From: Pengfei Xu <pengfei.xu@intel.com>
To: <viro@zeniv.linux.org.uk>
Cc: <heng.su@intel.com>, <linux-kernel@vger.kernel.org>,
	<davem@davemloft.net>, <jmaloy@redhat.com>, <kuba@kernel.org>
Subject: Re: Update bisect info and new repro code for "[syzbot] WARNING in _copy_from_iter"
Date: Thu, 5 Jan 2023 09:48:10 +0800
Message-ID: <Y7YsWvQaDPm2+pS3@xpf.sh.intel.com>
In-Reply-To: <Y65N3pgLMsxZ99lo@xpf.sh.intel.com>

Hi Viro,

It's a soft reminder: the "_copy_from_iter" WARNING issue was still reproduced
in the v6.2-rc2 mainline kernel in a guest.
"
[   29.804009] sg_write: data in/out 131036/42 bytes for SCSI command 0xff-- guessing data in;
[   29.804009]    program repro not setting count and/or reply_len properly
[   29.806580] ------------[ cut here ]------------
[   29.807212] WARNING: CPU: 0 PID: 514 at lib/iov_iter.c:629 _copy_from_iter+0x130/0xa60
[   29.808295] Modules linked in:
[   29.808742] CPU: 0 PID: 514 Comm: repro Not tainted 6.2.0-rc2-88603b6dc419 #2
[   29.809931] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[   29.811422] RIP: 0010:_copy_from_iter+0x130/0xa60
[   29.812072] Code: 41 5e 41 5f 5d c3 cc cc cc cc e8 5b 16 58 ff be 79 02 00 00 48 c7 c7 3c 55 94 83 e8 5a 18 7a ff e9 3f ff ff ff e8 40 16 58 ff <0f> 0b 31 db 5
[   29.814474] RSP: 0018:ffffc90000fdf988 EFLAGS: 00010246
[   29.815182] RAX: 0000000000000000 RBX: 0000000000001000 RCX: ffffffff81d40343
[   29.816120] RDX: 0000000000000000 RSI: ffff88800dfe4680 RDI: 0000000000000002
[   29.817224] RBP: ffffc90000fdfa18 R08: ffffc90000fdfa3f R09: 000000000000ffff
[   29.818177] R10: ffffea000049bc00 R11: 0000000000000000 R12: ffffc90000fdfad0
[   29.819119] R13: 0000000000000000 R14: ffffea000049b000 R15: 0000000000000000
[   29.820057] FS:  00007f9207ab6740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[   29.821161] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.821945] CR2: 0000000020000041 CR3: 000000000dd8a005 CR4: 0000000000770ef0
[   29.822890] PKRU: 55555554
[   29.823270] Call Trace:
[   29.823615]  <TASK>
[   29.823924]  ? __sanitizer_cov_trace_pc+0x25/0x60
[   29.824597]  ? bio_add_hw_page+0x234/0x2e0
[   29.825228]  ? write_comp_data+0x2f/0x90
[   29.825782]  copy_page_from_iter+0x1aa/0x370
[   29.826377]  ? write_comp_data+0x2f/0x90
[   29.826928]  blk_rq_map_user_iov+0x531/0xa70
[   29.827550]  blk_rq_map_user+0x86/0xc0
[   29.828093]  blk_rq_map_user_io+0xbe/0xd0
[   29.828665]  sg_common_write.isra.22+0x5fd/0xb10
[   29.829390]  sg_write+0x43a/0x750
[   29.829894]  ? __lock_acquire+0xa26/0x1d30
[   29.830493]  ? write_comp_data+0x2f/0x90
[   29.831038]  ? __sanitizer_cov_trace_pc+0x25/0x60
[   29.831685]  ? security_file_permission+0x177/0x340
[   29.832365]  ? __sanitizer_cov_trace_pc+0x25/0x60
[   29.833348]  ? write_comp_data+0x2f/0x90
[   29.834039]  vfs_write+0x1b6/0x780
[   29.834533]  ? __pfx_sg_write+0x10/0x10
[   29.835074]  ? __sanitizer_cov_trace_pc+0x25/0x60
[   29.835716]  ? write_comp_data+0x2f/0x90
[   29.836256]  ? write_comp_data+0x2f/0x90
[   29.836816]  ksys_write+0x9f/0x170
[   29.837346]  __x64_sys_write+0x27/0x30
[   29.838001]  do_syscall_64+0x3b/0x90
[   29.838530]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   29.839266] RIP: 0033:0x7f9207bdb59d
[   29.839766] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 8
[   29.842219] RSP: 002b:00007ffe7ecdd768 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[   29.843335] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9207bdb59d
[   29.844277] RDX: 0000000000000058 RSI: 0000000020000080 RDI: 0000000000000003
[   29.845273] RBP: 00007ffe7ecdd780 R08: 002367732f766564 R09: 00007ffe7ecdd860
[   29.846288] R10: 000000000000000f R11: 0000000000000213 R12: 00000000004010a0
[   29.847228] R13: 00007ffe7ecdd860 R14: 0000000000000000 R15: 0000000000000000
[   29.848182]  </TASK>
[   29.848516] irq event stamp: 4703
[   29.848970] hardirqs last  enabled at (4711): [<ffffffff811d48a1>] __up_console_sem+0x91/0xb0
[   29.850278] hardirqs last disabled at (4720): [<ffffffff811d4886>] __up_console_sem+0x76/0xb0
[   29.851409] softirqs last  enabled at (4336): [<ffffffff82f9c213>] __do_softirq+0x323/0x48a
[   29.852533] softirqs last disabled at (4213): [<ffffffff81123152>] irq_exit_rcu+0xd2/0x100
[   29.853659] ---[ end trace 0000000000000000 ]---
"
Bisected and found that the bad commit is as below:
a41dad905e5a388f88435a517de102e9b2c8e43d
iov_iter: saner checks for attempt to copy to/from iterator

After reverting the above commit on top of the v6.2-rc2 kernel, this issue was gone.

Reproducer code, bisect logs and kconfig info are at this link:
https://github.com/xupengfe/syzkaller_logs/tree/main/221228_010310__copy_from_iter/230103_copy_from_iter_v6.2-rc2

I hope it's helpful.

Thanks!
BR.


On 2022-12-30 at 10:33:02 +0800, Pengfei Xu wrote:
> Hi Viro,
> 
> Related email link:
> https://lore.kernel.org/lkml/Y5WlLoCBcHbfKBD5@ZenIV/
> 
> syzbot link:
> https://syzkaller.appspot.com/bug?id=4694bd1c1c0019f067af5b6e14e8ef02431b6b34
> 
> 
> I reproduced it on TGL-H with the v6.2-rc1 kernel.
> 
> All reproducer code and bisect info are at this link:
> https://github.com/xupengfe/syzkaller_logs/tree/main/221228_010310__copy_from_iter
> 
> I hope it's helpful.
> 
> Thanks!
> BR.
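As an added triage helper that is not part of this thread or of the kernel tree: a small Python parser that pulls the WARN_ON site, the reliable call-trace frames and the sg_write size notice out of a dmesg excerpt like the one quoted above, so that syzkaller reports of this kind can be grouped by warning site and by the driver that built the request. The sample log is a constructed, trimmed copy of the trace above; the function and variable names are my own.

```python
import re

# Constructed excerpt modelled on the dmesg quoted in the report above (trimmed).
SAMPLE_LOG = """\
[   29.804009] sg_write: data in/out 131036/42 bytes for SCSI command 0xff-- guessing data in;
[   29.807212] WARNING: CPU: 0 PID: 514 at lib/iov_iter.c:629 _copy_from_iter+0x130/0xa60
[   29.823270] Call Trace:
[   29.823924]  ? __sanitizer_cov_trace_pc+0x25/0x60
[   29.825782]  copy_page_from_iter+0x1aa/0x370
[   29.826928]  blk_rq_map_user_iov+0x531/0xa70
[   29.828665]  sg_common_write.isra.22+0x5fd/0xb10
[   29.829390]  sg_write+0x43a/0x750
[   29.834039]  vfs_write+0x1b6/0x780
[   29.853659] ---[ end trace 0000000000000000 ]---
"""

WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+):(\d+) (\w+)\+0x")
FRAME_RE = re.compile(r"\]\s+(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SG_RE = re.compile(r"sg_write: data in/out (\d+)/(\d+) bytes")
KERNEL_ENTRY = ("vfs_", "ksys_", "__x64_sys", "do_syscall", "entry_")

def parse_warning(log: str):
    """Return {pid, site, func, frames, sg_in_out} for the first WARNING, or None."""
    rep, sg, in_trace = None, None, False
    for line in log.splitlines():
        if m := SG_RE.search(line):
            sg = (int(m.group(1)), int(m.group(2)))     # (data in, data out)
        elif m := WARN_RE.search(line):
            rep = {"pid": int(m.group(1)), "site": f"{m.group(2)}:{m.group(3)}",
                   "func": m.group(4), "frames": [], "sg_in_out": sg}
        elif "Call Trace:" in line:
            in_trace = rep is not None
        elif in_trace and (m := FRAME_RE.search(line)):
            if m.group(1) is None:          # '? ' marks a stale, unreliable frame
                rep["frames"].append(m.group(2))   # innermost first
        elif "end trace" in line:
            break
    return rep

def entry_driver(rep) -> str:
    """Outermost frame below the syscall/VFS layer: the code that built the request."""
    for f in reversed(rep["frames"]):
        if not f.startswith(KERNEL_ENTRY):
            return f.split(".")[0]          # drop compiler suffixes such as .isra.22
    return ""
```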