On 5/31/22 2:52 AM, Dmitry Vyukov wrote: > On Tue, 31 May 2022 at 10:45, Jens Axboe <axboe@xxxxxxxxx> wrote: >> >> On 5/31/22 1:55 AM, syzbot wrote: >>> Hello, >>> >>> syzbot found the following issue on: >>> >>> HEAD commit: 3b46e4e44180 Add linux-next specific files for 20220531 >>> git tree: linux-next >>> console output: https://syzkaller.appspot.com/x/log.txt?x=16e151f5f00000 >>> kernel config: https://syzkaller.appspot.com/x/.config?x=ccb8d66fc9489ef >>> dashboard link: https://syzkaller.appspot.com/bug?extid=b6c9b65b6753d333d833 >>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 >>> >>> Unfortunately, I don't have any reproducer for this issue yet. >>> >>> IMPORTANT: if you fix the issue, please add the following tag to the commit: >>> Reported-by: syzbot+b6c9b65b6753d333d833@xxxxxxxxxxxxxxxxxxxxxxxxx >>> >>> ================================================================================ >>> ================================================================================ >>> UBSAN: array-index-out-of-bounds in fs/io_uring.c:8860:19 >>> index 75 is out of range for type 'io_op_def [47]' >> >> 'def' is just set here, it's not actually used after 'opcode' has been >> verified. > > An interesting thing about C is that now the compiler is within its > rights to actually remove the check that is supposed to validate the > index because indexing io_op_defs[opcode] implies that opcode is > already within bounds, otherwise the program already has undefined > behavior, so removing the check is that case is also OK ;) I did fix this up as I think it's just a bug waiting to happen anyway. -- Jens Axboe
