syzbot


KASAN: stack-out-of-bounds Read in iov_iter_revert

Status: closed as invalid on 2022/04/06 16:19
Reported-by: syzbot+775b1afb276f6280a6f4@syzkaller.appspotmail.com
First crash: 885d, last: 732d
Cause bisection: failed (error log, bisect log)
Similar bugs (4)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: stack-out-of-bounds Read in iov_iter_revert (fs io-uring) | C | error | | 14 | 942d | 959d | 20/26 | fixed on 2021/11/10 00:50
linux-4.19 | KASAN: stack-out-of-bounds Read in iov_iter_revert | C | error | | 26 | 427d | 986d | 0/1 | upstream: reported C repro on 2021/07/16 11:05
android-54 | KASAN: stack-out-of-bounds Read in iov_iter_revert | C | | | 37 | 1268d | 1317d | 0/2 | auto-obsoleted due to no activity on 2023/04/16 21:56
linux-4.14 | KASAN: stack-out-of-bounds Read in iov_iter_revert (xfs) | C | error | | 8 | 425d | 928d | 0/1 | upstream: reported C repro on 2021/09/12 17:39
Fix bisection attempts (4)
Created | Duration | User | Patch | Repo | Result
2022/03/27 11:05 | 16m | bisect fix | | android12-5.10-lts | job log (0) log
2022/02/25 05:25 | 18m | bisect fix | | android12-5.10-lts | job log (0) log
2022/01/26 02:48 | 18m | bisect fix | | android12-5.10-lts | job log (0) log
2021/12/27 02:15 | 18m | bisect fix | | android12-5.10-lts | job log (0) log

Sample crash report:
==================================================================
BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x269/0xa30 lib/iov_iter.c:1144
Read of size 8 at addr ffffc9000022ef38 by task syz-executor921/366

CPU: 0 PID: 366 Comm: syz-executor921 Not tainted 5.10.75-syzkaller-01082-g234d53d2bb60 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x8d/0x3d0 mm/kasan/report.c:233
 __kasan_report+0x142/0x220 mm/kasan/report.c:419
 kasan_report+0x51/0x70 mm/kasan/report.c:436
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 iov_iter_revert+0x269/0xa30 lib/iov_iter.c:1144
 io_write+0xaf1/0xf80 fs/io_uring.c:3615
 io_issue_sqe+0x1397/0xfc10 fs/io_uring.c:6030
 __io_queue_sqe+0x2cf/0x2fa0 fs/io_uring.c:6352
 io_queue_sqe+0x295/0x1180 fs/io_uring.c:6418
 io_submit_sqe+0x385/0xfd0 fs/io_uring.c:6487
 io_submit_sqes+0x1050/0x2da0 fs/io_uring.c:6715
 __do_sys_io_uring_enter fs/io_uring.c:9110 [inline]
 __se_sys_io_uring_enter+0x322/0x12b0 fs/io_uring.c:9052
 __x64_sys_io_uring_enter+0xe5/0x100 fs/io_uring.c:9052
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fad2a468a59
Code: 28 c3 e8 1a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcb1010af8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fad2a468a59
RDX: 0000000000000000 RSI: 0000000000007cdc RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcb1010b20
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000


addr ffffc9000022ef38 is located in stack of task syz-executor921/366 at offset 24 in frame:
 io_write+0x0/0xf80 include/trace/events/io_uring.h:360

this frame has 3 objects:
 [32, 160) 'inline_vecs'
 [192, 200) 'iovec'
 [224, 264) '__iter'

Memory state around the buggy address:
 ffffc9000022ee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000022ee80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000022ef00: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
                                        ^

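The report above gives three independent facts about the bad read: the faulting address with its offset in the io_write frame ("offset 24"), the frame's object table (first object 'inline_vecs' starts at offset 32), and the shadow row in which the granule covering the address is poisoned 0xf1 (generic-KASAN stack left redzone). The program below, an added illustration that is not code from syzbot or the kernel, transcribes those values and cross-checks them, concluding that the 8-byte read at [24, 32) lands in the 32-byte left redzone immediately before 'inline_vecs', i.e. just below the lowest live object of the frame. The poison value table is a subset of the generic-KASAN values in mm/kasan/kasan.h; the object-classification logic and the helper names are this example's own.

```c
/*
 * Cross-check a KASAN stack-out-of-bounds report: does the frame offset,
 * the frame object table and the shadow dump agree on where the read hit?
 * Added illustration; the constants are transcribed from the report above.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KASAN_GRANULE    8   /* bytes of memory covered by one shadow byte */
#define SHADOW_ROW_BYTES 16  /* shadow bytes printed per dump row */

struct frame_obj { unsigned start, end; const char *name; };

/* "this frame has 3 objects", exactly as printed: [start, end) 'name' */
static const struct frame_obj io_write_frame[] = {
    {  32, 160, "inline_vecs" },
    { 192, 200, "iovec"       },
    { 224, 264, "__iter"      },
};
#define IO_WRITE_NOBJ (sizeof io_write_frame / sizeof io_write_frame[0])

/* From the report header and the ">ffffc9000022ef00:" shadow row. */
static const uint64_t buggy_addr   = 0xffffc9000022ef38ULL;
static const unsigned buggy_offset = 24;  /* "at offset 24 in frame" */
static const unsigned access_size  = 8;   /* "Read of size 8" */
static const uint64_t shadow_row   = 0xffffc9000022ef00ULL;
static const uint8_t  shadow_bytes[SHADOW_ROW_BYTES] = {
    0x00, 0x00, 0x00, 0x00, 0xf1, 0xf1, 0xf1, 0xf1,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

enum verdict {
    V_IN_OBJECT,        /* fully inside one named object */
    V_LEFT_REDZONE,     /* entirely before the first object */
    V_BETWEEN_OBJECTS,  /* in the redzone between two objects */
    V_STRADDLES,        /* overlaps an object boundary */
    V_PAST_FRAME,       /* beyond the last object */
};

/* Classify [offset, offset+size) against an ascending object table;
 * *nearest receives the object the range is in or just before. */
static enum verdict classify(const struct frame_obj *objs, size_t n,
                             unsigned offset, unsigned size, const char **nearest)
{
    unsigned end = offset + size;

    for (size_t i = 0; i < n; i++) {
        *nearest = objs[i].name;
        if (end <= objs[i].start)
            return i == 0 ? V_LEFT_REDZONE : V_BETWEEN_OBJECTS;
        if (offset < objs[i].end)
            return (offset >= objs[i].start && end <= objs[i].end)
                   ? V_IN_OBJECT : V_STRADDLES;
    }
    return V_PAST_FRAME;
}

/* Wrappers bound to this report's frame table. */
static enum verdict io_write_verdict(unsigned offset, unsigned size)
{
    const char *unused;
    return classify(io_write_frame, IO_WRITE_NOBJ, offset, size, &unused);
}
static const char *io_write_nearest(unsigned offset, unsigned size)
{
    const char *name = NULL;
    classify(io_write_frame, IO_WRITE_NOBJ, offset, size, &name);
    return name;
}

/* Frame start = faulting address minus its reported offset in the frame. */
static uint64_t frame_base(uint64_t addr, unsigned offset) { return addr - offset; }

/* Index of the shadow byte covering addr in a dumped row, or -1 if outside it. */
static int shadow_index(uint64_t addr, uint64_t row_base)
{
    if (addr < row_base || addr >= row_base + SHADOW_ROW_BYTES * KASAN_GRANULE)
        return -1;
    return (int)((addr - row_base) / KASAN_GRANULE);
}

/* Generic-KASAN poison values (subset of mm/kasan/kasan.h). */
static const char *shadow_meaning(uint8_t b)
{
    if (b < KASAN_GRANULE)
        return b == 0 ? "addressable" : "partially addressable";
    switch (b) {
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf4: return "stack partial redzone";
    case 0xfa: return "global redzone";
    case 0xfb: return "freed kmalloc object";
    case 0xfc: return "kmalloc redzone";
    default:   return "other poison";
    }
}

/* 1 if the frame table and the shadow byte both say "left redzone". */
static int report_consistent(void)
{
    int idx = shadow_index(buggy_addr, shadow_row);
    return idx >= 0 && shadow_bytes[idx] == 0xf1 &&
           io_write_verdict(buggy_offset, access_size) == V_LEFT_REDZONE;
}

int main(void)
{
    int idx = shadow_index(buggy_addr, shadow_row);
    printf("frame base : 0x%llx\n", (unsigned long long)frame_base(buggy_addr, buggy_offset));
    printf("access     : [%u, %u) -> verdict %d, nearest '%s'\n", buggy_offset,
           buggy_offset + access_size, (int)io_write_verdict(buggy_offset, access_size),
           io_write_nearest(buggy_offset, access_size));
    if (idx >= 0)
        printf("shadow[%d]  : 0x%02x (%s)\n", idx, shadow_bytes[idx], shadow_meaning(shadow_bytes[idx]));
    printf("consistent : %s\n", report_consistent() ? "yes" : "no");
    return 0;
}
```

The same decoder applies to any generic-KASAN stack report: transcribe the object table and the marked shadow row, and the verdict tells you whether the access is a plain overflow past one object, a read before the frame (as here), or a straddle, which narrows down which pointer the callee was handed.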
Crashes (10):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2021/10/26 19:43 | android12-5.10-lts | 234d53d2bb60 | d50eb50a | .config | console log | report | syz | C | | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
2021/10/25 22:24 | android12-5.10-lts | 234d53d2bb60 | c1132b49 | .config | console log | report | syz | C | | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
2021/11/27 01:38 | android12-5.10-lts | 76698ea35fd3 | 63eeac02 | .config | console log | report | | | info | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
2021/11/24 17:05 | android12-5.10-lts | 76698ea35fd3 | 545ab074 | .config | console log | report | | | info | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
2021/11/16 07:44 | android12-5.10-lts | 76698ea35fd3 | 75b04091 | .config | console log | report | | | info | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
2021/11/06 07:23 | android12-5.10-lts | 76698ea35fd3 | 4c1be0be | .config | console log | report | | | info | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
2021/11/05 05:08 | android12-5.10-lts | 76698ea35fd3 | 4c1be0be | .config | console log | report | | | info | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
2021/11/04 21:06 | android12-5.10-lts | 76698ea35fd3 | 4c1be0be | .config | console log | report | | | info | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
2021/10/29 22:55 | android12-5.10-lts | 4944ec82ebb9 | 2353a3ec | .config | console log | report | | | info | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
2021/10/25 22:09 | android12-5.10-lts | 234d53d2bb60 | c1132b49 | .config | console log | report | | | info | | ci2-android-5-10 | KASAN: stack-out-of-bounds Read in iov_iter_revert
* Struck through repros no longer work on HEAD.