.total_len, __func__);
+ if (buf->len) {
+ buf->len = 0;
+ pipe_buf_release(pipe, buf);
+ }
tail++;
pipe->tail = tail;
if (pipe->files)
@@ -1483,6 +1488,7 @@ static ssize_t iter_to_pipe(struct iov_iter *from,
put_page(pages[i]);
goto out;
}
+ printk("buf: %p, size: %lu, left: %lu, total: %lu, ret: %lu, %s\n", buf, buf.len, left, total, ret, __func__);
total += ret;
left -= size;
start = 0;
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=116d7244980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=127284e8980000
Note: testing is done by a robot and is best-effort only.
please test null ptr in iter_file_splice_write
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..4dd684184572 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,9 +751,9 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ while (ret > 0) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
- if (ret >= buf->len) {
+ if (ret >= (ssize_t)buf->len) {
ret -= buf->len;
buf->len = 0;
pipe_buf_release(pipe, buf);
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in iter_file_splice_write
netfs: Couldn't get user pages (rc=-14)
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 3 PID: 5391 Comm: syz-executor.0 Not tainted 6.9.0-syzkaller-07370-g33e02dc69afb-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
RIP: 0010:iter_file_splice_write+0xa28/0x10a0 fs/splice.c:759
Code: 00 00 48 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 41 05 00 00 4d 8b 6e 10 49 c7 46 10 00 00 00 00 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 16 05 00 00 49 8b 55 08 4c 89 f6 4c 89 ff 41 83
RSP: 0018:ffffc90003927930 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 7fffffffffffefff RCX: ffffffff8209a1ad
RDX: 0000000000000001 RSI: ffffffff8209a071 RDI: 0000000000000008
RBP: dffffc0000000000 R08: 0000000000000006 R09: 0000000000000000
R10: 7fffffffffffefff R11: 0000000000000001 R12: 000000000000009d
R13: 0000000000000000 R14: ffff8880350b5a08 R15: ffff888020f01800
FS: 00007f607512b6c0(0000) GS:ffff88806b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000026be4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_splice_from fs/splice.c:941 [inline]
direct_splice_actor+0x19b/0x6d0 fs/splice.c:1164
splice_direct_to_actor+0x346/0xa40 fs/splice.c:1108
do_splice_direct_actor fs/splice.c:1207 [inline]
do_splice_direct+0x17e/0x250 fs/splice.c:1233
do_sendfile+0xaa8/0xdb0 fs/read_write.c:1295
__do_sys_sendfile64 fs/read_write.c:1362 [inline]
__se_sys_sendfile64 fs/read_write.c:1348 [inline]
__x64_sys_sendfile64+0x1da/0x220 fs/read_write.c:1348
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f607447cee9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f607512b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f60745abf80 RCX: 00007f607447cee9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000004
RBP: 00007f60744c949e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000100000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f60745abf80 R15: 00007ffed559a608
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
RIP: 0010:iter_file_splice_write+0xa28/0x10a0 fs/splice.c:759
Code: 00 00 48 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 41 05 00 00 4d 8b 6e 10 49 c7 46 10 00 00 00 00 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 16 05 00 00 49 8b 55 08 4c 89 f6 4c 89 ff 41 83
RSP: 0018:ffffc90003927930 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 7fffffffffffefff RCX: ffffffff8209a1ad
RDX: 0000000000000001 RSI: ffffffff8209a071 RDI: 0000000000000008
RBP: dffffc0000000000 R08: 0000000000000006 R09: 0000000000000000
R10: 7fffffffffffefff R11: 0000000000000001 R12: 000000000000009d
R13: 0000000000000000 R14: ffff8880350b5a08 R15: ffff888020f01800
FS: 00007f607512b6c0(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f60745a8000 CR3: 0000000026be4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 48 89 fa mov %rdi,%rdx
5: 48 c1 ea 03 shr $0x3,%rdx
9: 80 3c 2a 00 cmpb $0x0,(%rdx,%rbp,1)
d: 0f 85 41 05 00 00 jne 0x554
13: 4d 8b 6e 10 mov 0x10(%r14),%r13
17: 49 c7 46 10 00 00 00 movq $0x0,0x10(%r14)
1e: 00
1f: 49 8d 7d 08 lea 0x8(%r13),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 2a 00 cmpb $0x0,(%rdx,%rbp,1) <-- trapping instruction
2e: 0f 85 16 05 00 00 jne 0x54a
34: 49 8b 55 08 mov 0x8(%r13),%rdx
38: 4c 89 f6 mov %r14,%rsi
3b: 4c 89 ff mov %r15,%rdi
3e: 41 rex.B
3f: 83 .byte 0x83
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=161cfadc980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=138c6830980000
