Date: Fri, 5 Apr 2024 12:26:10 +0200
From: Christian Brauner
To: Jan Kara
Cc: kernel test robot, syzbot, Edward Adam Davis, "Gustavo A. R. Silva", oe-lkp@lists.linux.dev, lkp@intel.com, Linux Memory Management List, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, amir73il@gmail.com, chuck.lever@oracle.com, jlayton@kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [linux-next:master] [fs] 1b43c46297: kernel_BUG_at_mm/usercopy.c
Message-ID: <20240405-basisarbeit-kohlenkeller-676735d80a89@brauner>
References: <202404031550.f3de0571-lkp@intel.com> <000000000000f075b9061520cbbe@google.com> <20240403-mundgerecht-klopapier-e921ceb787ca@brauner> <20240403110316.qtmypq2rtpueloga@quack3>
In-Reply-To: <20240403110316.qtmypq2rtpueloga@quack3>

On Wed, Apr 03, 2024 at 01:03:16PM +0200, Jan Kara wrote:
> On Wed 03-04-24 10:46:19, Christian Brauner wrote:
> > On Wed, Apr 03, 2024 at 02:54:14PM +0800, Edward Adam Davis wrote:
> > > [Syzbot reported]
> > > BUG: KASAN: slab-out-of-bounds in instrument_copy_from_user_before include/linux/instrumented.h:129 [inline]
> > > BUG: KASAN: slab-out-of-bounds in _copy_from_user+0x7b/0xe0 lib/usercopy.c:22
> > > Write of size 48 at addr ffff88802b8cbc88 by task syz-executor333/5090
> > > 
> > > CPU: 0 PID: 5090 Comm: syz-executor333 Not tainted 6.9.0-rc2-next-20240402-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> > > Call Trace:
> > > 
> > > __dump_stack lib/dump_stack.c:88 [inline]
> > > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
> > > print_address_description mm/kasan/report.c:377 [inline]
> > > print_report+0x169/0x550 mm/kasan/report.c:488
> > > kasan_report+0x143/0x180 mm/kasan/report.c:601
> > > kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
> > > instrument_copy_from_user_before include/linux/instrumented.h:129 [inline]
> > > _copy_from_user+0x7b/0xe0 lib/usercopy.c:22
> > > copy_from_user include/linux/uaccess.h:183 [inline]
> > > handle_to_path fs/fhandle.c:203 [inline]
> > > do_handle_open+0x204/0x660 fs/fhandle.c:226
> > > do_syscall_64+0xfb/0x240
> > > entry_SYSCALL_64_after_hwframe+0x72/0x7a
> > > [Fix]
> > > When copying data to f_handle, the length of the copied data should not include
> > > the length of "struct file_handle".
> > > 
> > > Reported-by: syzbot+4139435cb1b34cf759c2@syzkaller.appspotmail.com
> > > Signed-off-by: Edward Adam Davis
> > > ---
> > > fs/fhandle.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/fs/fhandle.c b/fs/fhandle.c
> > > index 53ed54711cd2..8a7f86c2139a 100644
> > > --- a/fs/fhandle.c
> > > +++ b/fs/fhandle.c
> > > @@ -202,7 +202,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
> > > *handle = f_handle;
> > > if (copy_from_user(&handle->f_handle,
> > > &ufh->f_handle,
> > > - struct_size(ufh, f_handle, f_handle.handle_bytes))) {
> > > + f_handle.handle_bytes)) {
> > 
> > Groan, of course. What a silly mistake. Thanks for the fix.
> > I'll fold this into:
> > Fixes: 1b43c4629756 ("fs: Annotate struct file_handle with __counted_by() and use struct_size()")
> > because this hasn't hit mainline yet and it doesn't make sense to keep
> > that bug around.
> > 
> > Sorry, that'll mean we drop your patch but I'll give you credit in the
> > commit log of the original patch.
> 
> Indeed, I should have caught this during review. Sorry for that and thanks
> for fixing this up quickly.

Fwiw, it wasn't meant that way. I meant it's a silly mistake in the sense
that it is so easy to miss because the patch looks so benign. The fact is
that we will have to live with missing things like this once in a while and
that is why we have testing bots as well. :)
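Review bot: the commit message should spell out why the old length was wrong, because the hunk alone makes the change look cosmetic: the context line `*handle = f_handle;` has already written the header, and `struct_size(ufh, f_handle, f_handle.handle_bytes)` adds sizeof(struct file_handle) on top of handle_bytes, so the copy that starts at `&handle->f_handle` ran past the end of the buffer by exactly the header size. The hunk also does not show where `f_handle.handle_bytes` is bounded against the allocation, which the new length now relies on, and a `Fixes: 1b43c4629756 ("fs: Annotate struct file_handle with __counted_by() and use struct_size()")` tag would tie it to the commit the thread identifies as the origin.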
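The double-counting that the fix removes, as an added C example that is not from this thread or the kernel tree: it models struct file_handle and a simplified struct_size() in userspace and shows that the old length overruns an exactly-sized allocation by sizeof(struct file_handle) while the fixed length fits. The function names (fh_struct_size, overrun_bytes, copy_handle_bytes, demo_overrun) and the constructed inputs are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Userspace model of struct file_handle (constructed): 8-byte header + flex array. */
struct file_handle {
    uint32_t handle_bytes;
    int handle_type;
    unsigned char f_handle[];
};

/* struct_size(ufh, f_handle, n) as the kernel computes it: header + n bytes.
 * Correct as the allocation size; wrong as the copy length in the old hunk. */
size_t fh_struct_size(uint32_t n)
{
    struct file_handle *p = NULL;            /* sizeof() never dereferences */
    return sizeof(*p) + n * sizeof(p->f_handle[0]);
}

/* Bytes a write of `len` starting at ->f_handle runs past `alloc` (0 = ok). */
size_t overrun_bytes(size_t alloc, size_t len)
{
    size_t start = offsetof(struct file_handle, f_handle);
    return start + len > alloc ? start + len - alloc : 0;
}

/* Bounds-checked stand-in for copy_from_user() into the flexible array. */
int copy_handle_bytes(struct file_handle *h, size_t alloc, const unsigned char *src, size_t len)
{
    if (overrun_bytes(alloc, len))
        return -1;                           /* would corrupt the heap: refuse */
    memcpy(h->f_handle, src, len);
    return 0;
}

/* Replay the report: allocate struct_size() bytes, copy with the fixed length
 * (must fit), then return how far the buggy length would have overrun. */
size_t demo_overrun(uint32_t handle_bytes)
{
    size_t alloc = fh_struct_size(handle_bytes);
    struct file_handle *h = malloc(alloc);
    unsigned char *src = calloc(handle_bytes, 1);   /* constructed user bytes */
    size_t over = (size_t)-1;
    h->handle_bytes = handle_bytes;              /* the "*handle = f_handle" step */
    h->handle_type = 1;
    if (copy_handle_bytes(h, alloc, src, handle_bytes) == 0)       /* fixed */
        over = overrun_bytes(alloc, fh_struct_size(handle_bytes)); /* buggy */
    free(src);
    free(h);
    return over;
}
```

The overrun is always sizeof(struct file_handle) bytes, whatever handle_bytes is, because the buggy length equals the whole allocation while the copy starts one header in.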