Hello,
syzbot found the following issue on:
HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16e43009e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=47a017c46edb25eff048
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
=====================================================
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KMSAN: uninit-value in crc32_le_base+0x43c/0xd80 lib/crc32.c:197
crc32_body lib/crc32.c:110 [inline]
crc32_le_generic lib/crc32.c:179 [inline]
crc32_le_base+0x43c/0xd80 lib/crc32.c:197
nilfs_segbuf_fill_in_data_crc fs/nilfs2/segbuf.c:224 [inline]
nilfs_add_checksums_on_logs+0xbe4/0xf60 fs/nilfs2/segbuf.c:327
nilfs_segctor_do_construct+0x9eff/0xe050 fs/nilfs2/segment.c:2112
nilfs_segctor_construct+0x1eb/0xe30 fs/nilfs2/segment.c:2415
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2523 [inline]
nilfs_segctor_thread+0xc3f/0x11d0 fs/nilfs2/segment.c:2606
kthread+0x3ed/0x540 kernel/kthread.c:388
ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
__filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
pagecache_get_page+0x4a/0x1a0 mm/folio-compat.c:99
grab_cache_page_write_begin+0x55/0x70 mm/folio-compat.c:109
block_write_begin+0x4f/0x450 fs/buffer.c:2223
nilfs_write_begin+0xfc/0x200 fs/nilfs2/inode.c:261
generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
__generic_file_write_iter+0x20a/0x460 mm/filemap.c:4013
generic_file_write_iter+0x103/0x5b0 mm/filemap.c:4039
__kernel_write_iter+0x329/0x930 fs/read_write.c:517
dump_emit_page fs/coredump.c:888 [inline]
dump_user_range+0x593/0xcd0 fs/coredump.c:915
elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
do_coredump+0x32c9/0x4920 fs/coredump.c:764
get_signal+0x2185/0x2d10 kernel/signal.c:2890
arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
irqentry_exit+0x16/0x40 kernel/entry/common.c:412
exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
CPU: 1 PID: 5307 Comm: segctord Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hello, I reproduced this bug.
If you fix this issue, please add the following tag to the commit:
Reported-by: xingwei lee <[email protected]>
Notice: I use the same config as the syzbot dashboard.
kernel version: e326df53af0021f48a481ce9d489efda636c2dc6
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
with KMSAN enabled
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
=====================================================
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KMSAN: uninit-value in crc32_le_base+0x475/0xe70 lib/crc32.c:197
crc32_body lib/crc32.c:110 [inline]
crc32_le_generic lib/crc32.c:179 [inline]
crc32_le_base+0x475/0xe70 lib/crc32.c:197
nilfs_segbuf_fill_in_data_crc fs/nilfs2/segbuf.c:224 [inline]
nilfs_add_checksums_on_logs+0xcb2/0x10a0 fs/nilfs2/segbuf.c:327
nilfs_segctor_do_construct+0xad1d/0xf640 fs/nilfs2/segment.c:2112
nilfs_segctor_construct+0x1fd/0xf30 fs/nilfs2/segment.c:2415
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2523 [inline]
nilfs_segctor_thread+0x551/0x1350 fs/nilfs2/segment.c:2606
kthread+0x422/0x5a0 kernel/kthread.c:388
ret_from_fork+0x7f/0xa0 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Uninit was created at:
__alloc_pages+0x9a8/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x6b3/0xaa0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x218/0x3f0 mm/mempolicy.c:2211
filemap_alloc_folio+0xb8/0x4b0 mm/filemap.c:974
__filemap_get_folio+0xa8a/0x1910 mm/filemap.c:1918
pagecache_get_page+0x56/0x1d0 mm/folio-compat.c:99
grab_cache_page_write_begin+0x61/0x80 mm/folio-compat.c:109
block_write_begin+0x5a/0x4a0 fs/buffer.c:2223
nilfs_write_begin+0x107/0x220 fs/nilfs2/inode.c:261
generic_perform_write+0x417/0xce0 mm/filemap.c:3927
__generic_file_write_iter+0x233/0x4b0 mm/filemap.c:4022
generic_file_write_iter+0x10e/0x600 mm/filemap.c:4048
__kernel_write_iter+0x365/0xa00 fs/read_write.c:523
dump_emit_page fs/coredump.c:888 [inline]
dump_user_range+0x5d7/0xe00 fs/coredump.c:915
elf_core_dump+0x5847/0x5fa0 fs/binfmt_elf.c:2077
do_coredump+0x3bb6/0x4e60 fs/coredump.c:764
get_signal+0x28f7/0x30b0 kernel/signal.c:2890
arch_do_signal_or_restart+0x5e/0xda0 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
irqentry_exit_to_user_mode+0xaa/0x160 kernel/entry/common.c:225
irqentry_exit+0x16/0x40 kernel/entry/common.c:328
exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
CPU: 1 PID: 11178 Comm: segctord Not tainted 6.7.0-00562-g9f8413c4a66f-dirty #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.2-debian-1.16.2-1 04/01/2014
=====================================================
=* repro.c =*
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/capability.h>
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
#define MAX_FDS 30
static void setup_common()
{
if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
}
}
static void setup_binderfs()
{
if (mkdir("/dev/binderfs", 0777)) {
}
if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
}
if (symlink("/dev/binderfs", "./binderfs")) {
}
}
static void loop();
static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setsid();
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 32 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 136 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
if (unshare(CLONE_NEWNS)) {
}
if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
}
if (unshare(CLONE_NEWIPC)) {
}
if (unshare(0x02000000)) {
}
if (unshare(CLONE_NEWUTS)) {
}
if (unshare(CLONE_SYSVSEM)) {
}
typedef struct {
const char* name;
const char* value;
} sysctl_t;
static const sysctl_t sysctls[] = {
{"/proc/sys/kernel/shmmax", "16777216"},
{"/proc/sys/kernel/shmall", "536870912"},
{"/proc/sys/kernel/shmmni", "1024"},
{"/proc/sys/kernel/msgmax", "8192"},
{"/proc/sys/kernel/msgmni", "1024"},
{"/proc/sys/kernel/msgmnb", "1024"},
{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
};
unsigned i;
for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
write_file(sysctls[i].name, sysctls[i].value);
}
static int wait_for_loop(int pid)
{
if (pid < 0)
exit(1);
int status = 0;
while (waitpid(-1, &status, __WALL) != pid) {
}
return WEXITSTATUS(status);
}
static void drop_caps(void)
{
struct __user_cap_header_struct cap_hdr = {};
struct __user_cap_data_struct cap_data[2] = {};
cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
cap_hdr.pid = getpid();
if (syscall(SYS_capget, &cap_hdr, &cap_data))
exit(1);
const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
cap_data[0].effective &= ~drop;
cap_data[0].permitted &= ~drop;
cap_data[0].inheritable &= ~drop;
if (syscall(SYS_capset, &cap_hdr, &cap_data))
exit(1);
}
static int do_sandbox_none(void)
{
if (unshare(CLONE_NEWPID)) {
}
int pid = fork();
if (pid != 0)
return wait_for_loop(pid);
setup_common();
sandbox_common();
drop_caps();
if (unshare(CLONE_NEWNET)) {
}
write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
setup_binderfs();
loop();
exit(1);
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
static void close_fds()
{
for (int fd = 3; fd < MAX_FDS; fd++)
close(fd);
}
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)
static long handle_clone_ret(long ret)
{
if (ret != 0) {
return ret;
}
usleep(USLEEP_FORKED_CHILD);
syscall(__NR_exit, 0);
while (1) {
}
}
static long syz_clone(volatile long flags, volatile long stack,
volatile long stack_len, volatile long ptid,
volatile long ctid, volatile long tls)
{
long sp = (stack + stack_len) & ~15;
long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
return handle_clone_ret(ret);
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
close_fds();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
void execute_one(void)
{
syz_clone(/*flags=CLONE_IO*/ 0x80000000, /*stack=*/0x20000140,
/*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0);
}
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
do_sandbox_none();
return 0;
}
Remember to run this repro.txt with the command: syz-execprog -repeat
0 ./repro.txt and wait for about 1 minute; the bug triggers very
steadily.
