Date: Sun, 12 Feb 2023 08:04:26 -0800
From: syzbot
To: akpm@linux-foundation.org, asml.silence@gmail.com, io-uring@vger.kernel.org, kees@kernel.org, keescook@chromium.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] BUG: bad usercopy in io_openat2_prep
Message-ID: <0000000000007f69b605f482e2ee@google.com>
In-Reply-To: <9552a45f-6a26-e7fa-aa63-3c74a7d17261@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: bad usercopy in io_openat2_prep

usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4995 Comm: syz-executor.0 Not tainted 6.2.0-rc6-syzkaller-00050-gfbe870a72fd1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94
lr : usercopy_abort+0x90/0x94
sp : ffff800012dd3be0
x29: ffff800012dd3bf0 x28: 000000000000001c x27: ffff0000d0e13400
x26: 00000000200000c0 x25: ffff80000cf51000 x24: fffffc0000000000
x23: 05ffc00000000200 x22: fffffc0003108280 x21: ffff0000c420a118
x20: 0000000000000000 x19: 0000000000000018 x18: 0000000000000000
x17: 0000000000000000 x16: ffff0000d0e13df8 x15: ffff80000dbd1118
x14: ffff0000d0e13400 x13: 00000000ffffffff x12: ffff0000d0e13400
x11: ff808000081bd5b0 x10: 0000000000000000 x9 : 4c3aa38d2e853f00
x8 : 4c3aa38d2e853f00 x7 : ffff800008162dbc x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000005d
Call trace:
 usercopy_abort+0x90/0x94
 __check_heap_object+0xa8/0x100
 __check_object_size+0x208/0x6b8
 io_openat2_prep+0xcc/0x2f0
 io_submit_sqes+0x330/0xba8
 __arm64_sys_io_uring_enter+0x168/0x9b0
 invoke_syscall+0x64/0x178
 el0_svc_common+0xbc/0x180
 do_el0_svc+0x48/0x150
 el0_svc+0x58/0x14c
 el0t_64_sync_handler+0x84/0xf0
 el0t_64_sync+0x190/0x194
Code: 911d2800 aa0903e1 f90003e8 94e6d3da (d4210000)
---[ end trace 0000000000000000 ]---

Tested on:

commit:         fbe870a7 io_uring,audit: don't log IORING_OP_MADVISE
git tree:       https://git.kernel.dk/linux.git for-6.3/io_uring
console output: https://syzkaller.appspot.com/x/log.txt?x=17241257480000
kernel config:  https://syzkaller.appspot.com/x/.config?x=22fc000172595f28
dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64

Note: no patches were applied.