Hi
When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
the Linux kernel, I found the following bug report.
commit: 4ebaab5fb428374552175aa39832abf5cedb916a
version: linux 5.12
git tree: kmsan
kernel config and full log can be found in the attached file.
========================================================
RAX: ffffffffffffffda RBX: 00007f2c1751ab80 RCX: 000000000047311b
RDX: 00007f2c1751aa90 RSI: 0000000000004c04 RDI: 0000000000000007
RBP: 00007f2c1751b6bc R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f2c1751aa90 R14: 00007ffd7003bbc0 R15: 00007f2c1751adc0
BUG: unable to handle page fault for address: ffffb3888825d000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1810067 P4D 1810067 PUD 1915067 PMD 144fc067 PTE 0
Oops: 0002 [#1] SMP
CPU: 0 PID: 9990 Comm: executor Not tainted 5.12.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:64
Code: c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6
f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 <f3> aa
4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01 01
RSP: 0018:ffffab888819b788 EFLAGS: 00010086
RAX: ffffb3888825d000 RBX: 0000000000001000 RCX: 0000000000001000
RDX: 0000000000001000 RSI: 0000000000000000 RDI: ffffb3888825d000
RBP: ffffab888819b7b8 R08: fffffcd70000000f R09: ffffb3888825d000
R10: 0000000000000000 R11: 00000000ff000000 R12: 0000000000000000
R13: 0000000000008000 R14: 0000000000000000 R15: ffffab888825d000
FS: 00007f2c1751b700(0000) GS:ffff95d53fa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffb3888825d000 CR3: 0000000010bf1006 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
kmsan_internal_unpoison_shadow+0x1d/0x70 mm/kmsan/kmsan.c:110
__msan_memset+0x64/0xb0 mm/kmsan/kmsan_instr.c:130
check_partition block/partitions/core.c:147 [inline]
blk_add_partitions+0x854/0x20d0 block/partitions/core.c:617
bdev_disk_changed+0x461/0x570 fs/block_dev.c:1272
loop_reread_partitions drivers/block/loop.c:655 [inline]
loop_set_status+0x13a9/0x1660 drivers/block/loop.c:1418
lo_ioctl+0x2189/0x3850 drivers/block/loop.c:1528
blkdev_ioctl+0xa10/0xdb0 block/ioctl.c:583
block_ioctl+0x163/0x1c0 fs/block_dev.c:1671
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x2c2/0x400 fs/ioctl.c:739
__x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:739
do_syscall_64+0xa2/0x120 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x47311b
Code: 0f 92 c0 84 c0 75 b0 49 8d 3c 1c e8 af 1d 04 00 85 c0 78 b1 48
83 c4 08 4c 89 e0 5b 41 5c c3 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2c1751a9b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2c1751ab80 RCX: 000000000047311b
RDX: 00007f2c1751aa90 RSI: 0000000000004c04 RDI: 0000000000000007
RBP: 00007f2c1751b6bc R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f2c1751aa90 R14: 00007ffd7003bbc0 R15: 00007f2c1751adc0
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: ffffb3888825d000
---[ end trace b11318950e5124cd ]---
RIP: 0010:memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:64
Code: c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6
f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 <f3> aa
4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01 01
RSP: 0018:ffffab888819b788 EFLAGS: 00010086
RAX: ffffb3888825d000 RBX: 0000000000001000 RCX: 0000000000001000
RDX: 0000000000001000 RSI: 0000000000000000 RDI: ffffb3888825d000
RBP: ffffab888819b7b8 R08: fffffcd70000000f R09: ffffb3888825d000
R10: 0000000000000000 R11: 00000000ff000000 R12: 0000000000000000
R13: 0000000000008000 R14: 0000000000000000 R15: ffffab888825d000
FS: 00007f2c1751b700(0000) GS:ffff95d53fa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffb3888825d000 CR3: 0000000010bf1006 CR4: 0000000000770ef0
PKRU: 55555554
Following system call sequence (Syzlang format) can reproduce the crash:
# {"threaded":false, "collide":false, "repeat":true, "procs":1,
"slowdown":1, "sandbox":none, "fault":true, "fault_call":16,
"fault_nth":36, "leak":false, "tun":true, "netdev":true,
"resetnet":true, "cgroups":true, "binfmt_misc":true, "close_fds":true,
"devlinkpci":true, "usb":true, "vhci":true, "wifi":true,
"ieee802154":true, "sysctl":true, "tmpdir":true, "segv":true }
r0 = syz_open_dev$tty20(0xc, 0x4, 0x0)
ioctl$TCSETSF(r0, 0x5404, 0x0)
ioctl$EXT4_IOC_GROUP_ADD(r0, 0x40286608, 0x0)
ioctl$TCSETAW(r0, 0x5407, 0x0)
ioctl$TCSETAW(r0, 0x5407, 0x0)
ioctl$TCSETAW(r0, 0x5407, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r0, 0x8010661b, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
ioctl$sock_SIOCSPGRP(r0, 0x8902, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(r0, 0x110, 0x2, 0x0, 0x0)
get_thread_area(0x0)
ioctl$TCSETAW(r0, 0x5407, 0x0)
ioctl$TCSETAW(r0, 0x5407, 0x0)
ioctl$TIOCSETD(r0, 0x5423, 0x0)
ioctl$TCSETAW(r0, 0x5407, 0x0)
ioctl$TCSETAW(r0, 0x5407, 0x0)
syz_read_part_table(0x462952aecc6dcb8e, 0x0, 0x0)
Using syz-execprog can run this reproduction program directly:
syz-execprog -procs 1 -slowdown 1 -fault_call 16 -fault_nth 36 -enable
tun -enable netdev -enable resetnet -enable cgroups -enable
binfmt-misc -enable close_fds -enable devlinkpci -enable usb -enable
vhci -enable wifi -enable ieee802154 -enable sysctl repro.prog