please test null ptr in iter_file_splice_write
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..db66b8c5fe0d 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,21 +751,25 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ printk("ret: %ld, %s\n", ret, __func__);
+ while (ret > 0) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
- if (ret >= buf->len) {
- ret -= buf->len;
- buf->len = 0;
- pipe_buf_release(pipe, buf);
- tail++;
- pipe->tail = tail;
- if (pipe->files)
- sd.need_wakeup = true;
- } else {
- buf->offset += ret;
- buf->len -= ret;
+ if (buf->len > 0) {
+ if (ret >= (ssize_t)buf->len) {
+ ret -= buf->len;
+ buf->len = 0;
+ pipe_buf_release(pipe, buf);
+ tail++;
+ pipe->tail = tail;
+ if (pipe->files)
+ sd.need_wakeup = true;
+ } else {
+ buf->offset += ret;
+ buf->len -= ret;
+ ret = 0;
+ }
+ } else
ret = 0;
- }
}
}
done:
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15025ca4980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10592b58980000
Note: testing is done by a robot and is best-effort only.
please test null ptr in iter_file_splice_write
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..8ec408c40755 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -715,6 +715,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* build the vector */
left = sd.total_len;
+ printk("total len: %lu, %s\n", left, __func__);
for (n = 0; !pipe_empty(head, tail) && left && n < nbufs; tail++) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
size_t this_len = buf->len;
@@ -751,9 +752,16 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ printk("ret: %ld, nbufs: %d, %s\n", ret, nbufs, __func__);
+ n = 0;
+ while (ret > 0 && n < nbufs) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
- if (ret >= buf->len) {
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
+ printk("buf len: %lu, %s\n", buf->len, __func__);
+ if (ret >= (ssize_t)buf->len) {
ret -= buf->len;
buf->len = 0;
pipe_buf_release(pipe, buf);
@@ -766,6 +774,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
buf->len -= ret;
ret = 0;
}
+ n++;
}
}
done:
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15d1f33f180000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17a34a52980000
Note: testing is done by a robot and is best-effort only.
please test null ptr in iter_file_splice_write
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..cf5d417b5f66 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,9 +751,15 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ n = 0;
+ while (ret > 0 && n < nbufs) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
- if (ret >= buf->len) {
+ printk("ret: %ld, nbufs: %d, buf len: %lu, n: %d, %s\n", ret, nbufs, buf->len, n, __func__);
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
+ if (ret >= (ssize_t)buf->len) {
ret -= buf->len;
buf->len = 0;
pipe_buf_release(pipe, buf);
@@ -766,6 +772,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
buf->len -= ret;
ret = 0;
}
+ n++;
}
}
done:
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13612b3f180000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15794fe0980000
Note: testing is done by a robot and is best-effort only.
please test null ptr in iter_file_splice_write
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..a6b44c10b08c 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,16 +751,25 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ n = 0;
+ while (ret > 0 && n < nbufs) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
- if (ret >= buf->len) {
+ printk("ret: %d, nbufs: %d, buf len: %lu, n: %d, %s\n", ret, nbufs, buf->len, n, __func__);
+ n++;
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
+ if (ret >= (ssize_t)buf->len) {
ret -= buf->len;
+ printk("ret: %d, nbufs: %d, buf len: %lu, n: %d, %s\n", ret, nbufs, buf->len, n, __func__);
buf->len = 0;
pipe_buf_release(pipe, buf);
tail++;
pipe->tail = tail;
if (pipe->files)
sd.need_wakeup = true;
+ BUG_ON(1);
} else {
buf->offset += ret;
buf->len -= ret;
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
] Freeing unused kernel image (initmem) memory: 26000K
[ 21.902015][ T1] Write protecting the kernel read-only data: 204800k
[ 21.915990][ T1] Freeing unused kernel image (rodata/data gap) memory: 1740K
[ 22.001150][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 22.010555][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 22.014380][ T1] Run /sbin/init as init process
[ 22.270925][ T1] SELinux: Class mctp_socket not defined in policy.
