public inbox for linux-kernel@vger.kernel.org
* [syzbot] [fs?] general protection fault in iter_file_splice_write
@ 2024-05-20  8:06 syzbot
  2024-05-22  5:21 ` Edward Adam Davis
                   ` (16 more replies)
  0 siblings, 17 replies; 33+ messages in thread
From: syzbot @ 2024-05-20  8:06 UTC (permalink / raw)
  To: brauner, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot found the following issue on:

HEAD commit:    33e02dc69afb Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13ad18d0980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1526a8dc980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14f53ae4980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-33e02dc6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/573c88ac3233/vmlinux-33e02dc6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/760a52b9a00a/bzImage-33e02dc6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 3 PID: 5196 Comm: syz-executor259 Not tainted 6.9.0-syzkaller-07370-g33e02dc69afb #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
RIP: 0010:iter_file_splice_write+0xa24/0x10b0 fs/splice.c:759
Code: 00 48 89 fa 48 c1 ea 03 80 3c 1a 00 0f 85 b1 04 00 00 4d 8b 65 10 49 c7 45 10 00 00 00 00 49 8d 7c 24 08 48 89 fa 48 c1 ea 03 <80> 3c 1a 00 0f 85 1a 05 00 00 49 8b 54 24 08 4c 89 ee 4c 89 ff 83
RSP: 0018:ffffc900031b7930 EFLAGS: 00010202
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff8209a1a8
RDX: 0000000000000001 RSI: ffffffff8209a06c RDI: 0000000000000008
RBP: 000000000000003d R08: 0000000000000006 R09: 0000000000000000
R10: 7fffffffffffefff R11: 0000000000000001 R12: 0000000000000000
R13: ffff888026d5a208 R14: 7fffffffffffefff R15: ffff88801e5c5800
FS:  00007f78cdfc16c0(0000) GS:ffff88806b300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f78ce0454d0 CR3: 0000000019dc8000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 do_splice_from fs/splice.c:941 [inline]
 direct_splice_actor+0x19b/0x6d0 fs/splice.c:1164
 splice_direct_to_actor+0x346/0xa40 fs/splice.c:1108
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x17e/0x250 fs/splice.c:1233
 do_sendfile+0xaa8/0xdb0 fs/read_write.c:1295
 __do_sys_sendfile64 fs/read_write.c:1362 [inline]
 __se_sys_sendfile64 fs/read_write.c:1348 [inline]
 __x64_sys_sendfile64+0x1da/0x220 fs/read_write.c:1348
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f78ce009d09
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f78cdfc1168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f78ce091328 RCX: 00007f78ce009d09
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000004
RBP: 00007f78ce091320 R08: 00007f78cdfc16c0 R09: 0000000000000000
R10: 0000000100000000 R11: 0000000000000246 R12: 00007f78ce09132c
R13: 0000000000000006 R14: 00007ffe98369ff0 R15: 00007ffe9836a0d8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
RIP: 0010:iter_file_splice_write+0xa24/0x10b0 fs/splice.c:759
Code: 00 48 89 fa 48 c1 ea 03 80 3c 1a 00 0f 85 b1 04 00 00 4d 8b 65 10 49 c7 45 10 00 00 00 00 49 8d 7c 24 08 48 89 fa 48 c1 ea 03 <80> 3c 1a 00 0f 85 1a 05 00 00 49 8b 54 24 08 4c 89 ee 4c 89 ff 83
RSP: 0018:ffffc900031b7930 EFLAGS: 00010202
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff8209a1a8
RDX: 0000000000000001 RSI: ffffffff8209a06c RDI: 0000000000000008
RBP: 000000000000003d R08: 0000000000000006 R09: 0000000000000000
R10: 7fffffffffffefff R11: 0000000000000001 R12: 0000000000000000
R13: ffff888026d5a208 R14: 7fffffffffffefff R15: ffff88801e5c5800
FS:  00007f78cdfc16c0(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f78ce05d0d8 CR3: 0000000019dc8000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	00 48 89             	add    %cl,-0x77(%rax)
   3:	fa                   	cli
   4:	48 c1 ea 03          	shr    $0x3,%rdx
   8:	80 3c 1a 00          	cmpb   $0x0,(%rdx,%rbx,1)
   c:	0f 85 b1 04 00 00    	jne    0x4c3
  12:	4d 8b 65 10          	mov    0x10(%r13),%r12
  16:	49 c7 45 10 00 00 00 	movq   $0x0,0x10(%r13)
  1d:	00
  1e:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 1a 00          	cmpb   $0x0,(%rdx,%rbx,1) <-- trapping instruction
  2e:	0f 85 1a 05 00 00    	jne    0x54e
  34:	49 8b 54 24 08       	mov    0x8(%r12),%rdx
  39:	4c 89 ee             	mov    %r13,%rsi
  3c:	4c 89 ff             	mov    %r15,%rdi
  3f:	83                   	.byte 0x83


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
@ 2024-05-22  5:21 ` Edward Adam Davis
  2024-05-22  5:45   ` syzbot
  2024-05-22 10:37 ` Edward Adam Davis
                   ` (15 subsequent siblings)
  16 siblings, 1 reply; 33+ messages in thread
From: Edward Adam Davis @ 2024-05-22  5:21 UTC (permalink / raw)
  To: syzbot+d2125fcb6aa8c4276fd2; +Cc: linux-kernel, syzkaller-bugs

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 218e24b1ac40..1a3c31f3e63a 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -392,6 +392,7 @@ ssize_t copy_splice_read(struct file *in, loff_t *ppos,
 			.offset	= 0,
 			.len	= chunk,
 		};
+		printk("buf: %p, ops: %p, %s\n", buf, buf->ops, __func__);
 		pipe->head++;
 		remain -= chunk;
 	}
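Review bot: the printk added before `pipe->head++` in copy_splice_read() is debugging output and has to go before anything beyond a `#syz test` run; note also that `%p` is hashed by printk, so the `buf` and `buf->ops` values it prints can be compared across calls but cannot be matched against the raw addresses in the oops.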
@@ -498,6 +499,7 @@ static inline bool eat_empty_buffer(struct pipe_inode_info *pipe)
 	unsigned int mask = pipe->ring_size - 1;
 	struct pipe_buffer *buf = &pipe->bufs[tail & mask];
 
+	printk("buf: %p, ops: %p, tail: %d %s\n", buf, buf->ops, tail, __func__);
 	if (unlikely(!buf->len)) {
 		pipe_buf_release(pipe, buf);
 		pipe->tail = tail+1;
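Review bot: `tail` in eat_empty_buffer() is `unsigned int` (it is masked with `pipe->ring_size - 1` two lines above), so the new printk should use `%u` rather than `%d`; again debug-only output that must not be in a final patch.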
@@ -755,8 +757,11 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
 			if (ret >= buf->len) {
 				ret -= buf->len;
-				buf->len = 0;
-				pipe_buf_release(pipe, buf);
+				printk("buf: %p, ops: %p, buf len: %d, tail: %d, ret: %d, tl: %llu, %s\n", buf, buf->ops, buf->len, tail, ret, sd.total_len, __func__);
+				if (buf->len) {
+					buf->len = 0;
+					pipe_buf_release(pipe, buf);
+				}
 				tail++;
 				pipe->tail = tail;
 				if (pipe->files)
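Review bot: the `if (buf->len)` guard around `pipe_buf_release()` skips the release only when the slot already has `len == 0`, i.e. when it was released on an earlier pass and its `ops` is already NULL, which is exactly the state the oops at `pipe_buf_release` reports. That hides the symptom without answering why the loop reached such a slot at all, and it can only do so when `ret` is larger than the bytes the vector loop actually handed to the write; a WARN_ON_ONCE on that condition would keep the real bug visible. The printk also mismatches types: `ret` is `ssize_t` (`%zd`), `sd.total_len` is `size_t` (`%zu`, not `%llu`), and `buf->len` and `tail` are `unsigned int` (`%u`).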
@@ -1483,6 +1488,7 @@ static ssize_t iter_to_pipe(struct iov_iter *from,
 					put_page(pages[i]);
 				goto out;
 			}
+			printk("buf: %p, size: %lu, left: %lu, total: %lu, ret: %lu, %s\n", buf, buf.len, left, total, ret, __func__);
 			total += ret;
 			left -= size;
 			start = 0;
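Review bot: in iter_to_pipe() `buf` is a `struct pipe_buffer` on the stack, not a pointer (the same printk reads `buf.len`), so passing `buf` for `%p` pushes the whole struct through the varargs and prints garbage; use `&buf`. `ret` is signed (`ssize_t`) here, so `%lu` is the wrong specifier as well; `%zd` for `ret` and `%zu` for the `size_t` values.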



* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-22  5:21 ` Edward Adam Davis
@ 2024-05-22  5:45   ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-22  5:45 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=116d7244980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=127284e8980000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
  2024-05-22  5:21 ` Edward Adam Davis
@ 2024-05-22 10:37 ` Edward Adam Davis
  2024-05-22 10:57   ` syzbot
  2024-05-22 11:30 ` Edward Adam Davis
                   ` (14 subsequent siblings)
  16 siblings, 1 reply; 33+ messages in thread
From: Edward Adam Davis @ 2024-05-22 10:37 UTC (permalink / raw)
  To: syzbot+d2125fcb6aa8c4276fd2; +Cc: linux-kernel, syzkaller-bugs

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..4dd684184572 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,9 +751,9 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		while (ret > 0) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
-			if (ret >= buf->len) {
+			if (ret >= (ssize_t)buf->len) {
 				ret -= buf->len;
 				buf->len = 0;
 				pipe_buf_release(pipe, buf);
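Review bot: `while (ret > 0)` and the `(ssize_t)` cast only change the signedness of the comparison; `ret` is already positive on entry (the `ret <= 0` early exit sits just above this loop), so the walk over `tail` is unchanged. If `ret` exceeds the total length of the buffers the vector loop collected, `tail` still passes `head` and the next `pipe_buf_release()` runs on a slot whose `ops` is NULL, which is what syzbot's follow-up at the same `fs/splice.c:759` confirms. Bounding the loop by the number of buffers actually submitted (`n` from the vector loop) or by `pipe_empty(head, tail)` stops the walk; any `ret` left over at that point is the thing to report, and the `netfs: Couldn't get user pages (rc=-14)` line printed right before the oops in syzbot's reply is where to look for who returned it from `vfs_iter_write()`.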



* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-22 10:37 ` Edward Adam Davis
@ 2024-05-22 10:57   ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-22 10:57 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in iter_file_splice_write

netfs: Couldn't get user pages (rc=-14)
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 3 PID: 5391 Comm: syz-executor.0 Not tainted 6.9.0-syzkaller-07370-g33e02dc69afb-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
RIP: 0010:iter_file_splice_write+0xa28/0x10a0 fs/splice.c:759
Code: 00 00 48 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 41 05 00 00 4d 8b 6e 10 49 c7 46 10 00 00 00 00 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 16 05 00 00 49 8b 55 08 4c 89 f6 4c 89 ff 41 83
RSP: 0018:ffffc90003927930 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 7fffffffffffefff RCX: ffffffff8209a1ad
RDX: 0000000000000001 RSI: ffffffff8209a071 RDI: 0000000000000008
RBP: dffffc0000000000 R08: 0000000000000006 R09: 0000000000000000
R10: 7fffffffffffefff R11: 0000000000000001 R12: 000000000000009d
R13: 0000000000000000 R14: ffff8880350b5a08 R15: ffff888020f01800
FS:  00007f607512b6c0(0000) GS:ffff88806b300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000026be4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 do_splice_from fs/splice.c:941 [inline]
 direct_splice_actor+0x19b/0x6d0 fs/splice.c:1164
 splice_direct_to_actor+0x346/0xa40 fs/splice.c:1108
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x17e/0x250 fs/splice.c:1233
 do_sendfile+0xaa8/0xdb0 fs/read_write.c:1295
 __do_sys_sendfile64 fs/read_write.c:1362 [inline]
 __se_sys_sendfile64 fs/read_write.c:1348 [inline]
 __x64_sys_sendfile64+0x1da/0x220 fs/read_write.c:1348
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f607447cee9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f607512b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f60745abf80 RCX: 00007f607447cee9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000004
RBP: 00007f60744c949e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000100000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f60745abf80 R15: 00007ffed559a608
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
RIP: 0010:iter_file_splice_write+0xa28/0x10a0 fs/splice.c:759
Code: 00 00 48 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 41 05 00 00 4d 8b 6e 10 49 c7 46 10 00 00 00 00 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 16 05 00 00 49 8b 55 08 4c 89 f6 4c 89 ff 41 83
RSP: 0018:ffffc90003927930 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 7fffffffffffefff RCX: ffffffff8209a1ad
RDX: 0000000000000001 RSI: ffffffff8209a071 RDI: 0000000000000008
RBP: dffffc0000000000 R08: 0000000000000006 R09: 0000000000000000
R10: 7fffffffffffefff R11: 0000000000000001 R12: 000000000000009d
R13: 0000000000000000 R14: ffff8880350b5a08 R15: ffff888020f01800
FS:  00007f607512b6c0(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f60745a8000 CR3: 0000000026be4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	48 89 fa             	mov    %rdi,%rdx
   5:	48 c1 ea 03          	shr    $0x3,%rdx
   9:	80 3c 2a 00          	cmpb   $0x0,(%rdx,%rbp,1)
   d:	0f 85 41 05 00 00    	jne    0x554
  13:	4d 8b 6e 10          	mov    0x10(%r14),%r13
  17:	49 c7 46 10 00 00 00 	movq   $0x0,0x10(%r14)
  1e:	00
  1f:	49 8d 7d 08          	lea    0x8(%r13),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 2a 00          	cmpb   $0x0,(%rdx,%rbp,1) <-- trapping instruction
  2e:	0f 85 16 05 00 00    	jne    0x54a
  34:	49 8b 55 08          	mov    0x8(%r13),%rdx
  38:	4c 89 f6             	mov    %r14,%rsi
  3b:	4c 89 ff             	mov    %r15,%rdi
  3e:	41                   	rex.B
  3f:	83                   	.byte 0x83


Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=161cfadc980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=138c6830980000


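The "dismiss the fully eaten buffers" loop that the patch above touches, modelled in user space as an added example (this is not code from the thread or from fs/splice.c; the `ring` and `pbuf` types and the `dismiss_*` helpers are stand-ins invented here). It shows why `while (ret > 0)` with a `(ssize_t)` cast still walks onto a released slot when the writer reports more bytes than the pipe held, and how a bound on the buffers actually built stops the walk while still surfacing the over-report instead of absorbing it:

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define RING_SIZE 16
#define RING_MASK (RING_SIZE - 1)

/* Stand-in for pipe_buf_operations; only its identity matters here. */
struct pbuf_ops { const char *name; };

/* Stand-in for struct pipe_buffer: ops is NULL once the slot is released. */
struct pbuf {
	unsigned int offset;
	unsigned int len;
	const struct pbuf_ops *ops;
};

/* Stand-in for the pipe ring: bufs[head & mask] is the next free slot,
 * bufs[tail & mask] the oldest filled one. */
struct ring {
	struct pbuf bufs[RING_SIZE];
	unsigned int head;
	unsigned int tail;
};

static const struct pbuf_ops page_ops = { "page" };

/* Model of pipe_buf_release(): the real one calls ops->release() and then
 * clears ops, so releasing the same slot twice dereferences NULL. */
static void pbuf_release(struct pbuf *buf)
{
	buf->ops = NULL;
}

/* Reset the ring and fill it with nbufs buffers; returns their total length. */
static size_t ring_fill(struct ring *r, const unsigned int *lens, unsigned int nbufs)
{
	size_t total = 0;

	r->head = r->tail = 0;
	for (unsigned int i = 0; i < RING_SIZE; i++)
		r->bufs[i] = (struct pbuf){ 0, 0, NULL };
	for (unsigned int i = 0; i < nbufs; i++) {
		r->bufs[r->head & RING_MASK] = (struct pbuf){ 0, lens[i], &page_ops };
		r->head++;
		total += lens[i];
	}
	return total;
}

/* The unpatched loop shape: trusts ret completely. Returns 0 on success and
 * -1 when it would release a slot whose ops is already NULL (in the kernel
 * that is the null-ptr-deref in pipe_buf_release() the report shows). */
static int dismiss_unbounded(struct ring *r, ssize_t ret)
{
	unsigned int tail = r->tail;

	while (ret > 0) {
		struct pbuf *buf = &r->bufs[tail & RING_MASK];

		if (!buf->ops)
			return -1;
		if (ret >= (ssize_t)buf->len) {
			ret -= buf->len;
			buf->len = 0;
			pbuf_release(buf);
			r->tail = ++tail;
		} else {
			buf->offset += ret;
			buf->len -= ret;
			ret = 0;
		}
	}
	return 0;
}

/* Hardened loop: never walks past the nbufs slots the vector loop built nor
 * past head. Returns -2 when ret was larger than the pipe held, so the caller
 * can report the over-reporting writer instead of silently absorbing it. */
static int dismiss_bounded(struct ring *r, ssize_t ret, unsigned int nbufs)
{
	unsigned int tail = r->tail, n = 0;

	while (ret > 0 && n < nbufs && tail != r->head) {
		struct pbuf *buf = &r->bufs[tail & RING_MASK];

		if (ret >= (ssize_t)buf->len) {
			ret -= buf->len;
			buf->len = 0;
			pbuf_release(buf);
			r->tail = ++tail;
		} else {
			buf->offset += ret;
			buf->len -= ret;
			ret = 0;
		}
		n++;
	}
	return ret > 0 ? -2 : 0;
}

int main(void)
{
	const unsigned int lens[3] = { 4096, 4096, 100 }; /* constructed input */
	struct ring r;
	size_t total = ring_fill(&r, lens, 3);

	printf("exact ret, unbounded: %d\n", dismiss_unbounded(&r, (ssize_t)total));
	ring_fill(&r, lens, 3);
	printf("ret+1, unbounded:     %d\n", dismiss_unbounded(&r, (ssize_t)total + 1));
	ring_fill(&r, lens, 3);
	printf("ret+1, bounded:       %d\n", dismiss_bounded(&r, (ssize_t)total + 1, 3));
	return 0;
}
```

The bounded variant is the shape the later `n < nbufs` revisions in this thread converge on; the point of returning a distinct error for leftover `ret` is that a writer returning more than it was given is a bug in that writer, and the splice code should make it loud rather than walk the ring looking for bytes that were never there.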

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
  2024-05-22  5:21 ` Edward Adam Davis
  2024-05-22 10:37 ` Edward Adam Davis
@ 2024-05-22 11:30 ` Edward Adam Davis
  2024-05-22 11:56   ` syzbot
  2024-05-22 12:49 ` Edward Adam Davis
                   ` (13 subsequent siblings)
  16 siblings, 1 reply; 33+ messages in thread
From: Edward Adam Davis @ 2024-05-22 11:30 UTC (permalink / raw)
  To: syzbot+d2125fcb6aa8c4276fd2; +Cc: linux-kernel, syzkaller-bugs

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..db66b8c5fe0d 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,21 +751,25 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		printk("ret: %ld, %s\n", ret, __func__);
+		while (ret > 0) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
-			if (ret >= buf->len) {
-				ret -= buf->len;
-				buf->len = 0;
-				pipe_buf_release(pipe, buf);
-				tail++;
-				pipe->tail = tail;
-				if (pipe->files)
-					sd.need_wakeup = true;
-			} else {
-				buf->offset += ret;
-				buf->len -= ret;
+			if (buf->len > 0) {
+				if (ret >= (ssize_t)buf->len) {
+					ret -= buf->len;
+					buf->len = 0;
+					pipe_buf_release(pipe, buf);
+					tail++;
+					pipe->tail = tail;
+					if (pipe->files)
+						sd.need_wakeup = true;
+				} else {
+					buf->offset += ret;
+					buf->len -= ret;
+					ret = 0;
+				}
+			} else
 				ret = 0;
-			}
 		}
 	}
 done:
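Review bot: the `else ret = 0;` branch silently drops whatever `ret` is left when an empty slot is hit, so the test passes but the mismatch that pushed `ret` past the pipe's contents is never reported; at minimum a WARN_ON_ONCE there keeps it visible. Re-indenting the whole loop body makes the diff far larger than the change: `if (!buf->len) break;` at the top of the body expresses the same thing without touching the rest. The added printk uses `%ld` for `ret`, which is `ssize_t` (`%zd`), and is debug output that must not be in the final patch.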



* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-22 11:30 ` Edward Adam Davis
@ 2024-05-22 11:56   ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-22 11:56 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15025ca4980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10592b58980000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (2 preceding siblings ...)
  2024-05-22 11:30 ` Edward Adam Davis
@ 2024-05-22 12:49 ` Edward Adam Davis
  2024-05-22 13:13   ` syzbot
  2024-05-22 13:29 ` Edward Adam Davis
                   ` (12 subsequent siblings)
  16 siblings, 1 reply; 33+ messages in thread
From: Edward Adam Davis @ 2024-05-22 12:49 UTC (permalink / raw)
  To: syzbot+d2125fcb6aa8c4276fd2; +Cc: linux-kernel, syzkaller-bugs

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..8ec408c40755 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -715,6 +715,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* build the vector */
 		left = sd.total_len;
+		printk("total len: %lu, %s\n", left, __func__);
 		for (n = 0; !pipe_empty(head, tail) && left && n < nbufs; tail++) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
 			size_t this_len = buf->len;
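Review bot: `left` is `size_t` (it is assigned from `sd.total_len` on the line above), so the printk should use `%zu`, not `%lu`; debug output for the `#syz test` run only.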
@@ -751,9 +752,16 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		printk("ret: %ld, nbufs: %d, %s\n", ret, nbufs, __func__);
+		n = 0;
+		while (ret > 0 && n < nbufs) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
-			if (ret >= buf->len) {
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
+			printk("buf len: %lu, %s\n", buf->len, __func__);
+			if (ret >= (ssize_t)buf->len) {
 				ret -= buf->len;
 				buf->len = 0;
 				pipe_buf_release(pipe, buf);
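Review bot: the `if (!buf->len) { tail++; continue; }` branch bypasses the `n++` that the third hunk places at the bottom of the body, so the `n < nbufs` bound no longer limits how far `tail` walks: a run of empty slots advances `tail` indefinitely while `ret` stays positive, and `pipe->tail` is not updated for the slots skipped, so the next outer iteration starts from the old position again. Increment `n` on the skip path too, or test `pipe_empty(head, tail)` instead. The printk prints `buf->len` (`unsigned int`) with `%lu`; `%u` is the matching specifier.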
@@ -766,6 +774,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 				buf->len -= ret;
 				ret = 0;
 			}
+			n++;
 		}
 	}
 done:
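Review bot: `n++` at the bottom of the body is skipped by the `continue` in the empty-slot branch of the previous hunk, so `n` counts only non-empty buffers; if the intent is to cap the walk at the `nbufs` slots the vector loop built, increment `n` before the empty check (as the 14:05 revision in this thread does) so that every visited slot counts.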



* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-22 12:49 ` Edward Adam Davis
@ 2024-05-22 13:13   ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-22 13:13 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15d1f33f180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17a34a52980000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (3 preceding siblings ...)
  2024-05-22 12:49 ` Edward Adam Davis
@ 2024-05-22 13:29 ` Edward Adam Davis
  2024-05-22 13:54   ` syzbot
  2024-05-22 14:05 ` Edward Adam Davis
                   ` (11 subsequent siblings)
  16 siblings, 1 reply; 33+ messages in thread
From: Edward Adam Davis @ 2024-05-22 13:29 UTC (permalink / raw)
  To: syzbot+d2125fcb6aa8c4276fd2; +Cc: linux-kernel, syzkaller-bugs

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..cf5d417b5f66 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,9 +751,15 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		n = 0;
+		while (ret > 0 && n < nbufs) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
-			if (ret >= buf->len) {
+			printk("ret: %ld, nbufs: %d,  buf len: %lu, n: %d, %s\n", ret, nbufs, buf->len, n,  __func__);
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
+			if (ret >= (ssize_t)buf->len) {
 				ret -= buf->len;
 				buf->len = 0;
 				pipe_buf_release(pipe, buf);
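Review bot: moving the printk ahead of the empty-slot check is the useful place for it, since it records the `len == 0` slot the original loop would have released, but the specifiers are still off: `%ld` for `ret` should be `%zd` and `%lu` for `buf->len` should be `%u`. The skip branch still does not increment `n`, so the `n < nbufs` bound does not cover empty slots.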
@@ -766,6 +772,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 				buf->len -= ret;
 				ret = 0;
 			}
+			n++;
 		}
 	}
 done:



* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-22 13:29 ` Edward Adam Davis
@ 2024-05-22 13:54   ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-22 13:54 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13612b3f180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15794fe0980000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (4 preceding siblings ...)
  2024-05-22 13:29 ` Edward Adam Davis
@ 2024-05-22 14:05 ` Edward Adam Davis
  2024-05-22 14:30   ` syzbot
  2024-05-23  8:33 ` [syzbot] " syzbot
                   ` (10 subsequent siblings)
  16 siblings, 1 reply; 33+ messages in thread
From: Edward Adam Davis @ 2024-05-22 14:05 UTC (permalink / raw)
  To: syzbot+d2125fcb6aa8c4276fd2; +Cc: linux-kernel, syzkaller-bugs

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..a6b44c10b08c 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,16 +751,25 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		n = 0;
+		while (ret > 0 && n < nbufs) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
-			if (ret >= buf->len) {
+			printk("ret: %d, nbufs: %d,  buf len: %lu, n: %d, %s\n", ret, nbufs, buf->len, n,  __func__);
+			n++;
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
+			if (ret >= (ssize_t)buf->len) {
 				ret -= buf->len;
+				printk("ret: %d, nbufs: %d,  buf len: %lu, n: %d, %s\n", ret, nbufs, buf->len, n,  __func__);
 				buf->len = 0;
 				pipe_buf_release(pipe, buf);
 				tail++;
 				pipe->tail = tail;
 				if (pipe->files)
 					sd.need_wakeup = true;
+				BUG_ON(1);
 			} else {
 				buf->offset += ret;
 				buf->len -= ret;
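Review bot: `BUG_ON(1)` after the release path fires on the first fully consumed buffer in any splice write, so any boot-time user of splice/sendfile that pushes a whole buffer through here panics the kernel; syzbot's reply reports the boot as failed rather than a crash from the reproducer, which is the expected outcome of an unconditional BUG_ON at this point. If the goal is a stack trace of the first full-buffer dismissal, WARN_ONCE() gives the trace without killing the task. `%d` for `ret` (`ssize_t`) should be `%zd` in both printks, and the second one runs after `ret -= buf->len` but before `buf->len = 0`, so it reports the pre-release length, which is fine as long as that is what is meant.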



* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-22 14:05 ` Edward Adam Davis
@ 2024-05-22 14:30   ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-22 14:30 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

] Freeing unused kernel image (initmem) memory: 26000K
[   21.902015][    T1] Write protecting the kernel read-only data: 204800k
[   21.915990][    T1] Freeing unused kernel image (rodata/data gap) memory: 1740K
[   22.001150][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   22.010555][    T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[   22.014380][    T1] Run /sbin/init as init process
[   22.270925][    T1] SELinux:  Class mctp_socket not defined in policy.
[   22.273265][    T1] SELinux:  Class anon_inode not defined in policy.
[   22.275479][    T1] SELinux:  Class io_uring not defined in policy.
[   22.277605][    T1] SELinux:  Class user_namespace not defined in policy.
[   22.279958][    T1] SELinux: the above unknown classes and permissions will be denied
[   22.376641][    T1] SELinux:  policy capability network_peer_controls=1
[   22.379248][    T1] SELinux:  policy capability open_perms=1
[   22.381279][    T1] SELinux:  policy capability extended_socket_class=1
[   22.383632][    T1] SELinux:  policy capability always_check_network=0
[   22.386099][    T1] SELinux:  policy capability cgroup_seclabel=1
[   22.388512][    T1] SELinux:  policy capability nnp_nosuid_transition=1
[   22.391006][    T1] SELinux:  policy capability genfs_seclabel_symlinks=0
[   22.393353][    T1] SELinux:  policy capability ioctl_skip_cloexec=0
[   22.395753][    T1] SELinux:  policy capability userspace_initial_context=0
[   22.493592][   T39] audit: type=1403 audit(1716387584.398:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[   22.539716][ T4655] mount (4655) used greatest stack depth: 23344 bytes left
[   31.870098][ T4918] ret: 114, nbufs: 16,  buf len: 114, n: 0, iter_file_splice_write
[   31.872828][ T4918] ret: 0, nbufs: 16,  buf len: 114, n: 1, iter_file_splice_write
[   31.875479][ T4918] ------------[ cut here ]------------
[   31.877625][ T4918] kernel BUG at fs/splice.c:772!
[   31.879642][ T4918] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[   31.882144][ T4918] CPU: 2 PID: 4918 Comm: cat Not tainted 6.9.0-syzkaller-07370-g33e02dc69afb-dirty #0
[   31.886067][ T4918] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   31.890166][ T4918] RIP: 0010:iter_file_splice_write+0x1039/0x1180
[   31.892847][ T4918] Code: c1 ea 03 83 c3 01 0f b6 14 02 48 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 8b 00 00 00 48 8b 04 24 89 98 34 01 00 00 90 <0f> 0b 48 89 cf e8 8d 0e e0 ff e9 38 f3 ff ff e8 83 0e e0 ff e9 ea
[   31.900759][ T4918] RSP: 0018:ffffc900039af930 EFLAGS: 00010246
[   31.903148][ T4918] RAX: ffff8880254fec00 RBX: 0000000000000001 RCX: ffff8880254fed34
[   31.906429][ T4918] RDX: 0000000000000000 RSI: ffffffff82098b90 RDI: ffff88802ea30818
[   31.909550][ T4918] RBP: 0000000000000072 R08: 0000000000000001 R09: 0000000000000000
[   31.912529][ T4918] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802ea30800
[   31.915665][ T4918] R13: 0000000000000072 R14: 0000000000000072 R15: ffff88802ea3080c
[   31.918807][ T4918] FS:  00007f39afea8500(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
[   31.921822][ T4918] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.924602][ T4918] CR2: 00007f39b016e5c4 CR3: 000000002b4a6000 CR4: 0000000000350ef0
[   31.927480][ T4918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   31.930220][ T4918] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   31.933091][ T4918] Call Trace:
[   31.934542][ T4918]  <TASK>
[   31.935639][ T4918]  ? show_regs+0x8c/0xa0
[   31.937245][ T4918]  ? die+0x36/0xa0
[   31.938912][ T4918]  ? do_trap+0x232/0x430
[   31.940376][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.942133][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.944212][ T4918]  ? do_error_trap+0xf4/0x230
[   31.946283][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.948819][ T4918]  ? handle_invalid_op+0x34/0x40
[   31.950675][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.952589][ T4918]  ? exc_invalid_op+0x2e/0x50
[   31.954493][ T4918]  ? asm_exc_invalid_op+0x1a/0x20
[   31.956421][ T4918]  ? page_cache_pipe_buf_release+0x110/0x2f0
[   31.958569][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.960765][ T4918]  ? __pfx_iter_file_splice_write+0x10/0x10
[   31.963016][ T4918]  ? __pfx_lock_acquire+0x10/0x10
[   31.964920][ T4918]  ? __pfx_iter_file_splice_write+0x10/0x10
[   31.967141][ T4918]  direct_splice_actor+0x19b/0x6d0
[   31.969069][ T4918]  splice_direct_to_actor+0x346/0xa40
[   31.971093][ T4918]  ? __pfx_direct_splice_actor+0x10/0x10
[   31.973209][ T4918]  ? __pfx_splice_direct_to_actor+0x10/0x10
[   31.975456][ T4918]  ? __fsnotify_parent+0x27d/0x9d0
[   31.977400][ T4918]  ? __pfx___might_resched+0x10/0x10
[   31.979416][ T4918]  do_splice_direct+0x17e/0x250
[   31.981880][ T4918]  ? __pfx_do_splice_direct+0x10/0x10
[   31.983926][ T4918]  ? avc_policy_seqno+0x9/0x20
[   31.985751][ T4918]  ? __pfx_direct_file_splice_eof+0x10/0x10
[   31.987982][ T4918]  do_sendfile+0xaa8/0xdb0
[   31.989672][ T4918]  ? __pfx_do_sendfile+0x10/0x10
[   31.991574][ T4918]  ? do_user_addr_fault+0x6d7/0x1010
[   31.993526][ T4918]  __x64_sys_sendfile64+0x1da/0x220
[   31.995516][ T4918]  ? __pfx___x64_sys_sendfile64+0x10/0x10
[   31.997677][ T4918]  do_syscall_64+0xcf/0x260
[   31.999401][ T4918]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   32.001652][ T4918] RIP: 0033:0x7f39affffefa
[   32.003356][ T4918] Code: ff 76 13 83 f8 a1 74 03 f7 d8 c3 4c 89 d2 4c 89 c6 e9 49 fe ff ff 31 c0 c3 0f 1f 80 00 00 00 00 49 89 ca b8 28 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d fe 6e 0d 00 f7 d8 64 89 01 48
[   32.010454][ T4918] RSP: 002b:00007fffa16e8068 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   32.013594][ T4918] RAX: ffffffffffffffda RBX: 0000000001000000 RCX: 00007f39affffefa
[   32.016570][ T4918] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000001
[   32.019528][ T4918] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   32.022555][ T4918] R10: 0000000001000000 R11: 0000000000000246 R12: 0000000000000003
[   32.025553][ T4918] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   32.028586][ T4918]  </TASK>
[   32.029791][ T4918] Modules linked in:
[   32.031452][ T4918] ---[ end trace 0000000000000000 ]---
[   32.033862][ T4918] RIP: 0010:iter_file_splice_write+0x1039/0x1180
[   32.036610][ T4918] Code: c1 ea 03 83 c3 01 0f b6 14 02 48 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 8b 00 00 00 48 8b 04 24 89 98 34 01 00 00 90 <0f> 0b 48 89 cf e8 8d 0e e0 ff e9 38 f3 ff ff e8 83 0e e0 ff e9 ea
[   32.045466][ T4918] RSP: 0018:ffffc900039af930 EFLAGS: 00010246
[   32.048320][ T4918] RAX: ffff8880254fec00 RBX: 0000000000000001 RCX: ffff8880254fed34
[   32.050899][ T4918] RDX: 0000000000000000 RSI: ffffffff82098b90 RDI: ffff88802ea30818
[   32.054095][ T4918] RBP: 0000000000000072 R08: 0000000000000001 R09: 0000000000000000
[   32.057263][ T4918] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802ea30800
[   32.060607][ T4918] R13: 0000000000000072 R14: 0000000000000072 R15: ffff88802ea3080c
[   32.063406][ T4918] FS:  00007f39afea8500(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
[   32.066421][ T4918] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   32.068828][ T4918] CR2: 00007f39b016e5c4 CR3: 000000002b4a6000 CR4: 0000000000350ef0
[   32.071717][ T4918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   32.074503][ T4918] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   32.077572][ T4918] Kernel panic - not syncing: Fatal exception
[   32.080225][ T4918] Kernel Offset: disabled
[   32.081708][ T4918] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=164efe44980000


Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=179a8cec980000


^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [syzbot] [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (5 preceding siblings ...)
  2024-05-22 14:05 ` Edward Adam Davis
@ 2024-05-23  8:33 ` syzbot
  2024-05-23  9:23 ` syzbot
                   ` (9 subsequent siblings)
  16 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-23  8:33 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: lizhi.xu@windriver.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..a7d59b2f1804 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,8 +751,18 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		while (ret > 0) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+			printk("ret: %d, nbufs: %d,  buf len: %u, m: %u, t: %u,ring size: %u, %s\n", ret, nbufs, buf->len, mask, tail, pipe->ring_size, __func__);
+			if (pipe->ring_size <= mask) {
+				ret = -EPIPE;
+				printk("oooh, %s\n", __func__);
+				break;
+			}
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
 			if (ret >= buf->len) {
 				ret -= buf->len;
 				buf->len = 0;
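Review bot: the new `if (pipe->ring_size <= mask)` guard at the top of the loop can never be true if `mask` is the ring-size mask (`ring_size - 1`), so it does not protect anything, and the `if (!buf->len) { tail++; continue; }` branch below it introduces a termination problem: `tail` advances while `ret` stays unchanged, so if every remaining slot is empty the loop spins forever on the wrapped index. Bound the walk by the number of buffers actually submitted to the write instead of by an index check. The diagnostic `printk` also prints the `ssize_t` `ret` with `%d`; `%zd` is the correct specifier, and the tracing lines should be dropped before this is proposed as a fix.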

^ permalink raw reply related	[flat|nested] 33+ messages in thread

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
       [not found] <20240523083332.761304-1-lizhi.xu@windriver.com>
@ 2024-05-23  8:58 ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-23  8:58 UTC (permalink / raw)
  To: linux-kernel, lizhi.xu, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12096df0980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10f9903c980000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [syzbot] [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (6 preceding siblings ...)
  2024-05-23  8:33 ` [syzbot] " syzbot
@ 2024-05-23  9:23 ` syzbot
  2024-05-23 12:33 ` Edward Adam Davis
                   ` (8 subsequent siblings)
  16 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-23  9:23 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: lizhi.xu@windriver.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..35a99fdabe9c 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,8 +751,18 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		while (ret > 0) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+			printk("ret: %d, nbufs: %d,  buf len: %u, m: %u, t: %u,ring size: %u, bufs len: %d, %s\n", ret, nbufs, buf->len, mask, tail, pipe->ring_size, ARRAY_SIZE(pipe->bufs), __func__);
+			if (ARRAY_SIZE(pipe->bufs) <= mask) {
+				ret = -EPIPE;
+				printk("oooh, %s\n", __func__);
+				break;
+			}
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
 			if (ret >= buf->len) {
 				ret -= buf->len;
 				buf->len = 0;
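Review bot: `ARRAY_SIZE(pipe->bufs)` in the new guard will not compile: `pipe->bufs` is a pointer to the ring, not an array, and `ARRAY_SIZE()` carries a `__must_be_array()` build-time check, which is the `negative width in bit-field` error the bot reports for this patch. The ring length is `pipe->ring_size`, and `ring_size <= mask` is still never true once `mask` is `ring_size - 1`. The zero-length skip (`tail++; continue;`) keeps the same unbounded-loop risk as the previous version, since it never changes `ret`.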

^ permalink raw reply related	[flat|nested] 33+ messages in thread

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
       [not found] <20240523092352.1279292-1-lizhi.xu@windriver.com>
@ 2024-05-23  9:36 ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-23  9:36 UTC (permalink / raw)
  To: linux-kernel, lizhi.xu, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

./include/linux/build_bug.h:16:51: error: negative width in bit-field '<anonymous>'


Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16f52fa2980000


^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (7 preceding siblings ...)
  2024-05-23  9:23 ` syzbot
@ 2024-05-23 12:33 ` Edward Adam Davis
  2024-05-23 12:58   ` syzbot
  2024-05-23 14:13 ` Edward Adam Davis
                   ` (7 subsequent siblings)
  16 siblings, 1 reply; 33+ messages in thread
From: Edward Adam Davis @ 2024-05-23 12:33 UTC (permalink / raw)
  To: syzbot+d2125fcb6aa8c4276fd2; +Cc: linux-kernel, syzkaller-bugs

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..a38709405e54 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,8 +751,16 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		n = 0;
+		while (ret > 0 && n < nbufs) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+			printk("ret: %ld, nbufs: %d,  buf len: %u, m: %u, t: %u,ring size: %u, t&m: %u, %s\n", 
+				ret, nbufs, buf->len, mask, tail, pipe->ring_size, tail & mask, __func__);
+			n++;
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
 			if (ret >= buf->len) {
 				ret -= buf->len;
 				buf->len = 0;
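Review bot: bounding the walk with `n < nbufs` stops the loop from running past the ring, but it does so silently: when the bound trips, `ret` is still positive, which means `->write_iter()` reported more bytes than this iteration submitted, and that condition should be reported (at least `WARN_ON_ONCE()`) or returned as an error rather than absorbed. Resetting `n = 0` also discards whatever count it held before the loop; if that was the number of bvecs built for this write, it is the tighter bound to use. The `printk` line has trailing whitespace after the comma and prints the `ssize_t` `ret` with `%ld`; `%zd` is the portable specifier.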


^ permalink raw reply related	[flat|nested] 33+ messages in thread

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-23 12:33 ` Edward Adam Davis
@ 2024-05-23 12:58   ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-23 12:58 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17d87942980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=133e9f7c980000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (8 preceding siblings ...)
  2024-05-23 12:33 ` Edward Adam Davis
@ 2024-05-23 14:13 ` Edward Adam Davis
  2024-05-23 14:37   ` syzbot
  2024-05-24  0:52 ` [syzbot] " syzbot
                   ` (6 subsequent siblings)
  16 siblings, 1 reply; 33+ messages in thread
From: Edward Adam Davis @ 2024-05-23 14:13 UTC (permalink / raw)
  To: syzbot+d2125fcb6aa8c4276fd2; +Cc: linux-kernel, syzkaller-bugs

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..2881e9a7e491 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -751,10 +751,19 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		n = 0;
+		while (ret > 0 && n < nbufs) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+			n++;
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
 			if (ret >= buf->len) {
+				printk("ret: %ld, nbufs: %d, buf:%p, buf len: %u, m: %u, t: %u,ring size: %u, t&m: %u, n:%d, %s\n", 
+					ret, nbufs, buf, buf->len, mask, tail, pipe->ring_size, tail & mask, n, __func__);
 				ret -= buf->len;
+				printk("ret: %ld, %s\n", ret, __func__);
 				buf->len = 0;
 				pipe_buf_release(pipe, buf);
 				tail++;
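Review bot: the `if (!buf->len) { tail++; continue; }` skip advances the local `tail` past a slot without calling `pipe_buf_release()` on it, while the consumed branch below releases the buffer and then advances; a zero-length buffer sitting between consumed buffers is therefore stepped over and its reference is never dropped once the pipe tail moves past it. Either release the empty buffer as well or explain why an empty slot cannot be in the live region. The two diagnostic `printk`s (with `%ld` for `ssize_t` and trailing whitespace on the first) are debugging aids and should not appear in the final patch.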


^ permalink raw reply related	[flat|nested] 33+ messages in thread

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-23 14:13 ` Edward Adam Davis
@ 2024-05-23 14:37   ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-23 14:37 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17ccd634980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13fec2b2980000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [syzbot] [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (9 preceding siblings ...)
  2024-05-23 14:13 ` Edward Adam Davis
@ 2024-05-24  0:52 ` syzbot
  2024-05-24  1:30 ` syzbot
                   ` (5 subsequent siblings)
  16 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-24  0:52 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: lizhi.xu@windriver.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..2df64a29c568 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -745,16 +745,30 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 		if (ret <= 0)
 			break;
 
+		printk("ret: %ld, total len: %lu, %s\n", ret, sd.total_len, __func__);
+		if (ret > sd.total_len) {
+			ret = -EINVAL;
+			goto done;
+		}
 		sd.num_spliced += ret;
 		sd.total_len -= ret;
 		*ppos = sd.pos;
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		n = 0;
+		while (ret > 0 && n < nbufs) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+			n++;
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
 			if (ret >= buf->len) {
+				printk("ret: %ld, nbufs: %d, buf:%p, buf len: %u, m: %u, t: %u,ring size: %u, t&m: %u, n:%d, %s\n", 
+					ret, nbufs, buf, buf->len, mask, tail, pipe->ring_size, tail & mask, n, __func__);
 				ret -= buf->len;
+				printk("ret: %ld, %s\n", ret, __func__);
 				buf->len = 0;
 				pipe_buf_release(pipe, buf);
 				tail++;
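Review bot: the `ret > sd.total_len` check is the right invariant to enforce (a `->write_iter()` must not report more bytes than it was given), and placing it before `sd.num_spliced += ret` keeps the accounting consistent. Two points on it: returning a bare `-EINVAL` hides which filesystem misbehaved, so pair it with `WARN_ON_ONCE()` so the offending `->write_iter()` is identified; and if `sd.total_len` can be larger than the bytes actually placed in the bvec for this round, the comparison still lets an over-reported `ret` through, so comparing against the submitted byte count would be tighter. The `printk`s use `%ld`/`%lu` for `ssize_t`/`size_t` values where `%zd`/`%zu` are correct, and the zero-length skip still leaves the empty buffer unreleased.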

^ permalink raw reply related	[flat|nested] 33+ messages in thread

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
       [not found] <20240524005225.2834298-1-lizhi.xu@windriver.com>
@ 2024-05-24  1:15 ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-24  1:15 UTC (permalink / raw)
  To: linux-kernel, lizhi.xu, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=135ad634980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=117d5142980000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [syzbot] [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (10 preceding siblings ...)
  2024-05-24  0:52 ` [syzbot] " syzbot
@ 2024-05-24  1:30 ` syzbot
  2024-05-24  2:07 ` syzbot
                   ` (4 subsequent siblings)
  16 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-24  1:30 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: lizhi.xu@windriver.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..c6d812684d4e 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -745,16 +745,30 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 		if (ret <= 0)
 			break;
 
+		printk("ret: %ld, total len: %lu, %s\n", ret, sd.total_len, __func__);
+		if (ret > sd.total_len) {
+			ret = -EINVAL;
+			goto done;
+		}
 		sd.num_spliced += ret;
 		sd.total_len -= ret;
 		*ppos = sd.pos;
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		n = 0;
+		while (ret > 0 && n < nbufs) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+			printk("ret: %ld, nbufs: %d, buf:%p, buf len: %u, m: %u, t: %u,ring size: %u, t&m: %u, n:%d, %s\n", 
+					ret, nbufs, buf, buf->len, mask, tail, pipe->ring_size, tail & mask, n, __func__);
+			n++;
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
 			if (ret >= buf->len) {
 				ret -= buf->len;
+				printk("ret: %ld, %s\n", ret, __func__);
 				buf->len = 0;
 				pipe_buf_release(pipe, buf);
 				tail++;
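Review bot: moving the first `printk` ahead of the `!buf->len` test now logs every slot including the skipped ones, which doubles the trace noise without adding information about the over-length `ret` case. Otherwise the same points apply as for the previous revision of this hunk: `%ld`/`%lu` should be `%zd`/`%zu` for `ssize_t`/`size_t`, the empty slot skipped by `tail++; continue;` is never released, and the `ret > sd.total_len` path should carry a `WARN_ON_ONCE()` so the misbehaving `->write_iter()` is named rather than silently mapped to `-EINVAL`.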
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 1121601536d1..f7c32835b094 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -510,6 +510,7 @@ ssize_t netfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
 	netfs_end_io_write(inode);
 	if (ret > 0)
 		ret = generic_write_sync(iocb, ret);
+	printk("ret: %ld, %s\n", ret, __func__);
 	return ret;
 }
 EXPORT_SYMBOL(netfs_file_write_iter);
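Review bot: the added `printk` prints the `ssize_t` `ret` with `%ld`; use `%zd`. This is tracing only and should not be part of the final change to `netfs_file_write_iter()`.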
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 608ba6416919..8157b4e6d7b3 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -190,6 +190,7 @@ ssize_t netfs_unbuffered_write_iter(struct kiocb *iocb, struct iov_iter *from)
 			   FSCACHE_INVAL_DIO_WRITE);
 	ret = netfs_unbuffered_write_iter_locked(iocb, from, NULL);
 out:
+	printk("ret: %ld, %s\n", ret, __func__);
 	netfs_end_io_direct(inode);
 	return ret;
 }
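Review bot: same format issue as the previous hunk, `%ld` for a `ssize_t` where `%zd` is correct; placing the trace after the `out:` label is fine for catching both the normal and the error exits, but it is debugging instrumentation and should be removed before submission.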

^ permalink raw reply related	[flat|nested] 33+ messages in thread

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
       [not found] <20240524012956.3069071-1-lizhi.xu@windriver.com>
@ 2024-05-24  1:51 ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-24  1:51 UTC (permalink / raw)
  To: linux-kernel, lizhi.xu, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17bad634980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17736ab2980000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [syzbot] [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (11 preceding siblings ...)
  2024-05-24  1:30 ` syzbot
@ 2024-05-24  2:07 ` syzbot
  2024-05-24  3:51 ` syzbot
                   ` (3 subsequent siblings)
  16 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-24  2:07 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: lizhi.xu@windriver.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..abf45d6184a5 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -745,14 +745,25 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 		if (ret <= 0)
 			break;
 
+		printk("ret: %zd, total len: %zu, %s\n", ret, sd.total_len, __func__);
+		if (ret > sd.total_len) {
+			ret = -EINVAL;
+			goto done;
+		}
 		sd.num_spliced += ret;
 		sd.total_len -= ret;
 		*ppos = sd.pos;
 
 		/* dismiss the fully eaten buffers, adjust the partial one */
 		tail = pipe->tail;
-		while (ret) {
+		n = 0;
+		while (ret > 0 && n < nbufs) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+			n++;
+			if (!buf->len) {
+				tail++;
+				continue;
+			}
 			if (ret >= buf->len) {
 				ret -= buf->len;
 				buf->len = 0;
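Review bot: the `ret > sd.total_len` guard placed before `sd.num_spliced += ret` treats a `->write_iter()` result larger than the requested length as a caller-side error, but a callee reporting more bytes than it was asked to write is a bug in that callee; in splice this belongs at most as a `WARN_ON_ONCE`-style sanity check, and the `printk` with `__func__` is debugging output that must not go upstream. Also, `n` and `nbufs` are used without being introduced in this hunk; confirm they are the same counters the function already uses when building the vector, since `n < nbufs` silently stops dismissing buffers once that bound is hit even when `ret` is still non-zero.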
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 1121601536d1..f7c32835b094 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -510,6 +510,7 @@ ssize_t netfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
 	netfs_end_io_write(inode);
 	if (ret > 0)
 		ret = generic_write_sync(iocb, ret);
+	printk("ret: %ld, %s\n", ret, __func__);
 	return ret;
 }
 EXPORT_SYMBOL(netfs_file_write_iter);
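Review bot: `printk("ret: %ld, ...", ret, ...)` prints a `ssize_t` with `%ld`; the other probes in this series use `%zd`, which is the correct specifier for `ssize_t` and avoids a format warning on architectures where `long` and `ssize_t` differ. Like the other `printk` lines here this is test instrumentation only and should be dropped before anything is submitted.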
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 608ba6416919..ecd57c4d0ecb 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -69,6 +69,7 @@ static ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov
 		 */
 		if (async || user_backed_iter(iter)) {
 			n = netfs_extract_user_iter(iter, len, &wreq->iter, 0);
+			printk("ret: %zd, %s\n", n, __func__);
 			if (n < 0) {
 				ret = n;
 				goto out;
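Review bot: logging `n` before the `if (n < 0)` test is the useful probe in this hunk, because it distinguishes an extraction that returned an error from one that returned 0 and fell through into the write path; worth noting in the test results which of the two the reproducer produces, since the `n < 0` check as written does nothing for the 0 case.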
@@ -190,6 +191,7 @@ ssize_t netfs_unbuffered_write_iter(struct kiocb *iocb, struct iov_iter *from)
 			   FSCACHE_INVAL_DIO_WRITE);
 	ret = netfs_unbuffered_write_iter_locked(iocb, from, NULL);
 out:
+	printk("ret: %zd, %s\n", ret, __func__);
 	netfs_end_io_direct(inode);
 	return ret;
 }


* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
       [not found] <20240524020717.1126466-1-lizhi.xu@windriver.com>
@ 2024-05-24  2:31 ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-24  2:31 UTC (permalink / raw)
  To: linux-kernel, lizhi.xu, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=110c280c980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14f2c0fc980000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (12 preceding siblings ...)
  2024-05-24  2:07 ` syzbot
@ 2024-05-24  3:51 ` syzbot
  2024-05-24  5:35 ` [PATCH] netfs: if extracting pages from user iterator fails return 0 Lizhi Xu
                   ` (2 subsequent siblings)
  16 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-24  3:51 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [syzbot] [fs?] general protection fault in iter_file_splice_write
Author: lizhi.xu@windriver.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 608ba6416919..d74761fb1876 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -69,7 +69,7 @@ static ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov
 		 */
 		if (async || user_backed_iter(iter)) {
 			n = netfs_extract_user_iter(iter, len, &wreq->iter, 0);
-			if (n < 0) {
+			if (n <= 0) {
 				ret = n;
 				goto out;
 			}
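Review bot: with `n <= 0` and `ret = n`, a zero result from `netfs_extract_user_iter()` makes the write return 0 for a non-zero request; callers such as the splice loop (`if (ret <= 0) break;`) then stop without progress and user space sees a zero-length write rather than an error, so consider whether an explicit error code would be more informative to the caller. The `out:` label's cleanup is not in the hunk; confirm that the request allocated for this write is released on that path when it is taken before any subrequest was issued.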


* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
       [not found] <20240524035136.1561347-1-lizhi.xu@windriver.com>
@ 2024-05-24  4:16 ` syzbot
  0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-05-24  4:16 UTC (permalink / raw)
  To: linux-kernel, lizhi.xu, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com

Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17192b3f180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17f2f392980000

Note: testing is done by a robot and is best-effort only.


* [PATCH] netfs: if extracting pages from user iterator fails return 0
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (13 preceding siblings ...)
  2024-05-24  3:51 ` syzbot
@ 2024-05-24  5:35 ` Lizhi Xu
  2024-08-11 22:43 ` [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
  2025-09-23 19:59 ` syzbot
  16 siblings, 0 replies; 33+ messages in thread
From: Lizhi Xu @ 2024-05-24  5:35 UTC (permalink / raw)
  To: syzbot+d2125fcb6aa8c4276fd2
  Cc: brauner, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, viro

When extracting the pages from a user iterator fails, netfs_extract_user_iter()
will return 0. This situation will result in an abnormal and oversized return
value for netfs_unbuffered_writer_locked() (for example, 9223372036854775807).

Therefore, when the number of extracted pages is 0, set ret to 0 and jump to out.

Reported-and-tested-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 fs/netfs/direct_write.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 608ba6416919..d74761fb1876 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -69,7 +69,7 @@ static ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov
 		 */
 		if (async || user_backed_iter(iter)) {
 			n = netfs_extract_user_iter(iter, len, &wreq->iter, 0);
-			if (n < 0) {
+			if (n <= 0) {
 				ret = n;
 				goto out;
 			}
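Review bot: the description says "set ret to 0" but the code does `ret = n`, which a reader has to check is 0 at that point; an explicit `ret = 0;` in the `n == 0` branch, or a one-line comment, would make the intent match the text. The description also names `netfs_unbuffered_writer_locked()` while the hunk header shows the function is `netfs_unbuffered_write_iter_locked()`, and the trailer has no `Fixes:` tag identifying the commit that introduced the zero-return path, which makes stable backporting harder.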
-- 
2.43.0


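As an added example, not code from the kernel or from this thread, here is a user-space C model of the buffer-dismissal loop shown in the splice.c test patch earlier in the thread: it demonstrates why a `->write_iter()` result larger than the requested length (such as the 9223372036854775807 cited in the patch description) walks into unfilled pipe slots, which is where the reported NULL dereference occurs, and how bounding the result by the requested length stops it. The struct and function names (`model_pipe`, `model_buf`, `splice_consume`, `make_pipe`) are invented for the model.

```c
/* Added example, not kernel code: a user-space model of the pipe-buffer
 * bookkeeping done after ->write_iter() returns.  All names are invented. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define NBUFS 4               /* ring size, a power of two as in the kernel */
#define MASK  (NBUFS - 1)

struct model_buf  { size_t len; bool has_ops; };   /* has_ops: buf->ops != NULL */
struct model_pipe { struct model_buf bufs[NBUFS]; unsigned int tail; };

/* Dismiss fully written buffers and trim the partial one, as the kernel loop
 * does.  Returns the number of buffers released, -1 if the loop reached a
 * slot with no ops (where the real pipe_buf_release() would dereference NULL),
 * or -EINVAL when `bounded` is set and ret exceeds the requested length. */
static int splice_consume(struct model_pipe *p, size_t total_len,
                          ssize_t ret, bool bounded)
{
    if (bounded && ret > (ssize_t)total_len)
        return -EINVAL;       /* hardened caller: never trust ret > requested */
    int released = 0;
    while (ret > 0) {
        struct model_buf *buf = &p->bufs[p->tail & MASK];
        if (!buf->has_ops)
            return -1;        /* unfilled slot: the crash site in the report */
        if (ret >= (ssize_t)buf->len) {
            ret -= (ssize_t)buf->len;
            buf->len = 0;
            buf->has_ops = false;   /* released: ops cleared like the kernel */
            p->tail++;
            released++;
        } else {
            buf->len -= (size_t)ret; /* partial buffer keeps its remainder */
            ret = 0;
        }
    }
    return released;
}

/* Constructed input: a pipe with `filled` buffers of `len` bytes each. */
static struct model_pipe make_pipe(unsigned int filled, size_t len)
{
    struct model_pipe p = {0};
    for (unsigned int i = 0; i < filled && i < NBUFS; i++)
        p.bufs[i] = (struct model_buf){ .len = len, .has_ops = true };
    return p;
}
```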

* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (14 preceding siblings ...)
  2024-05-24  5:35 ` [PATCH] netfs: if extracting pages from user iterator fails return 0 Lizhi Xu
@ 2024-08-11 22:43 ` syzbot
  2025-09-23 19:59 ` syzbot
  16 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2024-08-11 22:43 UTC (permalink / raw)
  To: asmadeus, brauner, dhowells, eadavis, ericvh, jack, jlayton,
	linux-afs, linux-fsdevel, linux-kernel, linux_oss, lizhi.xu,
	lucho, marc.dionne, netfs, syzkaller-bugs, v9fs, viro

syzbot has bisected this issue to:

commit 2df86547b23dabcd02ab000a24ed7813606c269f
Author: David Howells <dhowells@redhat.com>
Date:   Fri Mar 8 12:36:05 2024 +0000

    netfs: Cut over to using new writeback code

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=148b014b980000
start commit:   5189dafa4cf9 Merge tag 'nfsd-6.11-1' of git://git.kernel.o..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=168b014b980000
console output: https://syzkaller.appspot.com/x/log.txt?x=128b014b980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8a2eef9745ade09
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16828c5d980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=103c7805980000

Reported-by: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com
Fixes: 2df86547b23d ("netfs: Cut over to using new writeback code")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
                   ` (15 preceding siblings ...)
  2024-08-11 22:43 ` [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
@ 2025-09-23 19:59 ` syzbot
  2025-09-25 12:47   ` David Howells
  16 siblings, 1 reply; 33+ messages in thread
From: syzbot @ 2025-09-23 19:59 UTC (permalink / raw)
  To: asmadeus, brauner, danielyangkang, dhowells, eadavis, ericvh,
	jack, jlayton, linux-afs, linux-fsdevel, linux-kernel, linux_oss,
	lizhi.xu, lucho, marc.dionne, netfs, pc, syzkaller-bugs, v9fs,
	viro

syzbot suspects this issue was fixed by commit:

commit a3de58b12ce074ec05b8741fa28d62ccb1070468
Author: David Howells <dhowells@redhat.com>
Date:   Thu Aug 14 21:45:50 2025 +0000

    netfs: Fix unbuffered write error handling

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=162dc142580000
start commit:   5189dafa4cf9 Merge tag 'nfsd-6.11-1' of git://git.kernel.o..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8a2eef9745ade09
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16828c5d980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=103c7805980000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: netfs: Fix unbuffered write error handling

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
  2025-09-23 19:59 ` syzbot
@ 2025-09-25 12:47   ` David Howells
  0 siblings, 0 replies; 33+ messages in thread
From: David Howells @ 2025-09-25 12:47 UTC (permalink / raw)
  To: syzbot
  Cc: dhowells, asmadeus, brauner, danielyangkang, eadavis, ericvh,
	jack, jlayton, linux-afs, linux-fsdevel, linux-kernel, linux_oss,
	lizhi.xu, lucho, marc.dionne, netfs, pc, syzkaller-bugs, v9fs,
	viro

#syz fix: netfs: Fix unbuffered write error handling



Thread overview: 33+ messages
2024-05-20  8:06 [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
2024-05-22  5:21 ` Edward Adam Davis
2024-05-22  5:45   ` syzbot
2024-05-22 10:37 ` Edward Adam Davis
2024-05-22 10:57   ` syzbot
2024-05-22 11:30 ` Edward Adam Davis
2024-05-22 11:56   ` syzbot
2024-05-22 12:49 ` Edward Adam Davis
2024-05-22 13:13   ` syzbot
2024-05-22 13:29 ` Edward Adam Davis
2024-05-22 13:54   ` syzbot
2024-05-22 14:05 ` Edward Adam Davis
2024-05-22 14:30   ` syzbot
2024-05-23  8:33 ` [syzbot] " syzbot
2024-05-23  9:23 ` syzbot
2024-05-23 12:33 ` Edward Adam Davis
2024-05-23 12:58   ` syzbot
2024-05-23 14:13 ` Edward Adam Davis
2024-05-23 14:37   ` syzbot
2024-05-24  0:52 ` [syzbot] " syzbot
2024-05-24  1:30 ` syzbot
2024-05-24  2:07 ` syzbot
2024-05-24  3:51 ` syzbot
2024-05-24  5:35 ` [PATCH] netfs: if extracting pages from user iterator fails return 0 Lizhi Xu
2024-08-11 22:43 ` [syzbot] [fs?] general protection fault in iter_file_splice_write syzbot
2025-09-23 19:59 ` syzbot
2025-09-25 12:47   ` David Howells
     [not found] <20240523083332.761304-1-lizhi.xu@windriver.com>
2024-05-23  8:58 ` syzbot
     [not found] <20240523092352.1279292-1-lizhi.xu@windriver.com>
2024-05-23  9:36 ` syzbot
     [not found] <20240524005225.2834298-1-lizhi.xu@windriver.com>
2024-05-24  1:15 ` syzbot
     [not found] <20240524012956.3069071-1-lizhi.xu@windriver.com>
2024-05-24  1:51 ` syzbot
     [not found] <20240524020717.1126466-1-lizhi.xu@windriver.com>
2024-05-24  2:31 ` syzbot
     [not found] <20240524035136.1561347-1-lizhi.xu@windriver.com>
2024-05-24  4:16 ` syzbot