=* repro.txt =*
syz_mount_image$nilfs2(&(0x7f0000000000),
&(0x7f0000000a80)='./file0\x00', 0x808, &(0x7f00000000c0)=ANY=[], 0x1,
0xa4a, &(0x7f0000001540)="$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")
r0 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) (async)
r1 = open(&(0x7f0000007f80)='./bus\x00', 0x145142, 0x0)
cachestat(r1, &(0x7f00000002c0)={0x6}, &(0x7f0000000300), 0x0) (async)
r2 = syz_open_procfs(0xffffffffffffffff,
&(0x7f0000000100)='mountinfo\x00') (async)
r3 = open(&(0x7f0000000a40)='./bus\x00', 0x141a42, 0x0)
r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) (async)
ptrace(0x10, 0x0) (async)
r5 = syz_clone(0x80000000,
&(0x7f0000000140)="1d7f3ef3f0b0129f8d083226510ecc0713b2af6e7901a607532fa2a7176fefdd7e66e6402ef8b579a00dd83d555182afa044f65b0ac668c2063ac33b34bb48411c11d456d584ec4140aebe97e1950ad7c4bd2bffcef175625a27a11f559e8ddb031d27c2be3a2216a1e9f87f5d68b8b0b690e67bfcc8a8ec9af998c1a8eaef215c771e45eee015e8ce9b17015da79c48a7b87459c4a88781ffd9d1ec6870c4d7220ffc6a66f7828db1297aa12e00503dde7a5c",
0xb3, &(0x7f0000000080), &(0x7f00000000c0),
&(0x7f0000000200)="994665d2b9d5239b789d65f6ec184c1ea67003ce8f474755e439f58560c42a241a31e540479e0752cad17884d9024cb854dc6798ada62550c8264b5488daff5387419b22f01fa57630317e8c24ac37d892d70e380b7164dfaa886b72a17f08df76c1057a2268b39aad4e0e759eef1abc6e5e664e7f3057c1d70d897ba5104664e96d92c1d8bd420f78368f522169f713ed03315d69de28d77af27ec8881f54633a5dd5d54635e74ad8c896918c")
fcntl$setown(r4, 0x8, r5) (async)
sendfile(r3, r2, 0x0, 0x100800001) (async)
sendfile(r0, r1, 0x0, 0x1000000201003)
and see also in
https://gist.github.com/xrivendell7/744812c87156085e12c7f617ef237875.
BTW, from my personal observation, the syzlang reproducer can
trigger the bug more stably, so try using syz-execprog -repeat 0
./repro.txt to trigger this bug.
I hope it helps.
Best regards!
xingwei Lee
On Sun, Mar 3, 2024 at 2:46 PM xingwei lee wrote:
>
> Hello, I reproduced this bug.
>
> If you fix this issue, please add the following tag to the commit:
> Reported-by: xingwei lee <[email protected]>
>
> Notice: I use the same config as the syzbot dashboard.
> kernel version: e326df53af0021f48a481ce9d489efda636c2dc6
> kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> with KMSAN enabled
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> =====================================================
> BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
> BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
> BUG: KMSAN: uninit-value in crc32_le_base+0x475/0xe70 lib/crc32.c:197
> crc32_body lib/crc32.c:110 [inline]
> crc32_le_generic lib/crc32.c:179 [inline]
> crc32_le_base+0x475/0xe70 lib/crc32.c:197
> nilfs_segbuf_fill_in_data_crc fs/nilfs2/segbuf.c:224 [inline]
> nilfs_add_checksums_on_logs+0xcb2/0x10a0 fs/nilfs2/segbuf.c:327
> nilfs_segctor_do_construct+0xad1d/0xf640 fs/nilfs2/segment.c:2112
> nilfs_segctor_construct+0x1fd/0xf30 fs/nilfs2/segment.c:2415
> nilfs_segctor_thread_construct fs/nilfs2/segment.c:2523 [inline]
> nilfs_segctor_thread+0x551/0x1350 fs/nilfs2/segment.c:2606
> kthread+0x422/0x5a0 kernel/kthread.c:388
> ret_from_fork+0x7f/0xa0 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> Uninit was created at:
> __alloc_pages+0x9a8/0xe00 mm/page_alloc.c:4591
> alloc_pages_mpol+0x6b3/0xaa0 mm/mempolicy.c:2133
> alloc_pages mm/mempolicy.c:2204 [inline]
> folio_alloc+0x218/0x3f0 mm/mempolicy.c:2211
> filemap_alloc_folio+0xb8/0x4b0 mm/filemap.c:974
> __filemap_get_folio+0xa8a/0x1910 mm/filemap.c:1918
> pagecache_get_page+0x56/0x1d0 mm/folio-compat.c:99
> grab_cache_page_write_begin+0x61/0x80 mm/folio-compat.c:109
> block_write_begin+0x5a/0x4a0 fs/buffer.c:2223
> nilfs_write_begin+0x107/0x220 fs/nilfs2/inode.c:261
> generic_perform_write+0x417/0xce0 mm/filemap.c:3927
> __generic_file_write_iter+0x233/0x4b0 mm/filemap.c:4022
> generic_file_write_iter+0x10e/0x600 mm/filemap.c:4048
> __kernel_write_iter+0x365/0xa00 fs/read_write.c:523
> dump_emit_page fs/coredump.c:888 [inline]
> dump_user_range+0x5d7/0xe00 fs/coredump.c:915
> elf_core_dump+0x5847/0x5fa0 fs/binfmt_elf.c:2077
> do_coredump+0x3bb6/0x4e60 fs/coredump.c:764
> get_signal+0x28f7/0x30b0 kernel/signal.c:2890
> arch_do_signal_or_restart+0x5e/0xda0 arch/x86/kernel/signal.c:309
> exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> irqentry_exit_to_user_mode+0xaa/0x160 kernel/entry/common.c:225
> irqentry_exit+0x16/0x40 kernel/entry/common.c:328
> exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566
> asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
> CPU: 1 PID: 11178 Comm: segctord Not tainted 6.7.0-00562-g9f8413c4a66f-dirty #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.16.2-debian-1.16.2-1 04/01/2014
> =====================================================
>
> =* repro.c =*
> #define _GNU_SOURCE
>
> #include <dirent.h>
> #include <endian.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <sched.h>
> #include <signal.h>
> #include <stdarg.h>
> #include <stdbool.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/mount.h>
> #include <sys/prctl.h>
> #include <sys/resource.h>
> #include <sys/stat.h>
> #include <sys/syscall.h>
> #include <sys/time.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> #include <time.h>
> #include <unistd.h>
>
> #include <linux/capability.h>
>
> static void sleep_ms(uint64_t ms)
> {
> usleep(ms * 1000);
> }
>
> static uint64_t current_time_ms(void)
> {
> struct timespec ts;
> if (clock_gettime(CLOCK_MONOTONIC, &ts))
> exit(1);
> return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
> }
>
> static bool write_file(const char* file, const char* what, ...)
