On 8/3/21 11:34 AM, Pavel Begunkov wrote:
> On 8/3/21 8:47 AM, Sudip Mukherjee wrote:
>> On Mon, Aug 2, 2021 at 12:55 PM Pavel Begunkov <asml.silence@xxxxxxxxx> wrote:
>>> On 8/1/21 9:28 PM, Sudip Mukherjee wrote:
>>>> On Sun, Aug 1, 2021 at 9:52 AM Pavel Begunkov <asml.silence@xxxxxxxxx> wrote:
>>>>> On 8/1/21 1:10 AM, Pavel Begunkov wrote:
>>>>>> On 7/31/21 7:21 PM, Sudip Mukherjee wrote:
>>>>>>> Hi Jens, Pavel,
>>>>>>>
>>>>>>> We had been running syzkaller on v5.10.y and a "KASAN:
>>>>>>> stack-out-of-bounds in iov_iter_revert" was being reported on it. I
>>>>>>> got some time to check that today and have managed to get a syzkaller
>>>>>>> reproducer. I don't have a C reproducer which I can share but I can use
>>>>>>> the syz-reproducer to reproduce this with v5.14-rc3 and also with
>>>>>>> next-20210730.
>>>>>>
>>>>>> Can you try out the diff below? Not a full-fledged fix, but need to
>>>>>> check a hunch.
>>>>>>
>>>>>> If that's important, I was using this branch:
>>>>>> git://git.kernel.dk/linux-block io_uring-5.14
>>>>>
>>>>> Or better this one, just in case it oopses on warnings.
>>>>
>>>> I tested this one on top of "git://git.kernel.dk/linux-block
>>>> io_uring-5.14" and the issue was still seen, but after the BUG trace I
>>>> got lots of "truncated wr" message. The trace is:
>>>
>>> That's interesting, thanks
>>> Can you share the syz reproducer?
>>
>> Unfortunately I don't have a C reproducer, but this is the reproducer
>> for syzkaller:
>
> Thanks. Maybe I'm not perfectly familiar with syz, but were there
> any options? Like threaded, collide, etc.?

Never mind, reproduced the issue.

fwiw, I was too optimistic with u16 in the diff, but if replaced with
size_t, it solves the out-of-bounds bug, but it has another issue.
In any case, need to patch it up, thanks

-- 
Pavel Begunkov