* Re: Patch "io_uring: reexpand under-reexpanded iters" has been added to the 5.13-stable tree
       [not found] <1631526315154131@kroah.com>
@ 2021-09-13 10:47 ` Greg KH
  0 siblings, 0 replies; only message in thread
From: Greg KH @ 2021-09-13 10:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: asml.silence, oswalpalash, sudipm.mukherjee,
	syzbot+9671693590ef5aad8953, viro, stable-commits

On Mon, Sep 13, 2021 at 11:45:15AM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     io_uring: reexpand under-reexpanded iters
> 
> to the 5.13-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      io_uring-reexpand-under-reexpanded-iters.patch
> and it can be found in the queue-5.13 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> From 89c2b3b74918200e46699338d7bcc19b1ea12110 Mon Sep 17 00:00:00 2001
> From: Pavel Begunkov <asml.silence@gmail.com>
> Date: Mon, 23 Aug 2021 11:18:45 +0100
> Subject: io_uring: reexpand under-reexpanded iters
> 
> From: Pavel Begunkov <asml.silence@gmail.com>
> 
> commit 89c2b3b74918200e46699338d7bcc19b1ea12110 upstream.
> 
> [   74.211232] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x809/0x900
> [   74.212778] Read of size 8 at addr ffff888025dc78b8 by task syz-executor.0/828
> [   74.214756] CPU: 0 PID: 828 Comm: syz-executor.0 Not tainted 5.14.0-rc3-next-20210730 #1
> [   74.216525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
> [   74.219033] Call Trace:
> [   74.219683]  dump_stack_lvl+0x8b/0xb3
> [   74.220706]  print_address_description.constprop.0+0x1f/0x140
> [   74.224226]  kasan_report.cold+0x7f/0x11b
> [   74.226085]  iov_iter_revert+0x809/0x900
> [   74.227960]  io_write+0x57d/0xe40
> [   74.232647]  io_issue_sqe+0x4da/0x6a80
> [   74.242578]  __io_queue_sqe+0x1ac/0xe60
> [   74.245358]  io_submit_sqes+0x3f6e/0x76a0
> [   74.248207]  __do_sys_io_uring_enter+0x90c/0x1a20
> [   74.257167]  do_syscall_64+0x3b/0x90
> [   74.257984]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> old_size = iov_iter_count();
> ...
> iov_iter_revert(old_size - iov_iter_count());
> 
> If iov_iter_revert() is done based on the initial size as above, and the
> iter is truncated and not reexpanded in the middle, it miscalculates
> borders causing problems. This trace is due to no one reexpanding after
> generic_write_checks().
> 
> Now iters store how many bytes have been truncated, so reexpand them to
> the initial state right before reverting.
> 
> Cc: stable@vger.kernel.org
> Reported-by: Palash Oswal <oswalpalash@gmail.com>
> Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> Reported-and-tested-by: syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com
> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  fs/io_uring.c |    2 ++
>  1 file changed, 2 insertions(+)
> 

No, sorry, this breaks the build, now dropping.

greg k-h
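The truncate-then-revert miscalculation that the quoted commit message describes, shown as an added example that is not part of this thread and not the kernel's io_uring or iov_iter code: a toy C model of an iterator that records how many bytes a truncate hid (the "how many bytes have been truncated" counter the commit message mentions), driven through the io_write pattern `old_size = iov_iter_count(); ...; iov_iter_revert(old_size - iov_iter_count());`. The struct, the `toy_*` helpers, the `limit` argument standing in for the truncation generic_write_checks() applies, and the sample sizes are all assumptions made for this illustration. The reexpand-before-revert step follows the commit message's prose ("reexpand them to the initial state right before reverting"), not the two-line diff, which is not shown on this page. The real iov_iter_revert() walks back through the iovec array, which is where an over-long unroll becomes the stack out-of-bounds read in the KASAN trace; the model simply reports the overshoot in bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the three byte counts the commit message relies on.
 * This is NOT the kernel's struct iov_iter; it keeps only what is needed
 * to show the revert arithmetic.
 */
struct toy_iter {
	size_t consumed;   /* bytes the caller has advanced past */
	size_t count;      /* bytes still visible (what iov_iter_count() would report) */
	size_t truncated;  /* bytes hidden by a truncate and not yet reexpanded */
};

static void toy_init(struct toy_iter *it, size_t total)
{
	it->consumed = 0;
	it->count = total;
	it->truncated = 0;
}

/* Shrink the visible size and remember how much was hidden. */
static void toy_truncate(struct toy_iter *it, size_t n)
{
	if (n < it->count) {
		it->truncated += it->count - n;
		it->count = n;
	}
}

/* Grow the visible size again, giving hidden bytes back. */
static void toy_reexpand(struct toy_iter *it, size_t n)
{
	if (n > it->count) {
		size_t grow = n - it->count;

		it->truncated = grow < it->truncated ? it->truncated - grow : 0;
		it->count = n;
	}
}

/* Consume up to n visible bytes, as a write that makes progress would. */
static void toy_advance(struct toy_iter *it, size_t n)
{
	if (n > it->count)
		n = it->count;
	it->count -= n;
	it->consumed += n;
}

/*
 * Walk back `unroll` bytes. Returns how far the request reaches before the
 * start of the buffer; 0 means the revert stayed in bounds. The kernel has
 * no such guard: it keeps stepping back through iovecs, which is the
 * stack-out-of-bounds read in the trace.
 */
static size_t toy_revert(struct toy_iter *it, size_t unroll)
{
	size_t overshoot = unroll > it->consumed ? unroll - it->consumed : 0;
	size_t ok = unroll - overshoot;

	it->consumed -= ok;
	it->count += ok;
	return overshoot;
}

/*
 * The io_write() pattern from the commit message. `limit` (an assumption of
 * this model) stands in for the truncation generic_write_checks() applies on
 * the way down; `reexpand` selects whether the iter is reexpanded right
 * before reverting. Returns the overshoot in bytes; 0 is the correct outcome.
 */
static size_t io_write_model(size_t io_size, size_t limit, bool reexpand)
{
	struct toy_iter it;
	size_t old_size;

	toy_init(&it, io_size);
	old_size = it.count;                 /* old_size = iov_iter_count(); */
	toy_truncate(&it, limit);            /* generic_write_checks(); nobody reexpands */
	toy_advance(&it, it.count);          /* the write consumes everything still visible */
	if (reexpand)
		toy_reexpand(&it, it.count + it.truncated);
	return toy_revert(&it, old_size - it.count); /* iov_iter_revert(old_size - iov_iter_count()); */
}

int main(void)
{
	/* Constructed sizes: a 4 KiB write that generic_write_checks() cuts to 1 KiB. */
	printf("no reexpand:   revert reaches %zu bytes before the start\n",
	       io_write_model(4096, 1024, false));
	printf("with reexpand: revert reaches %zu bytes before the start\n",
	       io_write_model(4096, 1024, true));
	printf("not truncated: revert reaches %zu bytes before the start\n",
	       io_write_model(4096, 4096, false));
	return 0;
}
```

Built with any C99 compiler, the first line reports a 3072-byte overshoot (4096 requested minus 1024 actually consumed), the second reports 0 once the hidden 3072 bytes are given back before the revert, and the third shows that a write that was never truncated is unaffected either way.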