> {
> char buf[1024];
> va_list args;
> va_start(args, what);
> vsnprintf(buf, sizeof(buf), what, args);
> va_end(args);
> buf[sizeof(buf) - 1] = 0;
> int len = strlen(buf);
> int fd = open(file, O_WRONLY | O_CLOEXEC);
> if (fd == -1)
> return false;
> if (write(fd, buf, len) != len) {
> int err = errno;
> close(fd);
> errno = err;
> return false;
> }
> close(fd);
> return true;
> }
>
> #define MAX_FDS 30
>
> static void setup_common()
> {
> if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
> }
> }
>
> static void setup_binderfs()
> {
> if (mkdir("/dev/binderfs", 0777)) {
> }
> if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
> }
> if (symlink("/dev/binderfs", "./binderfs")) {
> }
> }
>
> static void loop();
>
> static void sandbox_common()
> {
> prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
> setsid();
> struct rlimit rlim;
> rlim.rlim_cur = rlim.rlim_max = (200 << 20);
> setrlimit(RLIMIT_AS, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 32 << 20;
> setrlimit(RLIMIT_MEMLOCK, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 136 << 20;
> setrlimit(RLIMIT_FSIZE, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 1 << 20;
> setrlimit(RLIMIT_STACK, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 128 << 20;
> setrlimit(RLIMIT_CORE, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 256;
> setrlimit(RLIMIT_NOFILE, &rlim);
> if (unshare(CLONE_NEWNS)) {
> }
> if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
> }
> if (unshare(CLONE_NEWIPC)) {
> }
> if (unshare(0x02000000)) {
> }
> if (unshare(CLONE_NEWUTS)) {
> }
> if (unshare(CLONE_SYSVSEM)) {
> }
> typedef struct {
> const char* name;
> const char* value;
> } sysctl_t;
> static const sysctl_t sysctls[] = {
> {"/proc/sys/kernel/shmmax", "16777216"},
> {"/proc/sys/kernel/shmall", "536870912"},
> {"/proc/sys/kernel/shmmni", "1024"},
> {"/proc/sys/kernel/msgmax", "8192"},
> {"/proc/sys/kernel/msgmni", "1024"},
> {"/proc/sys/kernel/msgmnb", "1024"},
> {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
> };
> unsigned i;
> for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
> write_file(sysctls[i].name, sysctls[i].value);
> }
>
> static int wait_for_loop(int pid)
> {
> if (pid < 0)
> exit(1);
> int status = 0;
> while (waitpid(-1, &status, __WALL) != pid) {
> }
> return WEXITSTATUS(status);
> }
>
> static void drop_caps(void)
> {
> struct __user_cap_header_struct cap_hdr = {};
> struct __user_cap_data_struct cap_data[2] = {};
> cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
> cap_hdr.pid = getpid();
> if (syscall(SYS_capget, &cap_hdr, &cap_data))
> exit(1);
> const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
> cap_data[0].effective &= ~drop;
> cap_data[0].permitted &= ~drop;
> cap_data[0].inheritable &= ~drop;
> if (syscall(SYS_capset, &cap_hdr, &cap_data))
> exit(1);
> }
>
> static int do_sandbox_none(void)
> {
> if (unshare(CLONE_NEWPID)) {
> }
> int pid = fork();
> if (pid != 0)
> return wait_for_loop(pid);
> setup_common();
> sandbox_common();
> drop_caps();
> if (unshare(CLONE_NEWNET)) {
> }
> write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
> setup_binderfs();
> loop();
> exit(1);
> }
>
> static void kill_and_wait(int pid, int* status)
> {
> kill(-pid, SIGKILL);
> kill(pid, SIGKILL);
> for (int i = 0; i < 100; i++) {
> if (waitpid(-1, status, WNOHANG | __WALL) == pid)
> return;
> usleep(1000);
> }
> DIR* dir = opendir("/sys/fs/fuse/connections");
> if (dir) {
> for (;;) {
> struct dirent* ent = readdir(dir);
> if (!ent)
> break;
> if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
> continue;
> char abort[300];
> snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
> ent->d_name);
> int fd = open(abort, O_WRONLY);
> if (fd == -1) {
> continue;
> }
> if (write(fd, abort, 1) < 0) {
> }
> close(fd);
> }
> closedir(dir);
> } else {
> }
> while (waitpid(-1, status, __WALL) != pid) {
> }
> }
>
> static void setup_test()
> {
> prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
> setpgrp();
> write_file("/proc/self/oom_score_adj", "1000");
> }
>
> static void close_fds()
> {
> for (int fd = 3; fd < MAX_FDS; fd++)
> close(fd);
> }
>
> #define USLEEP_FORKED_CHILD (3 * 50 * 1000)
>
> static long handle_clone_ret(long ret)
> {
> if (ret != 0) {
> return ret;
> }
> usleep(USLEEP_FORKED_CHILD);
> syscall(__NR_exit, 0);
> while (1) {
> }
> }
>
> static long syz_clone(volatile long flags, volatile long stack,
> volatile long stack_len, volatile long ptid,
> volatile long ctid, volatile long tls)
> {
> long sp = (stack + stack_len) & ~15;
> long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
> return handle_clone_ret(ret);
> }
>
> static void execute_one(void);
>
> #define WAIT_FLAGS __WALL
>
> static void loop(void)
> {
> int iter = 0;
> for (;; iter++) {
> int pid = fork();
> if (pid < 0)
> exit(1);
> if (pid == 0) {
> setup_test();
> execute_one();
> close_fds();
> exit(0);
> }
> int status = 0;
> uint64_t start = current_time_ms();
> for (;;) {
> if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
> break;
> sleep_ms(1);
> if (current_time_ms() - start < 5000)
> continue;
> kill_and_wait(pid, &status);
> break;
> }
> }
> }
>
> void execute_one(void)
> {
> syz_clone(/*flags=CLONE_IO*/ 0x80000000, /*stack=*/0x20000140,
> /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0);
> }
> int main(void)
> {
> syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
> /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
> /*offset=*/0ul);
> syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
> /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
> /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
> /*offset=*/0ul);
> syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
> /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
> /*offset=*/0ul);
> do_sandbox_none();
> return 0;
> }
>
>
> Remember to run this repro.txt with the command: syz-execprog -repeat
> 0 ./repro.txt and wait for about 1 minute; the bug triggers very
> steadily.
