Prateek, Mateusz, thanks for your participation!
On 03/23, Mateusz Guzik wrote:
>
> On Sun, Mar 23, 2025 at 8:47 PM Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
> >
> > OK, as expected.
> >
> > Dear syzbot, thank you.
> >
> > So far I think this is another problem revealed by aaec5a95d59615523db03dd5
> > ("pipe_read: don't wake up the writer if the pipe is still full").
> >
> > I am going to forget about this report for now and return to it later, when
> > all the pending pipe-related changes in vfs.git are merged.
> >
>
> How do you ask syzbot for all stacks?
Heh, I don't know.
> The reproducer *does* use pipes, but it is unclear to me if they play
> any role here
please see the reproducer,
https://syzkaller.appspot.com/x/repro.c?x=10d6a44c580000
res = syscall(__NR_pipe2, /*pipefd=*/0x400000001900ul, /*flags=*/0ul);
if (res != -1) {
r[2] = *(uint32_t*)0x400000001900;
r[3] = *(uint32_t*)0x400000001904;
}
then
res = syscall(__NR_dup, /*oldfd=*/r[3]);
if (res != -1)
r[4] = res;
so r[2] and r[4] are the read/write fd's.
then later
memcpy((void*)0x400000000280, "trans=fd,", 9);
...
memcpy((void*)0x400000000289, "rfdno", 5);
...
sprintf((char*)0x40000000028f, "0x%016llx", (long long)r[2]);
...
memcpy((void*)0x4000000002a2, "wfdno", 5);
...
sprintf((char*)0x4000000002a8, "0x%016llx", (long long)r[4]);
...
syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x400000000000ul,
/*type=*/0x400000000040ul, /*flags=*/0ul, /*opts=*/0x400000000280ul);
so this pipe is actually used as "trans=fd".
> -- and notably we don't know if there is someone stuck
> in pipe code, resulting in not waking up the reported thread.
Yes, I am not familiar with 9p or netfs, so I don't know either.
Oleg.
