Date: Wed, 3 Apr 2024 13:03:16 +0200
From: Jan Kara
To: Christian Brauner
Cc: kernel test robot, syzbot, Edward Adam Davis, "Gustavo A. R. Silva", oe-lkp@lists.linux.dev, lkp@intel.com, Linux Memory Management List, Jan Kara, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, amir73il@gmail.com, chuck.lever@oracle.com, jlayton@kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [linux-next:master] [fs] 1b43c46297: kernel_BUG_at_mm/usercopy.c
Message-ID: <20240403110316.qtmypq2rtpueloga@quack3>
References: <202404031550.f3de0571-lkp@intel.com> <000000000000f075b9061520cbbe@google.com> <20240403-mundgerecht-klopapier-e921ceb787ca@brauner>
In-Reply-To: <20240403-mundgerecht-klopapier-e921ceb787ca@brauner>

On Wed 03-04-24 10:46:19, Christian Brauner wrote:
> On Wed, Apr 03, 2024 at 02:54:14PM +0800, Edward Adam Davis wrote:
> > [Syzbot reported]
> > BUG: KASAN: slab-out-of-bounds in instrument_copy_from_user_before include/linux/instrumented.h:129 [inline]
> > BUG: KASAN: slab-out-of-bounds in _copy_from_user+0x7b/0xe0 lib/usercopy.c:22
> > Write of size 48 at addr ffff88802b8cbc88 by task syz-executor333/5090
> >
> > CPU: 0 PID: 5090 Comm: syz-executor333 Not tainted 6.9.0-rc2-next-20240402-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> > Call Trace:
> >
> > __dump_stack lib/dump_stack.c:88 [inline]
> > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
> > print_address_description mm/kasan/report.c:377 [inline]
> > print_report+0x169/0x550 mm/kasan/report.c:488
> > kasan_report+0x143/0x180 mm/kasan/report.c:601
> > kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
> > instrument_copy_from_user_before include/linux/instrumented.h:129 [inline]
> > _copy_from_user+0x7b/0xe0 lib/usercopy.c:22
> > copy_from_user include/linux/uaccess.h:183 [inline]
> > handle_to_path fs/fhandle.c:203 [inline]
> > do_handle_open+0x204/0x660 fs/fhandle.c:226
> > do_syscall_64+0xfb/0x240
> > entry_SYSCALL_64_after_hwframe+0x72/0x7a
> > [Fix]
> > When copying data to f_handle, the length of the copied data should not include
> > the length of "struct file_handle".
> >
> > Reported-by: syzbot+4139435cb1b34cf759c2@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis
> > ---
> >  fs/fhandle.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/fs/fhandle.c b/fs/fhandle.c
> > index 53ed54711cd2..8a7f86c2139a 100644
> > --- a/fs/fhandle.c
> > +++ b/fs/fhandle.c
> > @@ -202,7 +202,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
> >  *handle = f_handle;
> >  if (copy_from_user(&handle->f_handle,
> >  &ufh->f_handle,
> > - struct_size(ufh, f_handle, f_handle.handle_bytes))) {
> > + f_handle.handle_bytes)) {
>
> Groan, of course. What a silly mistake. Thanks for the fix.
> I'll fold this into:
> Fixes: 1b43c4629756 ("fs: Annotate struct file_handle with __counted_by() and use struct_size()")
> because this hasn't hit mainline yet and it doesn't make sense to keep
> that bug around.
>
> Sorry, that'll mean we drop your patch but I'll give you credit in the
> commit log of the original patch.

Indeed, I should have caught this during review. Sorry for that and thanks for
fixing this up quickly.

								Honza
--
Jan Kara
SUSE Labs, CR
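Review bot: the replacement length `f_handle.handle_bytes` is the right one for this copy, because the destination `&handle->f_handle` already points past the `struct file_handle` header that `struct_size(ufh, f_handle, f_handle.handle_bytes)` adds on top of the payload, so the old length wrote sizeof(struct file_handle) bytes beyond a struct_size()-sized allocation; the "[Fix]" text would be clearer if it said so outright, noting that the `*handle = f_handle;` line above the call is what fills the header and the copy_from_user() only fills the payload. One thing to confirm outside the hunk: `f_handle.handle_bytes` is taken from the user-supplied header, so the copy is only safe if that value was bounded against the allocation before this point, which the diff context does not show.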
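As an added illustration of the length mismatch discussed in this thread (this is not code from the patch or from the kernel): a userspace model of handle_to_path() with an assumed struct file_handle layout, comparing the struct_size() length the buggy hunk passed to the copy with the handle_bytes length the fix uses. The names fh_struct_size, overflow_bytes and copy_handle_payload are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the kernel's struct file_handle: a fixed header followed
 * by a flexible array of handle_bytes opaque bytes (layout is an assumption). */
struct file_handle {
    uint32_t handle_bytes;
    int handle_type;
    unsigned char f_handle[];
};

/* Same arithmetic as the kernel's struct_size(): header plus payload. */
static size_t fh_struct_size(uint32_t handle_bytes)
{
    return offsetof(struct file_handle, f_handle) + handle_bytes;
}

/* Bytes that a copy of copy_len bytes into &h->f_handle would write past the
 * end of a struct_size()-sized allocation. 0 means the copy fits exactly. */
static size_t overflow_bytes(uint32_t handle_bytes, size_t copy_len)
{
    size_t alloc = fh_struct_size(handle_bytes);
    size_t end = offsetof(struct file_handle, f_handle) + copy_len;
    return end > alloc ? end - alloc : 0;
}

/* Model of handle_to_path(): allocate with struct_size(), then copy the
 * payload into the flexible member. Before the fix the copy length was
 * struct_size() itself (use_buggy_len = 1); after it, just handle_bytes.
 * Returns the number of payload bytes copied, or -1 if the chosen length
 * would overrun the allocation (where the kernel hit KASAN instead). */
static long copy_handle_payload(const unsigned char *src, uint32_t handle_bytes,
                                int use_buggy_len)
{
    size_t len = use_buggy_len ? fh_struct_size(handle_bytes) : handle_bytes;
    if (overflow_bytes(handle_bytes, len) != 0)
        return -1;
    struct file_handle *h = malloc(fh_struct_size(handle_bytes));
    if (!h)
        return -1;
    h->handle_bytes = handle_bytes;
    h->handle_type = 0;
    memcpy(h->f_handle, src, len);           /* kernel: copy_from_user() */
    long copied = (long)len;
    free(h);
    return copied;
}
```

With a constructed 40-byte handle, the buggy length is 48 and overruns the allocation by the 8-byte header, while the fixed length copies exactly 40 bytes.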