>
> =* repro.txt =*
> syz_mount_image$nilfs2(&(0x7f0000000000),
> &(0x7f0000000a80)='./file0\x00', 0x808, &(0x7f00000000c0)=ANY=[], 0x1,
> 0xa4a, &(0x7f0000001540)="$eJzs3U2MW0cdAPDx7nrTfJQ4JaFLGtqEQls+uttslvARQVI1QiJqKm6VKi5RmpaINCBSCVr1kOTEjVZVuPIhTr1UgJDoBUU9calEI1VIPRUOHIiCVIkDFJJF8c547X9sPXuzWa/Xv580O543Y8887/Pz83tvZhIwtiaafxcWZmopXXrr9aP/eOjvm28uOdwq0Wj+nWpL1VNKtZyeCq/3weRSfP3DV052i2tpvvm3pNNT11rP3ZpSOp/2psupkXZfuvLaO/NPHr9w7OK+d984dPXOrD0AAIyXb18+tLDrr3++b8dHb95/JG1qLS/H542c3paP+4/kA/9y/D+ROtO1ttBuOpSbymEilJvsUq69nnooN9Wj/unwuvUe5TZV1D/ZtqzbesMoK9txI9UmZjvSExOzs0u/yVPzd/10bfbs6TPPnRtSQ4FV968HUkp7RygcXgdtWGFYXAdtGMlwZB20YYOGxe3D3gMBLInXC29xPp5ZuD2tV5vqr/5rj090fz6sgrXe/tU/WvX/+oI9Dqtno25NZb3K52hbTsfrCPH+pd6fv3ilo3NpvB5R77Odva4jjMr1hV7tnFzjdqxUr/bH7WKj+nqOy/vwjZDf/vmJ/9NR+R8D3f171M7/C8K4h7R6r7U45P0PsH7F++YWs5If7+uL+Zsq8u+qyN9ckb+lIn9rRT6Ms9+9+NP0am35d378TT/o+fBynu3uHH9swPbE85GD1h/v+x3U7dYf7yeG9ewPJ54+9ZVnn7mydP9/rbX938jbe/m50cifrcu5QDlfGM+rt+79b3TWM9Gj3D2hPXd3Kd98vLOzXG3n8uuktv3MLe2Y6Xze9l7l9nSWa4Rym3O4K7Q3Hp9sCc8rxx9lv1rer6mwvvWwHtOhHWW/siPHsR2wEmV77HX/f9k+Z1K99tzpM6cey+mynf5psr7p5vL9a9xu4Pb12/9nJnX2/9nWWl6faN8vbF9eXmvfLzTC8vkeyw/kdPme++7k5uby2ZPfP/Psaq88jLlzL738vRNnzpz6oQcrfvDN9dEMDzxYxQfD3jMBd9rciy/8YO7cSy8/evqFE8+fev7U2QMHDx6Ynz/41QMLc83j+rn2o3tgI1n+0h92SwAAAAAAAAAAAIB+/ejY0Svvvf3l95f6/y/3/yv9/8udv6X//09C///YT770gy/9AHd0yW+WCQOsTody9Rw+Htq7M9SzKzzvEzluzeOX+/+X6uK4rqU994blcfzeUi4MJ3DLeCnTYQySOF/gp3N8Mce/SjBEtc3dF+e4anzrsq2X8SmMSzGayv+tbA1lHJPS/7vruE5t/+wda9BGVt9adCcc9joC3f3T+N+CMLZhcbHXLB79zmADsDqGPf9nOe9Z4rN//NZdN0Mpdu3xzv1lHL8UBvGX9zrT633+SfVvrPk/W/Pf9b3/CzPmNVZW739+fvX9tmrT7n7rj+tfxoHeOVj9H+X6y9o8nPqrf/GXof54QahP/w31b+mz/lvWf8/K6v9frr+8bY882G/9Sy2uTXS2I543Ltf/4nnj4npY/zK258Drv8KJGm/k+mGcjco8s4MK8/+2DtpXPv9vdn515//tJd6H8aWcLjvCcp9DnO9k0PaX+yvK98Cu8Pq1iu838/+Otq/luOrzUOb/LdtjI3/lt6Wb72VJ17u8txt1XwOj6gPX/wRhzUNrnrght2NxcfHOntCqMNTKGfr7P+zfCcOuf9jvf5U4/288ho/z/8b8OP9vzI/z/8b8OL9ezI/z/8b3M87/G/PvDa8b5weeqcj/ZEX+7u75rZ/t91U8f09F/qcq8vdV5N9fkf9ARf49FfkPVuR/piL/sxX5D1XkP1KR/7mK/I2u9EcZ1/WHcRb75/n8w/go1396ff53VuQDo+tnb+5/4pnffqex1P9/unU+pFzHO5LT9fzb+cc5Ha97p7b0zby3c/pvIX+9n++AcRLHz4jf7w9X5AOjq9zn5fM
NY6jWfcSefset6nWcz2j5fI6/kOMv5vjRHM/meC7H+3M8v0bt48544je/P/Rqbfn3/vaQ3+/95LE/UMc4USmlA322J54fGPR+9jiO36But/4VdgcDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYmonm34WFmVpKl956/ejTx0/P3VxyuFWi0fw71Zaqt56X0mM5nszxL/KD6x++crI9vpHjWppPtVRrLU9PXWvVtDWldD7tTZdTI+2+dOW1d+afPH7h2MV9775x6OqdewcAAABg4/t/AAAA//+wuA6E")
> r0 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) (async)
> r1 = open(&(0x7f0000007f80)='./bus\x00', 0x145142, 0x0)
> cachestat(r1, &(0x7f00000002c0)={0x6}, &(0x7f0000000300), 0x0) (async)
> r2 = syz_open_procfs(0xffffffffffffffff,
> &(0x7f0000000100)='mountinfo\x00') (async)
> r3 = open(&(0x7f0000000a40)='./bus\x00', 0x141a42, 0x0)
> r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) (async)
> ptrace(0x10, 0x0) (async)
> r5 = syz_clone(0x80000000,
> &(0x7f0000000140)="1d7f3ef3f0b0129f8d083226510ecc0713b2af6e7901a607532fa2a7176fefdd7e66e6402ef8b579a00dd83d555182afa044f65b0ac668c2063ac33b34bb48411c11d456d584ec4140aebe97e1950ad7c4bd2bffcef175625a27a11f559e8ddb031d27c2be3a2216a1e9f87f5d68b8b0b690e67bfcc8a8ec9af998c1a8eaef215c771e45eee015e8ce9b17015da79c48a7b87459c4a88781ffd9d1ec6870c4d7220ffc6a66f7828db1297aa12e00503dde7a5c",
> 0xb3, &(0x7f0000000080), &(0x7f00000000c0),
> &(0x7f0000000200)="994665d2b9d5239b789d65f6ec184c1ea67003ce8f474755e439f58560c42a241a31e540479e0752cad17884d9024cb854dc6798ada62550c8264b5488daff5387419b22f01fa57630317e8c24ac37d892d70e380b7164dfaa886b72a17f08df76c1057a2268b39aad4e0e759eef1abc6e5e664e7f3057c1d70d897ba5104664e96d92c1d8bd420f78368f522169f713ed03315d69de28d77af27ec8881f54633a5dd5d54635e74ad8c896918c")
> fcntl$setown(r4, 0x8, r5) (async)
> sendfile(r3, r2, 0x0, 0x100800001) (async)
> sendfile(r0, r1, 0x0, 0x1000000201003)
>
>
> and see also in
> https://gist.github.com/xrivendell7/744812c87156085e12c7f617ef237875.
> BTW, from my personal observation, the syzlang reproducer can
> trigger the bug more stably, so try using syz-execprog -repeat 0
> ./repro.txt to trigger this bug.
>
> I hope it helps.
> Best regards!
> xingwei Lee
Hi,
Please let me know if you can test one.
Does this issue still appear on 6.8-rc4 or later?
I'd like to isolate that the issue is still not fixed with the latest
fixes, but I need to do some trial and error to reestablish a testable
(bootable) KMSAN-enabled kernel config.
