Date: Mon, 24 Aug 2020 10:22:16 +0200
From: Greg KH
To: Jiri Slaby
Cc: syzbot, akpm@linux-foundation.org, jslaby@suse.cz, linux-kernel@vger.kernel.org, linux-mm@kvack.org, nico@fluxnic.net, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Write in vcs_read
Message-ID: <20200824082216.GC336539@kroah.com>
In-Reply-To: <2e94ac46-7f0c-c322-d217-afe021214eaf@kernel.org>

On Mon, Aug 24, 2020 at 10:03:54AM +0200, Jiri Slaby wrote:
> On 22. 08. 20, 9:34, Jiri Slaby wrote:
> > On 22. 08. 20, 9:31, syzbot wrote:
> >> syzbot has bisected this issue to:
> >>
> >> commit b1c32fcfadf5593ab7a63261cc8a5747c36e627e
> >> Author: Jiri Slaby
> >> Date:   Tue Aug 18 08:57:05 2020 +0000
> >>
> >>     vc_screen: extract vcs_read_buf_header
> >
> > It's like the 7th e-mail about the very same issue. Can it be
> > suspended/acknowledged somehow?
> >
> >> Reported-by: syzbot+ad1f53726c3bd11180cb@syzkaller.appspotmail.com
> >
> > I haven't managed to find the root cause on Fri yet, I will chase it on
> > Mon again.
>
> Ah, I see now. And the easiest way of handling this is simply to revert the
> commit now, re-think and redo during the next merge window.
>
> There are two issues with the patch:
> 1) vcs_read rounds the 'count' up to an even number. So if we read odd
> bytes from the header (3 in the reproducer), the second byte of the
> (2-byte/ushort) write to the temporary con_buf won't fit. It is because with
> the patch applied, we only subtract the real number read (3 bytes) and
> not the whole header (4 bytes).
>
> 2) in this scenario, we perform unaligned accesses now: 2-byte/ushort
> writes to odd addresses. Due to the same reason as above.
>
> So Greg, could you revert with the above reasoning? It reverts cleanly.
> Or do you want me to send a revert?

If you send a revert it is always easier for me to apply that :)

thanks,

greg k-h
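The arithmetic behind the two issues Jiri lists (the even-rounded count, the 4-byte header, and subtracting only the 3 bytes actually read instead of the whole header) can be walked through in a small constructed model. The code below is an added illustration written for this page; it is not the kernel's vc_screen.c and not code from either participant. It assumes only what the mail states: the header is 4 bytes, the count is rounded up to an even number, and the copy loop writes 2-byte values. The function and struct names are invented for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the byte accounting described in the mail.
 * HEADER_SIZE is the 4-byte header the mail refers to; the buffer
 * layout and loop are simplified and are not the kernel's code. */
#define HEADER_SIZE 4

struct copy_result {
    size_t end;        /* offset in the temporary buffer just past the last write */
    size_t overflow;   /* bytes written beyond the even-rounded count */
    bool   unaligned;  /* true if any 2-byte write started at an odd offset */
};

/* The mail says vcs_read rounds the requested count up to an even number. */
static size_t round_up_even(size_t count)
{
    return (count + 1) & ~(size_t)1;
}

/* Simulate one read of `count` bytes that starts inside the header.
 * subtract_whole_header == false models the accounting the mail describes
 * for the patch (subtract only the header bytes actually copied);
 * subtract_whole_header == true models subtracting all HEADER_SIZE bytes,
 * which is what the mail says is needed. */
static struct copy_result simulate_read(size_t count, bool subtract_whole_header)
{
    size_t limit = round_up_even(count);
    size_t header_read = count < HEADER_SIZE ? count : HEADER_SIZE;
    size_t subtracted = subtract_whole_header ? HEADER_SIZE : header_read;
    /* Model choice: never let the budget underflow. */
    size_t budget = limit > subtracted ? limit - subtracted : 0;

    struct copy_result r = { .end = header_read, .overflow = 0, .unaligned = false };

    /* The cell-copy loop emits one 2-byte (ushort) write per iteration as
     * long as the byte budget is positive. A budget of 1 still triggers a
     * full 2-byte write, which is the "second byte won't fit" case. */
    while (budget > 0) {
        if (r.end % 2 != 0)
            r.unaligned = true;   /* issue 2: ushort write to an odd offset */
        r.end += 2;
        budget = budget >= 2 ? budget - 2 : 0;
    }
    if (r.end > limit)
        r.overflow = r.end - limit;   /* issue 1: write past the rounded count */
    return r;
}

int main(void)
{
    /* The reproducer reads 3 bytes, per the mail. */
    struct copy_result buggy = simulate_read(3, false);
    struct copy_result fixed = simulate_read(3, true);

    printf("subtract bytes read : overflow=%zu unaligned=%d\n",
           buggy.overflow, buggy.unaligned);
    printf("subtract whole header: overflow=%zu unaligned=%d\n",
           fixed.overflow, fixed.unaligned);
    return 0;
}
```

With a 3-byte read the "subtract bytes read" accounting leaves a budget of 1 byte, so the loop still performs one 2-byte write at offset 3: one byte past the rounded count and at an odd address, which is exactly the pair of symptoms in the mail. Subtracting the whole 4-byte header leaves no budget and no write. Reads of 4 or more bytes behave identically under both accountings in this model, which is why the defect only surfaces for short, odd-sized reads that end inside the header.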