[ 22.273265][ T1] SELinux: Class anon_inode not defined in policy.
[ 22.275479][ T1] SELinux: Class io_uring not defined in policy.
[ 22.277605][ T1] SELinux: Class user_namespace not defined in policy.
[ 22.279958][ T1] SELinux: the above unknown classes and permissions will be denied
[ 22.376641][ T1] SELinux: policy capability network_peer_controls=1
[ 22.379248][ T1] SELinux: policy capability open_perms=1
[ 22.381279][ T1] SELinux: policy capability extended_socket_class=1
[ 22.383632][ T1] SELinux: policy capability always_check_network=0
[ 22.386099][ T1] SELinux: policy capability cgroup_seclabel=1
[ 22.388512][ T1] SELinux: policy capability nnp_nosuid_transition=1
[ 22.391006][ T1] SELinux: policy capability genfs_seclabel_symlinks=0
[ 22.393353][ T1] SELinux: policy capability ioctl_skip_cloexec=0
[ 22.395753][ T1] SELinux: policy capability userspace_initial_context=0
[ 22.493592][ T39] audit: type=1403 audit(1716387584.398:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[ 22.539716][ T4655] mount (4655) used greatest stack depth: 23344 bytes left
[ 22.566408][ T4656] EXT4-fs (sda1): re-mounted 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 r/w. Quota mode: none.
mount: mounting smackfs on /sys/fs/smackfs failed: No such file or directory
[ 22.681935][ T4659] mount (4659) used greatest stack depth: 23128 bytes left
Starting syslogd: [ 22.942320][ T39] audit: type=1400 audit(1716387584.848:3): avc: denied { read write } for pid=4672 comm="syslogd" path="/dev/null" dev="devtmpfs" ino=5 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
OK
[ 22.970689][ T39] audit: type=1400 audit(1716387584.878:4): avc: denied { read } for pid=4672 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 22.979560][ T39] audit: type=1400 audit(1716387584.878:5): avc: denied { search } for pid=4672 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 22.987816][ T39] audit: type=1400 audit(1716387584.878:6): avc: denied { write } for pid=4672 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
Starting acpid: [ 22.996353][ T39] audit: type=1400 audit(1716387584.878:7): avc: denied { add_name } for pid=4672 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 23.005839][ T39] audit: type=1400 audit(1716387584.878:8): avc: denied { create } for pid=4672 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 23.013760][ T39] audit: type=1400 audit(1716387584.878:9): avc: denied { append open } for pid=4672 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 23.022478][ T39] audit: type=1400 audit(1716387584.878:10): avc: denied { getattr } for pid=4672 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 23.032435][ T39] audit: type=1400 audit(1716387584.938:11): avc: denied { use } for pid=4674 comm="acpid" path="/dev/console" dev="rootfs" ino=1039 scontext=system_u:system_r:acpid_t tcontext=system_u:system_r:kernel_t tclass=fd permissive=1
OK
Starting klogd: OK
Running sysctl: OK
Populating /dev using udev: [ 23.362610][ T4689] udevd[4689]: starting version 3.2.11
[ 23.521131][ T4690] udevd[4690]: starting eudev-3.2.11
[ 23.522449][ T4689] udevd (4689) used greatest stack depth: 21488 bytes left
done
Starting system message bus: [ 30.837568][ T39] kauditd_printk_skb: 13 callbacks suppressed
[ 30.837584][ T39] audit: type=1400 audit(1716387592.738:25): avc: denied { use } for pid=4894 comm="dbus-daemon" path="/dev/console" dev="rootfs" ino=1039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:kernel_t tclass=fd permissive=1
[ 30.851952][ T39] audit: type=1400 audit(1716387592.738:26): avc: denied { read write } for pid=4894 comm="dbus-daemon" path="/dev/console" dev="rootfs" ino=1039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:root_t tclass=chr_file permissive=1
[ 30.880042][ T39] audit: type=1400 audit(1716387592.788:27): avc: denied { search } for pid=4894 comm="dbus-daemon" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 30.893529][ T39] audit: type=1400 audit(1716387592.798:28): avc: denied { write } for pid=4894 comm="dbus-daemon" name="dbus" dev="tmpfs" ino=1471 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 30.902587][ T39] audit: type=1400 audit(1716387592.798:29): avc: denied { add_name } for pid=4894 comm="dbus-daemon" name="system_bus_socket" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 30.911419][ T39] audit: type=1400 audit(1716387592.798:30): avc: denied { create } for pid=4894 comm="dbus-daemon" name="system_bus_socket" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file permissive=1
