Date: Wed, 4 Dec 2019 23:45:39 -0800
From: Eric Biggers
To: dhowells@redhat.com
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, syzbot
Subject: Re: KASAN: slab-out-of-bounds Write in pipe_write
Message-ID: <20191205074539.GB3237@sol.localdomain>
References: <000000000000a6324b0598b2eb59@google.com> <000000000000d6c9870598bdf090@google.com>
In-Reply-To: <000000000000d6c9870598bdf090@google.com>

Hi David,

On Mon, Dec 02, 2019 at 11:54:00AM -0800, syzbot wrote:
> syzbot has bisected this bug to:
> 
> commit a194dfe6e6f6f7205eea850a420f2bc6a1541209
> Author: David Howells
> Date:   Fri Sep 20 15:32:19 2019 +0000
> 
>     pipe: Rearrange sequence in pipe_write() to preallocate slot
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16085abce00000
> start commit:   b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=15085abce00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=11085abce00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ff560c3de405258c
> dashboard link: https://syzkaller.appspot.com/bug?extid=838eb0878ffd51f27c41
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=146a9f86e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1791d82ae00000
> 
> Reported-by: syzbot+838eb0878ffd51f27c41@syzkaller.appspotmail.com
> Fixes: a194dfe6e6f6 ("pipe: Rearrange sequence in pipe_write() to
> preallocate slot")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> 

It looks like the 'mask' variable in pipe_write() is not being updated after the pipe mutex was dropped in pipe_wait(), to take into account the pipe size possibly having been changed in the meantime.

BTW, I see that the pipe changes were not in linux-next before being sent to Linus. Please do this next time so that syzbot can find the obvious bugs before they reach mainline. It's annoying having my system crash on latest mainline during normal use, due to a bug easily found in < 1 day by an automated system.

- Eric
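The stale-mask pattern described in the reply above, modelled on a simplified ring buffer as an added example (not kernel code and not part of the original thread; struct and function names are assumptions): the writer computes the index mask before waiting, the pipe is shrunk while it sleeps, and reusing the old mask afterwards yields a slot index beyond the new buffer, while recomputing the mask after the wait keeps the index in range.

```c
#include <stdbool.h>
#include <stddef.h>
/* Simplified pipe-like ring, constructed for this example; the names
 * are assumptions, not the kernel's own code. */
struct ring {
    size_t size;   /* slot count, always a power of two */
    size_t head;   /* next slot to write */
    size_t tail;   /* next slot to read */
};

static bool ring_full(const struct ring *r)
{
    return r->head - r->tail >= r->size;
}

/* Resize: occupied slots are compacted to start at slot 0. */
static void ring_resize(struct ring *r, size_t new_size)
{
    size_t used = r->head - r->tail;
    if (used > new_size)
        used = new_size;
    r->size = new_size;
    r->tail = 0;
    r->head = used;
}

/* refresh_mask == false reuses the mask computed before the wait (the
 * stale-mask bug); true recomputes it. Returns (size_t)-1 when full. */
size_t writer_slot(struct ring *r, size_t new_size, bool refresh_mask)
{
    size_t mask = r->size - 1;          /* computed before sleeping */
    /* Simulated wait: lock dropped, another task shrinks the ring,
     * and a reader consumes one slot before the writer resumes. */
    ring_resize(r, new_size);
    r->tail++;
    if (refresh_mask)
        mask = r->size - 1;             /* the fix: re-read the size */
    if (ring_full(r))
        return (size_t)-1;
    return r->head & mask;              /* stale mask can exceed size */
}

/* 16-slot ring with 4 occupied slots shrunk to 4 slots during the wait.
 * Returns true if the writer's slot index lies outside the buffer. */
bool scenario_out_of_bounds(bool refresh_mask)
{
    struct ring r = { .size = 16, .head = 4, .tail = 0 };
    size_t slot = writer_slot(&r, 4, refresh_mask);
    return slot != (size_t)-1 && slot >= r.size;
}
```

With the stale mask the writer indexes slot 4 of a 4-slot buffer; with the refreshed mask it wraps to slot 0.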