Thanks,
Ryusuke Konishi
Ryusuke Konishi <[email protected]> wrote on Sunday, March 3, 2024 at 20:46:
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> > 1.16.2-debian-1.16.2-1 04/01/2014
> > =====================================================
> >
> > =* repro.c =*
> > #define _GNU_SOURCE
> >
> > #include <dirent.h>
> > #include <endian.h>
> > #include <errno.h>
> > #include <fcntl.h>
> > #include <sched.h>
> > #include <signal.h>
> > #include <stdarg.h>
> > #include <stdbool.h>
> > #include <stdint.h>
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <sys/mount.h>
> > #include <sys/prctl.h>
> > #include <sys/resource.h>
> > #include <sys/stat.h>
> > #include <sys/syscall.h>
> > #include <sys/time.h>
> > #include <sys/types.h>
> > #include <sys/wait.h>
> > #include <time.h>
> > #include <unistd.h>
> >
> > #include <linux/capability.h>
> >
> > static void sleep_ms(uint64_t ms)
> > {
> > usleep(ms * 1000);
> > }
> >
> > static uint64_t current_time_ms(void)
> > {
> > struct timespec ts;
> > if (clock_gettime(CLOCK_MONOTONIC, &ts))
> > exit(1);
> > return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
> > }
> >
> > static bool write_file(const char* file, const char* what, ...)
> > {
> > char buf[1024];
> > va_list args;
> > va_start(args, what);
> > vsnprintf(buf, sizeof(buf), what, args);
> > va_end(args);
> > buf[sizeof(buf) - 1] = 0;
> > int len = strlen(buf);
> > int fd = open(file, O_WRONLY | O_CLOEXEC);
> > if (fd == -1)
> > return false;
> > if (write(fd, buf, len) != len) {
> > int err = errno;
> > close(fd);
> > errno = err;
> > return false;
> > }
> > close(fd);
> > return true;
> > }
> >
> > #define MAX_FDS 30
> >
> > static void setup_common()
> > {
> > if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
> > }
> > }
> >
> > static void setup_binderfs()
> > {
> > if (mkdir("/dev/binderfs", 0777)) {
> > }
> > if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
> > }
> > if (symlink("/dev/binderfs", "./binderfs")) {
> > }
> > }
> >
> > static void loop();
> >
> > static void sandbox_common()
> > {
> > prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
> > setsid();
> > struct rlimit rlim;
> > rlim.rlim_cur = rlim.rlim_max = (200 << 20);
> > setrlimit(RLIMIT_AS, &rlim);
> > rlim.rlim_cur = rlim.rlim_max = 32 << 20;
> > setrlimit(RLIMIT_MEMLOCK, &rlim);
> > rlim.rlim_cur = rlim.rlim_max = 136 << 20;
> > setrlimit(RLIMIT_FSIZE, &rlim);
> > rlim.rlim_cur = rlim.rlim_max = 1 << 20;
> > setrlimit(RLIMIT_STACK, &rlim);
> > rlim.rlim_cur = rlim.rlim_max = 128 << 20;
> > setrlimit(RLIMIT_CORE, &rlim);
> > rlim.rlim_cur = rlim.rlim_max = 256;
> > setrlimit(RLIMIT_NOFILE, &rlim);
> > if (unshare(CLONE_NEWNS)) {
> > }
> > if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
> > }
> > if (unshare(CLONE_NEWIPC)) {
> > }
> > if (unshare(0x02000000)) {
> > }
> > if (unshare(CLONE_NEWUTS)) {
> > }
> > if (unshare(CLONE_SYSVSEM)) {
> > }
> > typedef struct {
> > const char* name;
> > const char* value;
> > } sysctl_t;
> > static const sysctl_t sysctls[] = {
> > {"/proc/sys/kernel/shmmax", "16777216"},
> > {"/proc/sys/kernel/shmall", "536870912"},
> > {"/proc/sys/kernel/shmmni", "1024"},
> > {"/proc/sys/kernel/msgmax", "8192"},
> > {"/proc/sys/kernel/msgmni", "1024"},
> > {"/proc/sys/kernel/msgmnb", "1024"},
> > {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
> > };
> > unsigned i;
> > for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
> > write_file(sysctls[i].name, sysctls[i].value);
> > }
> >
> > static int wait_for_loop(int pid)
> > {
> > if (pid < 0)
> > exit(1);
> > int status = 0;
> > while (waitpid(-1, &status, __WALL) != pid) {
> > }
> > return WEXITSTATUS(status);
> > }
> >
> > static void drop_caps(void)
> > {
> > struct __user_cap_header_struct cap_hdr = {};
> > struct __user_cap_data_struct cap_data[2] = {};
> > cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
> > cap_hdr.pid = getpid();
> > if (syscall(SYS_capget, &cap_hdr, &cap_data))
> > exit(1);
> > const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
> > cap_data[0].effective &= ~drop;
> > cap_data[0].permitted &= ~drop;
> > cap_data[0].inheritable &= ~drop;
> > if (syscall(SYS_capset, &cap_hdr, &cap_data))
> > exit(1);
> > }
> >
> > static int do_sandbox_none(void)
> > {
> > if (unshare(CLONE_NEWPID)) {
> > }
> > int pid = fork();
> > if (pid != 0)
> > return wait_for_loop(pid);
> > setup_common();
> > sandbox_common();
> > drop_caps();
> > if (unshare(CLONE_NEWNET)) {
> > }
> > write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
> > setup_binderfs();
> > loop();
> > exit(1);
> > }
> >
> > static void kill_and_wait(int pid, int* status)
> > {
> > kill(-pid, SIGKILL);
> > kill(pid, SIGKILL);
> > for (int i = 0; i < 100; i++) {
> > if (waitpid(-1, status, WNOHANG | __WALL) == pid)
> > return;
> > usleep(1000);
> > }
> > DIR* dir = opendir("/sys/fs/fuse/connections");
> > if (dir) {
> > for (;;) {
> > struct dirent* ent = readdir(dir);
> > if (!ent)
> > break;
> > if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
> > continue;
> > char abort[300];
> > snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
> > ent->d_name);
> > int fd = open(abort, O_WRONLY);
> > if (fd == -1) {
> > continue;
> > }
> > if (write(fd, abort, 1) < 0) {
> > }
> > close(fd);
> > }
> > closedir(dir);
> > } else {
> > }
> > while (waitpid(-1, status, __WALL) != pid) {
> > }
> > }
> >
> > static void setup_test()
> > {
> > prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
> > setpgrp();
> > write_file("/proc/self/oom_score_adj", "1000");
> > }
> >
> > static void close_fds()
> > {
> > for (int fd = 3; fd < MAX_FDS; fd++)
> > close(fd);
> > }
> >
> > #define USLEEP_FORKED_CHILD (3 * 50 * 1000)
> >
> > static long handle_clone_ret(long ret)
> > {
> > if (ret != 0) {
> > return ret;
> > }
> > usleep(USLEEP_FORKED_CHILD);
> > syscall(__NR_exit, 0);
> > while (1) {
> > }
> > }
> >
> > static long syz_clone(volatile long flags, volatile long stack,
> > volatile long stack_len, volatile long ptid,
> > volatile long ctid, volatile long tls)
> > {
> > long sp = (stack + stack_len) & ~15;
> > long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
> > return handle_clone_ret(ret);
> > }
> >
> > static void execute_one(void);
> >
> > #define WAIT_FLAGS __WALL
> >
> > static void loop(void)
> > {
> > int iter = 0;
> > for (;; iter++) {
> > int pid = fork();
> > if (pid < 0)
> > exit(1);
> > if (pid == 0) {
> > setup_test();
> > execute_one();
> > close_fds();
> > exit(0);
> > }
> > int status = 0;
> > uint64_t start = current_time_ms();
> > for (;;) {
> > if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
> > break;
> > sleep_ms(1);
> > if (current_time_ms() - start < 5000)
> > continue;
> > kill_and_wait(pid, &status);
> > break;
> > }
> > }
> > }
> >
> > void execute_one(void)
> > {
> > syz_clone(/*flags=CLONE_IO*/ 0x80000000, /*stack=*/0x20000140,
> > /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0);
> > }
> > int main(void)
> > {
> > syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
> > /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
> > /*offset=*/0ul);
> > syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
> > /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
> > /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
> > /*offset=*/0ul);
> > syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
> > /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
> > /*offset=*/0ul);
> > do_sandbox_none();
> > return 0;
> > }
> >
> >
> > Remember to run this repro.txt with the command: syz-execprog -repeat
> > 0 ./repro.txt and wait for about 1 minute; the bug triggers very
> > steadily.