done[ 30.920385][ T39] audit: type=1400 audit(1716387592.798:31): avc: denied { setattr } for pid=4894 comm="dbus-daemon" name="system_bus_socket" dev="tmpfs" ino=1472 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file permissive=1
[ 30.930297][ T39] audit: type=1400 audit(1716387592.808:32): avc: denied { create } for pid=4894 comm="dbus-daemon" name="messagebus.pid" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 30.939028][ T39] audit: type=1400 audit(1716387592.808:33): avc: denied { write open } for pid=4894 comm="dbus-daemon" path="/run/messagebus.pid" dev="tmpfs" ino=1473 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 30.948572][ T39] audit: type=1400 audit(1716387592.808:34): avc: denied { getattr } for pid=4894 comm="dbus-daemon" path="/run/messagebus.pid" dev="tmpfs" ino=1473 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
Starting iptables: OK
Starting network: OK
Starting dhcpcd...
dhcpcd-9.4.1 starting
dev: loaded udev
[ 31.870098][ T4918] ret: 114, nbufs: 16, buf len: 114, n: 0, iter_file_splice_write
[ 31.872828][ T4918] ret: 0, nbufs: 16, buf len: 114, n: 1, iter_file_splice_write
[ 31.875479][ T4918] ------------[ cut here ]------------
[ 31.877625][ T4918] kernel BUG at fs/splice.c:772!
[ 31.879642][ T4918] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 31.882144][ T4918] CPU: 2 PID: 4918 Comm: cat Not tainted 6.9.0-syzkaller-07370-g33e02dc69afb-dirty #0
[ 31.886067][ T4918] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 31.890166][ T4918] RIP: 0010:iter_file_splice_write+0x1039/0x1180
[ 31.892847][ T4918] Code: c1 ea 03 83 c3 01 0f b6 14 02 48 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 8b 00 00 00 48 8b 04 24 89 98 34 01 00 00 90 <0f> 0b 48 89 cf e8 8d 0e e0 ff e9 38 f3 ff ff e8 83 0e e0 ff e9 ea
[ 31.900759][ T4918] RSP: 0018:ffffc900039af930 EFLAGS: 00010246
[ 31.903148][ T4918] RAX: ffff8880254fec00 RBX: 0000000000000001 RCX: ffff8880254fed34
[ 31.906429][ T4918] RDX: 0000000000000000 RSI: ffffffff82098b90 RDI: ffff88802ea30818
[ 31.909550][ T4918] RBP: 0000000000000072 R08: 0000000000000001 R09: 0000000000000000
[ 31.912529][ T4918] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802ea30800
[ 31.915665][ T4918] R13: 0000000000000072 R14: 0000000000000072 R15: ffff88802ea3080c
[ 31.918807][ T4918] FS: 00007f39afea8500(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
[ 31.921822][ T4918] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.924602][ T4918] CR2: 00007f39b016e5c4 CR3: 000000002b4a6000 CR4: 0000000000350ef0
[ 31.927480][ T4918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 31.930220][ T4918] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 31.933091][ T4918] Call Trace:
[ 31.934542][ T4918] <TASK>
[ 31.935639][ T4918] ? show_regs+0x8c/0xa0
[ 31.937245][ T4918] ? die+0x36/0xa0
[ 31.938912][ T4918] ? do_trap+0x232/0x430
[ 31.940376][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.942133][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.944212][ T4918] ? do_error_trap+0xf4/0x230
[ 31.946283][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.948819][ T4918] ? handle_invalid_op+0x34/0x40
[ 31.950675][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.952589][ T4918] ? exc_invalid_op+0x2e/0x50
[ 31.954493][ T4918] ? asm_exc_invalid_op+0x1a/0x20
[ 31.956421][ T4918] ? page_cache_pipe_buf_release+0x110/0x2f0
[ 31.958569][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.960765][ T4918] ? __pfx_iter_file_splice_write+0x10/0x10
[ 31.963016][ T4918] ? __pfx_lock_acquire+0x10/0x10
[ 31.964920][ T4918] ? __pfx_iter_file_splice_write+0x10/0x10
[ 31.967141][ T4918] direct_splice_actor+0x19b/0x6d0
[ 31.969069][ T4918] splice_direct_to_actor+0x346/0xa40
[ 31.971093][ T4918] ? __pfx_direct_splice_actor+0x10/0x10
[ 31.973209][ T4918] ? __pfx_splice_direct_to_actor+0x10/0x10
[ 31.975456][ T4918] ? __fsnotify_parent+0x27d/0x9d0
[ 31.977400][ T4918] ? __pfx___might_resched+0x10/0x10
[ 31.979416][ T4918] do_splice_direct+0x17e/0x250
[ 31.981880][ T4918] ? __pfx_do_splice_direct+0x10/0x10
[ 31.983926][ T4918] ? avc_policy_seqno+0x9/0x20
