On 8/1/21 1:10 AM, Pavel Begunkov wrote:
> On 7/31/21 7:21 PM, Sudip Mukherjee wrote:
>> Hi Jens, Pavel,
>>
>> We had been running syzkaller on v5.10.y and a "KASAN:
>> stack-out-of-bounds in iov_iter_revert" was being reported on it. I
>> got some time to check that today and have managed to get a syzkaller
>> reproducer. I dont have a C reproducer which I can share but I can use
>> the syz-reproducer to reproduce this with v5.14-rc3 and also with
>> next-20210730.
>
> Can you try out the diff below? Not a full-fledged fix, but need to
> check a hunch.
>
> If that's important, I was using this branch:
> git://git.kernel.dk/linux-block io_uring-5.14
Or better this one, just in case it ooopses on warnings.
diff --git a/fs/io_uring.c b/fs/io_uring.c
index bf548af0426c..12284616854b 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3316,6 +3316,11 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags)
/* no retry on NONBLOCK nor RWF_NOWAIT */
if (req->flags & REQ_F_NOWAIT)
goto done;
+ if (iter->truncated) {
+ printk("truncated rd: %i\n", (int)iter->truncated);
+ iov_iter_reexpand(iter, iov_iter_count(iter) + iter->truncated);
+ iter->truncated = 0;
+ }
/* some cases will consume bytes even on error returns */
iov_iter_revert(iter, io_size - iov_iter_count(iter));
ret = 0;
@@ -3455,6 +3460,11 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
kiocb_done(kiocb, ret2, issue_flags);
} else {
copy_iov:
+ if (iter->truncated) {
+ printk("truncated wr: %i\n", (int)iter->truncated);
+ iov_iter_reexpand(iter, iov_iter_count(iter) + iter->truncated);
+ iter->truncated = 0;
+ }
/* some cases will consume bytes even on error returns */
iov_iter_revert(iter, io_size - iov_iter_count(iter));
ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
diff --git a/include/linux/uio.h b/include/linux/uio.h
index 82c3c3e819e0..eff06d139fd4 100644
--- a/include/linux/uio.h
+++ b/include/linux/uio.h
@@ -30,6 +30,7 @@ enum iter_type {
struct iov_iter {
u8 iter_type;
bool data_source;
+ u16 truncated;
size_t iov_offset;
size_t count;
union {
@@ -254,8 +255,10 @@ static inline void iov_iter_truncate(struct iov_iter *i, u64 count)
* conversion in assignement is by definition greater than all
* values of size_t, including old i->count.
*/
- if (i->count > count)
+ if (i->count > count) {
+ i->truncated += i->count - count;
i->count = count;
+ }
}
/*
@@ -264,6 +267,8 @@ static inline void iov_iter_truncate(struct iov_iter *i, u64 count)
*/
static inline void iov_iter_reexpand(struct iov_iter *i, size_t count)
{
+ WARN_ON_ONCE(i->count > count);
+ i->truncated -= count - i->count;
i->count = count;
}