> >
> > =* repro.txt =*
> > syz_mount_image$nilfs2(&(0x7f0000000000),
> > &(0x7f0000000a80)='./file0\x00', 0x808, &(0x7f00000000c0)=ANY=[], 0x1,
> > 0xa4a, &(0x7f0000001540)="...")
> > r0 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) (async)
> > r1 = open(&(0x7f0000007f80)='./bus\x00', 0x145142, 0x0)
> > cachestat(r1, &(0x7f00000002c0)={0x6}, &(0x7f0000000300), 0x0) (async)
> > r2 = syz_open_procfs(0xffffffffffffffff,
> > &(0x7f0000000100)='mountinfo\x00') (async)
> > r3 = open(&(0x7f0000000a40)='./bus\x00', 0x141a42, 0x0)
> > r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) (async)
> > ptrace(0x10, 0x0) (async)
> > r5 = syz_clone(0x80000000,
> > &(0x7f0000000140)="1d7f3ef3f0b0129f8d083226510ecc0713b2af6e7901a607532fa2a7176fefdd7e66e6402ef8b579a00dd83d555182afa044f65b0ac668c2063ac33b34bb48411c11d456d584ec4140aebe97e1950ad7c4bd2bffcef175625a27a11f559e8ddb031d27c2be3a2216a1e9f87f5d68b8b0b690e67bfcc8a8ec9af998c1a8eaef215c771e45eee015e8ce9b17015da79c48a7b87459c4a88781ffd9d1ec6870c4d7220ffc6a66f7828db1297aa12e00503dde7a5c",
> > 0xb3, &(0x7f0000000080), &(0x7f00000000c0),
> > &(0x7f0000000200)="994665d2b9d5239b789d65f6ec184c1ea67003ce8f474755e439f58560c42a241a31e540479e0752cad17884d9024cb854dc6798ada62550c8264b5488daff5387419b22f01fa57630317e8c24ac37d892d70e380b7164dfaa886b72a17f08df76c1057a2268b39aad4e0e759eef1abc6e5e664e7f3057c1d70d897ba5104664e96d92c1d8bd420f78368f522169f713ed03315d69de28d77af27ec8881f54633a5dd5d54635e74ad8c896918c")
> > fcntl$setown(r4, 0x8, r5) (async)
> > sendfile(r3, r2, 0x0, 0x100800001) (async)
> > sendfile(r0, r1, 0x0, 0x1000000201003)
> >
> >
> > and see also in
> > https://gist.github.com/xrivendell7/744812c87156085e12c7f617ef237875.
> > BTW, in my personal observation, the syzlang reproducer can
> > trigger the bug more stably, so try using syz-execprog -repeat 0
> > ./repro.txt to trigger this bug.
> >
> > I hope it helps.
> > Best regards!
> > xingwei Lee
>
> Hi,
>
> Please let me know if you can test one.
>
> Does this issue still appear on 6.8-rc4 or later?
Hi, sorry for the delayed response.
I tested my reproducer on Linux 6.8-rc4 with the KMSAN kernel config for
one hour; it didn't trigger any crash or report. The output was as follows:
[ 315.607028][ T37] audit: type=1804 audit(1709708422.469:31293):
pid=86478 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 315.608038][T86480] 884-0[86480]: segfault at 5c7ade ip
00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 2 (core 2,
socke)
[ 315.611270][T86480] Code: Unable to access opcode bytes at 0x5c7ab4.
[ 320.575680][ T37] kauditd_printk_skb: 1253 callbacks suppressed
[ 320.575689][ T37] audit: type=1804 audit(1709708427.439:32130):
pid=88573 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 320.576419][T88575] 884-0[88575]: segfault at 5c7ade ip
00000000005c7ade sp 00000000200001f8 error 14
[ 320.576695][ T37] audit: type=1804 audit(1709708427.439:32131):
pid=88574 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 320.579042][T88575] likely on CPU 0 (core 0, socket 0)
[ 320.584184][T88575] Code: Unable to access opcode bytes at 0x5c7ab4.
[ 320.593832][ T37] audit: type=1804 audit(1709708427.459:32132):
pid=88578 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 320.594549][T88580] 884-0[88580]: segfault at 5c7ade ip
00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 1 (core 1,
socke)
[ 320.596256][ T37] audit: type=1804 audit(1709708427.459:32133):
pid=88579 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 320.597901][T88580] Code: Unable to access opcode bytes at 0x5c7ab4.
[ 320.610954][ T37] audit: type=1804 audit(1709708427.479:32134):
pid=88583 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 320.611700][T88585] 884-0[88585]: segfault at 5c7ade ip
00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 2 (core 2,
socke)
[ 320.613455][ T37] audit: type=1804 audit(1709708427.479:32135):
pid=88584 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 320.615959][T88585] Code: Unable to access opcode bytes at 0x5c7ab4.
[ 320.628571][ T37] audit: type=1804 audit(1709708427.489:32136):
pid=88588 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 325.582663][ T37] kauditd_printk_skb: 1280 callbacks suppressed
[ 325.582673][ T37] audit: type=1804 audit(1709708432.449:32990):
pid=90727 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 325.583320][T90729] 884-0[90729]: segfault at 5c7ade ip
00000000005c7ade sp 00000000200001f8 error 14
[ 325.583460][ T37] audit: type=1804 audit(1709708432.449:32991):
pid=90728 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 325.585838][T90729] likely on CPU 1 (core 1, socket 0)
[ 325.590985][T90729] Code: Unable to access opcode bytes at 0x5c7ab4.
[ 325.599620][ T37] audit: type=1804 audit(1709708432.459:32992):
pid=90732 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 325.601818][T90734] 884-0[90734]: segfault at 5c7ade ip
00000000005c7ade sp 00000000200001f8 error 14
[ 325.601827][ T37] audit: type=1804 audit(1709708432.459:32993):
pid=90733 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 325.603945][T90734] likely on CPU 2 (core 2, socket 0)
[ 325.607037][T90734] Code: Unable to access opcode bytes at 0x5c7ab4.
[ 325.617928][ T37] audit: type=1804 audit(1709708432.479:32994):
pid=90737 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 325.618862][T90739] 884-0[90739]: segfault at 5c7ade ip
00000000005c7ade sp 00000000200001f8 error 14
[ 325.620190][ T37] audit: type=1804 audit(1709708432.479:32995):
pid=90738 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
[ 325.623238][T90739] likely on CPU 0 (core 0, socket 0)
[ 325.623803][T90739] Code: Unable to access opcode bytes at 0x5c7ab4.
[ 325.632693][ T37] audit: type=1804 audit(1709708432.499:32996):
pid=90742 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
It seems this issue has been fixed.
>
> I'd like to isolate that the issue is still not fixed with the latest
> fixes, but I need to do some trial and error to reestablish a testable
> (bootable) KMSAN-enabled kernel config.
>
> Thanks,
> Ryusuke Konishi
On Wed, Mar 6, 2024 at 4:07 PM xingwei lee wrote:
> On 3 Mar 2024, at 20:45, Ryusuke Konishi <[email protected]> wrote:
>
> Hi, sorry for the delayed response.