[ 31.985751][ T4918] ? __pfx_direct_file_splice_eof+0x10/0x10
[ 31.987982][ T4918] do_sendfile+0xaa8/0xdb0
[ 31.989672][ T4918] ? __pfx_do_sendfile+0x10/0x10
[ 31.991574][ T4918] ? do_user_addr_fault+0x6d7/0x1010
[ 31.993526][ T4918] __x64_sys_sendfile64+0x1da/0x220
[ 31.995516][ T4918] ? __pfx___x64_sys_sendfile64+0x10/0x10
[ 31.997677][ T4918] do_syscall_64+0xcf/0x260
[ 31.999401][ T4918] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 32.001652][ T4918] RIP: 0033:0x7f39affffefa
[ 32.003356][ T4918] Code: ff 76 13 83 f8 a1 74 03 f7 d8 c3 4c 89 d2 4c 89 c6 e9 49 fe ff ff 31 c0 c3 0f 1f 80 00 00 00 00 49 89 ca b8 28 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d fe 6e 0d 00 f7 d8 64 89 01 48
[ 32.010454][ T4918] RSP: 002b:00007fffa16e8068 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 32.013594][ T4918] RAX: ffffffffffffffda RBX: 0000000001000000 RCX: 00007f39affffefa
[ 32.016570][ T4918] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000001
[ 32.019528][ T4918] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 32.022555][ T4918] R10: 0000000001000000 R11: 0000000000000246 R12: 0000000000000003
[ 32.025553][ T4918] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 32.028586][ T4918] </TASK>
[ 32.029791][ T4918] Modules linked in:
[ 32.031452][ T4918] ---[ end trace 0000000000000000 ]---
[ 32.033862][ T4918] RIP: 0010:iter_file_splice_write+0x1039/0x1180
[ 32.036610][ T4918] Code: c1 ea 03 83 c3 01 0f b6 14 02 48 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 8b 00 00 00 48 8b 04 24 89 98 34 01 00 00 90 <0f> 0b 48 89 cf e8 8d 0e e0 ff e9 38 f3 ff ff e8 83 0e e0 ff e9 ea
[ 32.045466][ T4918] RSP: 0018:ffffc900039af930 EFLAGS: 00010246
[ 32.048320][ T4918] RAX: ffff8880254fec00 RBX: 0000000000000001 RCX: ffff8880254fed34
[ 32.050899][ T4918] RDX: 0000000000000000 RSI: ffffffff82098b90 RDI: ffff88802ea30818
[ 32.054095][ T4918] RBP: 0000000000000072 R08: 0000000000000001 R09: 0000000000000000
[ 32.057263][ T4918] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802ea30800
[ 32.060607][ T4918] R13: 0000000000000072 R14: 0000000000000072 R15: ffff88802ea3080c
[ 32.063406][ T4918] FS: 00007f39afea8500(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
[ 32.066421][ T4918] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 32.068828][ T4918] CR2: 00007f39b016e5c4 CR3: 000000002b4a6000 CR4: 0000000000350ef0
[ 32.071717][ T4918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 32.074503][ T4918] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 32.077572][ T4918] Kernel panic - not syncing: Fatal exception
[ 32.080225][ T4918] Kernel Offset: disabled
[ 32.081708][ T4918] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4079149403=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at ef5d53ed7
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=ef5d53ed7e3c7d30481a88301f680e37a5cc4775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240515-155216'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=ef5d53ed7e3c7d30481a88301f680e37a5cc4775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240515-155216'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -std=c++11 -I. -Iexecutor/_include -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"ef5d53ed7e3c7d30481a88301f680e37a5cc4775\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=164efe44980000
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=179a8cec980000
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: [email protected]
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..a7d59b2f1804 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,8 +751,18 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ while (ret > 0) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+ printk("ret: %d, nbufs: %d, buf len: %u, m: %u, t: %u,ring size: %u, %s\n", ret, nbufs, buf->len, mask, tail, pipe->ring_size, __func__);
+ if (pipe->ring_size <= mask) {
+ ret = -EPIPE;
+ printk("oooh, %s\n", __func__);
+ break;
+ }
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
if (ret >= buf->len) {
ret -= buf->len;
buf->len = 0;
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12096df0980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f9903c980000
Note: testing is done by a robot and is best-effort only.
