On Thu, Dec 26, 2019 at 02:06:01PM -0800, syzbot wrote: > syzbot has bisected this bug to: > > commit 6dc4f100c175dd0511ae8674786e7c9006cdfbfa > Author: Ming Lei <ming.lei@xxxxxxxxxx> > Date: Fri Feb 15 11:13:19 2019 +0000 > > block: allow bio_for_each_segment_all() to iterate over multi-page bvec > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1674423ee00000 > start commit: 46cf053e Linux 5.5-rc3 > git tree: upstream > final crash: https://syzkaller.appspot.com/x/report.txt?x=1574423ee00000 > console output: https://syzkaller.appspot.com/x/log.txt?x=1174423ee00000 > kernel config: https://syzkaller.appspot.com/x/.config?x=ed9d672709340e35 > dashboard link: https://syzkaller.appspot.com/bug?extid=2b9e54155c8c25d8d165 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152bdc56e00000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=159c489ee00000 > > Reported-by: syzbot+2b9e54155c8c25d8d165@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 6dc4f100c175 ("block: allow bio_for_each_segment_all() to iterate > over multi-page bvec") Looks this syzbot test triggers bio truncate(guard_bio_eod()), and the truncated bytes is bigger than the last bvec, which length is overflowed by 'bvec->bv_len -= truncated_bytes'. Finally bio_for_each_segment_all() trigger the issue. Will figure out one patch to fix it. Thanks, Ming