>
> I tested my reproducer on Linux 6.8-rc4 with the KMSAN kernel config for one hour; it didn't trigger any crash or report. The output was as follows:
>
> [ 315.607028][ T37] audit: type=1804 audit(1709708422.469:31293): pid=86478 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 315.608038][T86480] 884-0[86480]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 2 (core 2, socke)
> [ 315.611270][T86480] Code: Unable to access opcode bytes at 0x5c7ab4.
> [ 320.575680][ T37] kauditd_printk_skb: 1253 callbacks suppressed
> [ 320.575689][ T37] audit: type=1804 audit(1709708427.439:32130): pid=88573 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 320.576419][T88575] 884-0[88575]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14
> [ 320.576695][ T37] audit: type=1804 audit(1709708427.439:32131): pid=88574 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 320.579042][T88575] likely on CPU 0 (core 0, socket 0)
> [ 320.584184][T88575] Code: Unable to access opcode bytes at 0x5c7ab4.
> [ 320.593832][ T37] audit: type=1804 audit(1709708427.459:32132): pid=88578 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 320.594549][T88580] 884-0[88580]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 1 (core 1, socke)
> [ 320.596256][ T37] audit: type=1804 audit(1709708427.459:32133): pid=88579 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 320.597901][T88580] Code: Unable to access opcode bytes at 0x5c7ab4.
> [ 320.610954][ T37] audit: type=1804 audit(1709708427.479:32134): pid=88583 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 320.611700][T88585] 884-0[88585]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 2 (core 2, socke)
> [ 320.613455][ T37] audit: type=1804 audit(1709708427.479:32135): pid=88584 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 320.615959][T88585] Code: Unable to access opcode bytes at 0x5c7ab4.
> [ 320.628571][ T37] audit: type=1804 audit(1709708427.489:32136): pid=88588 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 325.582663][ T37] kauditd_printk_skb: 1280 callbacks suppressed
> [ 325.582673][ T37] audit: type=1804 audit(1709708432.449:32990): pid=90727 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 325.583320][T90729] 884-0[90729]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14
> [ 325.583460][ T37] audit: type=1804 audit(1709708432.449:32991): pid=90728 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 325.585838][T90729] likely on CPU 1 (core 1, socket 0)
> [ 325.590985][T90729] Code: Unable to access opcode bytes at 0x5c7ab4.
> [ 325.599620][ T37] audit: type=1804 audit(1709708432.459:32992): pid=90732 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 325.601818][T90734] 884-0[90734]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14
> [ 325.601827][ T37] audit: type=1804 audit(1709708432.459:32993): pid=90733 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 325.603945][T90734] likely on CPU 2 (core 2, socket 0)
> [ 325.607037][T90734] Code: Unable to access opcode bytes at 0x5c7ab4.
> [ 325.617928][ T37] audit: type=1804 audit(1709708432.479:32994): pid=90737 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 325.618862][T90739] 884-0[90739]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14
> [ 325.620190][ T37] audit: type=1804 audit(1709708432.479:32995): pid=90738 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> [ 325.623238][T90739] likely on CPU 0 (core 0, socket 0)
> [ 325.623803][T90739] Code: Unable to access opcode bytes at 0x5c7ab4.
> [ 325.632693][ T37] audit: type=1804 audit(1709708432.499:32996): pid=90742 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
>
> It seems this issue has been fixed.
>
> I'd like to isolate that the issue is still not fixed with the latest
> fixes, but I need to do some trial and error to reestablish a testable
> (bootable) KMSAN-enabled kernel config.
>
> Thanks,
> Ryusuke Konishi
>
>
> I hope it helps.
> Best regards
> xingwei Lee
Thank you!
That helps a lot.
Regards,
Ryusuke Konishi
On Wed, Mar 6, 2024 at 4:20 PM Ryusuke Konishi wrote:
>
> On Wed, Mar 6, 2024 at 4:07 PM xingwei lee wrote:
> > On 3 Mar 2024, at 20:45, Ryusuke Konishi <[email protected]> wrote:
> >
> > Hi, sorry for the delayed response.
> >
> > I tested my reproducer on Linux 6.8-rc4 with the KMSAN kernel config for one hour; it didn't trigger any crash or report. The output was as follows:
> >
> > [ 315.607028][ T37] audit: type=1804 audit(1709708422.469:31293): pid=86478 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 315.608038][T86480] 884-0[86480]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 2 (core 2, socke)
> > [ 315.611270][T86480] Code: Unable to access opcode bytes at 0x5c7ab4.
> > [ 320.575680][ T37] kauditd_printk_skb: 1253 callbacks suppressed
> > [ 320.575689][ T37] audit: type=1804 audit(1709708427.439:32130): pid=88573 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 320.576419][T88575] 884-0[88575]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14
> > [ 320.576695][ T37] audit: type=1804 audit(1709708427.439:32131): pid=88574 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 320.579042][T88575] likely on CPU 0 (core 0, socket 0)
> > [ 320.584184][T88575] Code: Unable to access opcode bytes at 0x5c7ab4.
> > [ 320.593832][ T37] audit: type=1804 audit(1709708427.459:32132): pid=88578 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 320.594549][T88580] 884-0[88580]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 1 (core 1, socke)
> > [ 320.596256][ T37] audit: type=1804 audit(1709708427.459:32133): pid=88579 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 320.597901][T88580] Code: Unable to access opcode bytes at 0x5c7ab4.
> > [ 320.610954][ T37] audit: type=1804 audit(1709708427.479:32134): pid=88583 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 320.611700][T88585] 884-0[88585]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 2 (core 2, socke)
> > [ 320.613455][ T37] audit: type=1804 audit(1709708427.479:32135): pid=88584 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 320.615959][T88585] Code: Unable to access opcode bytes at 0x5c7ab4.
> > [ 320.628571][ T37] audit: type=1804 audit(1709708427.489:32136): pid=88588 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 325.582663][ T37] kauditd_printk_skb: 1280 callbacks suppressed
> > [ 325.582673][ T37] audit: type=1804 audit(1709708432.449:32990): pid=90727 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 325.583320][T90729] 884-0[90729]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14
> > [ 325.583460][ T37] audit: type=1804 audit(1709708432.449:32991): pid=90728 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 325.585838][T90729] likely on CPU 1 (core 1, socket 0)
> > [ 325.590985][T90729] Code: Unable to access opcode bytes at 0x5c7ab4.
> > [ 325.599620][ T37] audit: type=1804 audit(1709708432.459:32992): pid=90732 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 325.601818][T90734] 884-0[90734]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14
> > [ 325.601827][ T37] audit: type=1804 audit(1709708432.459:32993): pid=90733 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 325.603945][T90734] likely on CPU 2 (core 2, socket 0)
> > [ 325.607037][T90734] Code: Unable to access opcode bytes at 0x5c7ab4.
> > [ 325.617928][ T37] audit: type=1804 audit(1709708432.479:32994): pid=90737 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 325.618862][T90739] 884-0[90739]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14
> > [ 325.620190][ T37] audit: type=1804 audit(1709708432.479:32995): pid=90738 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> > [ 325.623238][T90739] likely on CPU 0 (core 0, socket 0)
> > [ 325.623803][T90739] Code: Unable to access opcode bytes at 0x5c7ab4.
> > [ 325.632693][ T37] audit: type=1804 audit(1709708432.499:32996): pid=90742 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0
> >
> > It seems this issue has been fixed.
