Hello,
syzbot found the following issue on:
HEAD commit: ddce02aa9c40 net: kmsan: check sk_buffs passed to __netdev..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1200559b880000
kernel config: https://syzkaller.appspot.com/x/.config?x=1429f86b132e6d40
dashboard link: https://syzkaller.appspot.com/bug?extid=6450929faa7a97cd42d1
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project.git 610139d2d9ce6746b3c617fb3e2f7886272d26ff), GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/40435685a7d7/disk-ddce02aa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4960172e71de/vmlinux-ddce02aa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5d91bc515d95/bzImage-ddce02aa.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
=====================================================
BUG: KMSAN: uninit-value in reiserfs_new_inode+0x193a/0x24e0 fs/reiserfs/inode.c:2050
reiserfs_new_inode+0x193a/0x24e0 fs/reiserfs/inode.c:2050
reiserfs_create+0x738/0xe60 fs/reiserfs/namei.c:668
lookup_open fs/namei.c:3413 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x28e9/0x5600 fs/namei.c:3710
do_filp_open+0x249/0x660 fs/namei.c:3740
do_sys_openat2+0x1f0/0x910 fs/open.c:1310
do_sys_open fs/open.c:1326 [inline]
__do_sys_creat fs/open.c:1402 [inline]
__se_sys_creat fs/open.c:1396 [inline]
__ia32_sys_creat+0xed/0x160 fs/open.c:1396
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
Uninit was created at:
__alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578
alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x1b5/0x1010 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429
alloc_inode_sb include/linux/fs.h:3117 [inline]
reiserfs_alloc_inode+0x5e/0x140 fs/reiserfs/super.c:642
alloc_inode+0x83/0x440 fs/inode.c:259
iget5_locked+0xa5/0x200 fs/inode.c:1241
reiserfs_fill_super+0x212b/0x3a00 fs/reiserfs/super.c:2053
mount_bdev+0x508/0x840 fs/super.c:1401
get_super_block+0x49/0x60 fs/reiserfs/super.c:2601
legacy_get_tree+0x10c/0x280 fs/fs_context.c:610
vfs_get_tree+0xa1/0x500 fs/super.c:1531
do_new_mount+0x694/0x1580 fs/namespace.c:3040
path_mount+0x71a/0x1eb0 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount+0x734/0x840 fs/namespace.c:3568
__ia32_sys_mount+0xdf/0x140 fs/namespace.c:3568
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
CPU: 0 PID: 3857 Comm: syz-executor.2 Not tainted 6.1.0-rc6-syzkaller-63553-gddce02aa9c40 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot has found a reproducer for the following issue on:
HEAD commit: 861deac3b092 Linux 6.7-rc7
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12057ecee80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6450929faa7a97cd42d1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14836ca1e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=159e1e16e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0ea60ee8ed32/disk-861deac3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d69fdc33021/vmlinux-861deac3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f0158750d452/bzImage-861deac3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/dcd887118b46/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
REISERFS warning (device loop0): vs-13060 reiserfs_update_sd_size: stat data of object [1 2 0x0 SD] (nlink == 1) not found (pos 2)
REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
=====================================================
BUG: KMSAN: uninit-value in reiserfs_new_inode+0x16cd/0x20f0 fs/reiserfs/inode.c:2044
reiserfs_new_inode+0x16cd/0x20f0 fs/reiserfs/inode.c:2044
reiserfs_create+0x674/0xcb0 fs/reiserfs/namei.c:666
xattr_create fs/reiserfs/xattr.c:70 [inline]
xattr_lookup+0x3ee/0x5e0 fs/reiserfs/xattr.c:413
reiserfs_xattr_set_handle+0xe7/0x21b0 fs/reiserfs/xattr.c:535
reiserfs_xattr_set+0x670/0x7f0 fs/reiserfs/xattr.c:635
trusted_set+0x112/0x190 fs/reiserfs/xattr_trusted.c:31
__vfs_setxattr+0x7aa/0x8b0 fs/xattr.c:201
__vfs_setxattr_noperm+0x24f/0xa30 fs/xattr.c:235
__vfs_setxattr_locked+0x441/0x480 fs/xattr.c:296
vfs_setxattr+0x294/0x650 fs/xattr.c:322
do_setxattr fs/xattr.c:630 [inline]
setxattr+0x45f/0x540 fs/xattr.c:653
path_setxattr+0x1f5/0x3c0 fs/xattr.c:672
__do_sys_setxattr fs/xattr.c:688 [inline]
__se_sys_setxattr fs/xattr.c:684 [inline]
__x64_sys_setxattr+0xf7/0x180 fs/xattr.c:684
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x421/0x1570 mm/slub.c:2070
___slab_alloc+0x13db/0x33d0 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc_lru+0x552/0x970 mm/slub.c:3509
alloc_inode_sb include/linux/fs.h:2937 [inline]
reiserfs_alloc_inode+0x62/0x150 fs/reiserfs/super.c:642
alloc_inode+0x83/0x440 fs/inode.c:261
iget5_locked+0xa9/0x210 fs/inode.c:1271
reiserfs_fill_super+0x2109/0x39d0 fs/reiserfs/super.c:2053
mount_bdev+0x3d7/0x560 fs/super.c:1650
get_super_block+0x4d/0x60 fs/reiserfs/super.c:2601
legacy_get_tree+0x110/0x290 fs/fs_context.c:662
vfs_get_tree+0xa5/0x520 fs/super.c:1771
do_new_mount+0x68d/0x1550 fs/namespace.c:3337
path_mount+0x73d/0x1f20 fs/namespace.c:3664
do_mount fs/namespace.c:3677 [inline]
__do_sys_mount fs/namespace.c:3886 [inline]
__se_sys_mount+0x725/0x810 fs/namespace.c:3863
__x64_sys_mount+0xe4/0x140 fs/namespace.c:3863
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
CPU: 1 PID: 5006 Comm: syz-executor185 Not tainted 6.7.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
please test uninit-value in reiserfs_new_inode
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 861deac3b092
diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c
index 994d6e6995ab..3a824fb170d5 100644
--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -638,6 +638,10 @@ static int reiserfs_create(struct mnt_idmap *idmap, struct inode *dir,
if (retval)
return retval;
+#ifdef DISPLACE_NEW_PACKING_LOCALITIES
+ REISERFS_I(dir)->new_packing_locality = 0;
+#endif
+
if (!(inode = new_inode(dir->i_sb))) {
return -ENOMEM;
}
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 861deac3 Linux 6.7-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1343c061e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6450929faa7a97cd42d1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1141c9a1e80000
Note: testing is done by a robot and is best-effort only.
Before creating a new inode, it is necessary to initialize the "new packing
locality" tag of the dir.
Signed-off-by: Edward Adam Davis <[email protected]>
---
fs/reiserfs/namei.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c
index 994d6e6995ab..3a824fb170d5 100644
--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -638,6 +638,10 @@ static int reiserfs_create(struct mnt_idmap *idmap, struct inode *dir,
if (retval)
return retval;
+#ifdef DISPLACE_NEW_PACKING_LOCALITIES
+ REISERFS_I(dir)->new_packing_locality = 0;
+#endif
+
if (!(inode = new_inode(dir->i_sb))) {
return -ENOMEM;
}
--
2.43.0