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: [email protected]
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..35a99fdabe9c 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,8 +751,18 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ while (ret > 0) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+ printk("ret: %d, nbufs: %d, buf len: %u, m: %u, t: %u,ring size: %u, bufs len: %d, %s\n", ret, nbufs, buf->len, mask, tail, pipe->ring_size, ARRAY_SIZE(pipe->bufs), __func__);
+ if (ARRAY_SIZE(pipe->bufs) <= mask) {
+ ret = -EPIPE;
+ printk("oooh, %s\n", __func__);
+ break;
+ }
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
if (ret >= buf->len) {
ret -= buf->len;
buf->len = 0;
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
/include/linux/build_bug.h:16:51: error: negative width in bit-field '<anonymous>'
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16f52fa2980000
please test null ptr in iter_file_splice_write
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..a38709405e54 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,8 +751,16 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ n = 0;
+ while (ret > 0 && n < nbufs) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+ printk("ret: %ld, nbufs: %d, buf len: %u, m: %u, t: %u,ring size: %u, t&m: %u, %s\n",
+ ret, nbufs, buf->len, mask, tail, pipe->ring_size, tail & mask, __func__);
+ n++;
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
if (ret >= buf->len) {
ret -= buf->len;
buf->len = 0;
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17d87942980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=133e9f7c980000
Note: testing is done by a robot and is best-effort only.
please test null ptr in iter_file_splice_write
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..2881e9a7e491 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,10 +751,19 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ n = 0;
+ while (ret > 0 && n < nbufs) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+ n++;
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
if (ret >= buf->len) {
+ printk("ret: %ld, nbufs: %d, buf:%p, buf len: %u, m: %u, t: %u,ring size: %u, t&m: %u, n:%d, %s\n",
+ ret, nbufs, buf, buf->len, mask, tail, pipe->ring_size, tail & mask, n, __func__);
ret -= buf->len;
+ printk("ret: %ld, %s\n", ret, __func__);
buf->len = 0;
pipe_buf_release(pipe, buf);
tail++;
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17ccd634980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13fec2b2980000
Note: testing is done by a robot and is best-effort only.
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: [email protected]
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..2df64a29c568 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -745,16 +745,30 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
if (ret <= 0)
break;
+ printk("ret: %ld, total len: %lu, %s\n", ret, sd.total_len, __func__);
+ if (ret > sd.total_len) {
+ ret = -EINVAL;
+ goto done;
+ }
sd.num_spliced += ret;
sd.total_len -= ret;
*ppos = sd.pos;
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ n = 0;
+ while (ret > 0 && n < nbufs) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+ n++;
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
if (ret >= buf->len) {
+ printk("ret: %ld, nbufs: %d, buf:%p, buf len: %u, m: %u, t: %u,ring size: %u, t&m: %u, n:%d, %s\n",
+ ret, nbufs, buf, buf->len, mask, tail, pipe->ring_size, tail & mask, n, __func__);
ret -= buf->len;
+ printk("ret: %ld, %s\n", ret, __func__);
buf->len = 0;
pipe_buf_release(pipe, buf);
tail++;
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=135ad634980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=117d5142980000
Note: testing is done by a robot and is best-effort only.
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: [email protected]
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..c6d812684d4e 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -745,16 +745,30 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
if (ret <= 0)
break;
+ printk("ret: %ld, total len: %lu, %s\n", ret, sd.total_len, __func__);
+ if (ret > sd.total_len) {
+ ret = -EINVAL;
+ goto done;
+ }
sd.num_spliced += ret;
sd.total_len -= ret;
*ppos = sd.pos;
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ n = 0;
+ while (ret > 0 && n < nbufs) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+ printk("ret: %ld, nbufs: %d, buf:%p, buf len: %u, m: %u, t: %u,ring size: %u, t&m: %u, n:%d, %s\n",
+ ret, nbufs, buf, buf->len, mask, tail, pipe->ring_size, tail & mask, n, __func__);
+ n++;
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
if (ret >= buf->len) {
ret -= buf->len;
+ printk("ret: %ld, %s\n", ret, __func__);
buf->len = 0;
pipe_buf_release(pipe, buf);
tail++;
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 1121601536d1..f7c32835b094 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -510,6 +510,7 @@ ssize_t netfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
netfs_end_io_write(inode);
if (ret > 0)
ret = generic_write_sync(iocb, ret);
+ printk("ret: %ld, %s\n", ret, __func__);
return ret;
}
EXPORT_SYMBOL(netfs_file_write_iter);
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 608ba6416919..8157b4e6d7b3 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -190,6 +190,7 @@ ssize_t netfs_unbuffered_write_iter(struct kiocb *iocb, struct iov_iter *from)
FSCACHE_INVAL_DIO_WRITE);
ret = netfs_unbuffered_write_iter_locked(iocb, from, NULL);
out:
+ printk("ret: %ld, %s\n", ret, __func__);
netfs_end_io_direct(inode);
return ret;
}
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17bad634980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17736ab2980000
Note: testing is done by a robot and is best-effort only.
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: [email protected]
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..abf45d6184a5 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -745,14 +745,25 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
if (ret <= 0)
break;
+ printk("ret: %zd, total len: %zu, %s\n", ret, sd.total_len, __func__);
+ if (ret > sd.total_len) {
+ ret = -EINVAL;
+ goto done;
+ }
sd.num_spliced += ret;
sd.total_len -= ret;
*ppos = sd.pos;
/* dismiss the fully eaten buffers, adjust the partial one */
tail = pipe->tail;
- while (ret) {
+ n = 0;
+ while (ret > 0 && n < nbufs) {
struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+ n++;
+ if (!buf->len) {
+ tail++;
+ continue;
+ }
if (ret >= buf->len) {
ret -= buf->len;
buf->len = 0;
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 1121601536d1..f7c32835b094 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -510,6 +510,7 @@ ssize_t netfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
netfs_end_io_write(inode);
if (ret > 0)
ret = generic_write_sync(iocb, ret);
+ printk("ret: %ld, %s\n", ret, __func__);
return ret;
}
EXPORT_SYMBOL(netfs_file_write_iter);
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 608ba6416919..ecd57c4d0ecb 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -69,6 +69,7 @@ static ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov
*/
if (async || user_backed_iter(iter)) {
n = netfs_extract_user_iter(iter, len, &wreq->iter, 0);
+ printk("ret: %zd, %s\n", n, __func__);
if (n < 0) {
ret = n;
goto out;
@@ -190,6 +191,7 @@ ssize_t netfs_unbuffered_write_iter(struct kiocb *iocb, struct iov_iter *from)
FSCACHE_INVAL_DIO_WRITE);
ret = netfs_unbuffered_write_iter_locked(iocb, from, NULL);
out:
+ printk("ret: %zd, %s\n", ret, __func__);
netfs_end_io_direct(inode);
return ret;
}
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=110c280c980000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14f2c0fc980000
Note: testing is done by a robot and is best-effort only.
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: [email protected]
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 608ba6416919..d74761fb1876 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -69,7 +69,7 @@ static ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov
*/
if (async || user_backed_iter(iter)) {
n = netfs_extract_user_iter(iter, len, &wreq->iter, 0);
- if (n < 0) {
+ if (n <= 0) {
ret = n;
goto out;
}
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17192b3f180000
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17f2f392980000
Note: testing is done by a robot and is best-effort only.