> >
> > I'd like to isolate that the issue is still not fixed with the latest
> > fixes, but I need to do some trial and error to reestablish a testable
> > (bootable) KMSAN-enabled kernel config.
> >
> > Thanks,
> > Ryusuke Konishi
> >
> >
> > I hope it helps.
> > Best regards
> > xingwei Lee
>
> Thank you!
> That helps a lot.
>
> Regards,
> Ryusuke Konishi
Ahh. Looking at the February 28th syzbot crash, it appears that this
issue still exists in recent -rc releases.
So I'm going to investigate without closing it.
Regards,
Ryusuke Konishi
syzbot has found a reproducer for the following issue on:
HEAD commit: e8b0ccb2a787 Merge tag '9p-for-6.9-rc3' of https://github...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=115eb623180000
kernel config: https://syzkaller.appspot.com/x/.config?x=5112b3f484393436
dashboard link: https://syzkaller.appspot.com/bug?extid=47a017c46edb25eff048
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=156679a1180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f27ef6180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cf4b0d1e3b2d/disk-e8b0ccb2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/422cac6cc940/vmlinux-e8b0ccb2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9a4df48e199b/bzImage-e8b0ccb2.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/69e1e69e7522/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
=====================================================
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KMSAN: uninit-value in crc32_le_base+0x43c/0xd80 lib/crc32.c:197
crc32_body lib/crc32.c:110 [inline]
crc32_le_generic lib/crc32.c:179 [inline]
crc32_le_base+0x43c/0xd80 lib/crc32.c:197
nilfs_segbuf_fill_in_data_crc fs/nilfs2/segbuf.c:224 [inline]
nilfs_add_checksums_on_logs+0xb80/0xe40 fs/nilfs2/segbuf.c:327
nilfs_segctor_do_construct+0x9876/0xdeb0 fs/nilfs2/segment.c:2078
nilfs_segctor_construct+0x1eb/0xe30 fs/nilfs2/segment.c:2381
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2489 [inline]
nilfs_segctor_thread+0xc50/0x11e0 fs/nilfs2/segment.c:2573
kthread+0x3e2/0x540 kernel/kthread.c:388
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
Uninit was stored to memory at:
memcpy_from_iter lib/iov_iter.c:73 [inline]
iterate_bvec include/linux/iov_iter.h:122 [inline]
iterate_and_advance2 include/linux/iov_iter.h:249 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
__copy_from_iter lib/iov_iter.c:249 [inline]
copy_page_from_iter_atomic+0x12b7/0x2b60 lib/iov_iter.c:481
generic_perform_write+0x4c1/0xc60 mm/filemap.c:3982
__generic_file_write_iter+0x20a/0x460 mm/filemap.c:4069
generic_file_write_iter+0x103/0x5b0 mm/filemap.c:4095
__kernel_write_iter+0x68b/0xc40 fs/read_write.c:523
dump_emit_page fs/coredump.c:890 [inline]
dump_user_range+0x8dc/0xee0 fs/coredump.c:951
elf_core_dump+0x520f/0x59c0 fs/binfmt_elf.c:2077
do_coredump+0x32d5/0x4920 fs/coredump.c:764
get_signal+0x267e/0x2d00 kernel/signal.c:2896
arch_do_signal_or_restart+0x53/0xcb0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x5d/0x160 kernel/entry/common.c:218
do_syscall_64+0xe4/0x1f0 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x72/0x7a
Uninit was created at:
__alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
alloc_pages_mpol+0x299/0x990 mm/mempolicy.c:2264
alloc_pages+0x1bf/0x1e0 mm/mempolicy.c:2335
dump_user_range+0x4a/0xee0 fs/coredump.c:935
elf_core_dump+0x520f/0x59c0 fs/binfmt_elf.c:2077
do_coredump+0x32d5/0x4920 fs/coredump.c:764
get_signal+0x267e/0x2d00 kernel/signal.c:2896
arch_do_signal_or_restart+0x53/0xcb0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x5d/0x160 kernel/entry/common.c:218
do_syscall_64+0xe4/0x1f0 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x72/0x7a
CPU: 0 PID: 5014 Comm: segctord Not tainted 6.9.0-rc2-syzkaller-00207-ge8b0ccb2a787 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
=====================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
On Sat, Apr 6, 2024 at 8:00 PM syzbot
<[email protected]> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: e8b0ccb2a787 Merge tag '9p-for-6.9-rc3' of https://github..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=115eb623180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5112b3f484393436
> dashboard link: https://syzkaller.appspot.com/bug?extid=47a017c46edb25eff048
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=156679a1180000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f27ef6180000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cf4b0d1e3b2d/disk-e8b0ccb2.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/422cac6cc940/vmlinux-e8b0ccb2.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/9a4df48e199b/bzImage-e8b0ccb2.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/69e1e69e7522/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> =====================================================
> BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
> BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
> BUG: KMSAN: uninit-value in crc32_le_base+0x43c/0xd80 lib/crc32.c:197
> crc32_body lib/crc32.c:110 [inline]
> crc32_le_generic lib/crc32.c:179 [inline]
> crc32_le_base+0x43c/0xd80 lib/crc32.c:197
> nilfs_segbuf_fill_in_data_crc fs/nilfs2/segbuf.c:224 [inline]
> nilfs_add_checksums_on_logs+0xb80/0xe40 fs/nilfs2/segbuf.c:327
> nilfs_segctor_do_construct+0x9876/0xdeb0 fs/nilfs2/segment.c:2078
> nilfs_segctor_construct+0x1eb/0xe30 fs/nilfs2/segment.c:2381
> nilfs_segctor_thread_construct fs/nilfs2/segment.c:2489 [inline]
> nilfs_segctor_thread+0xc50/0x11e0 fs/nilfs2/segment.c:2573
> kthread+0x3e2/0x540 kernel/kthread.c:388
> ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
>
> Uninit was stored to memory at:
> memcpy_from_iter lib/iov_iter.c:73 [inline]
> iterate_bvec include/linux/iov_iter.h:122 [inline]
> iterate_and_advance2 include/linux/iov_iter.h:249 [inline]
> iterate_and_advance include/linux/iov_iter.h:271 [inline]
> __copy_from_iter lib/iov_iter.c:249 [inline]
> copy_page_from_iter_atomic+0x12b7/0x2b60 lib/iov_iter.c:481
> generic_perform_write+0x4c1/0xc60 mm/filemap.c:3982
> __generic_file_write_iter+0x20a/0x460 mm/filemap.c:4069
> generic_file_write_iter+0x103/0x5b0 mm/filemap.c:4095
> __kernel_write_iter+0x68b/0xc40 fs/read_write.c:523
> dump_emit_page fs/coredump.c:890 [inline]
> dump_user_range+0x8dc/0xee0 fs/coredump.c:951
> elf_core_dump+0x520f/0x59c0 fs/binfmt_elf.c:2077
> do_coredump+0x32d5/0x4920 fs/coredump.c:764
> get_signal+0x267e/0x2d00 kernel/signal.c:2896
> arch_do_signal_or_restart+0x53/0xcb0 arch/x86/kernel/signal.c:310
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
> syscall_exit_to_user_mode+0x5d/0x160 kernel/entry/common.c:218
> do_syscall_64+0xe4/0x1f0 arch/x86/entry/common.c:89
> entry_SYSCALL_64_after_hwframe+0x72/0x7a
>
> Uninit was created at:
> __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
> alloc_pages_mpol+0x299/0x990 mm/mempolicy.c:2264
> alloc_pages+0x1bf/0x1e0 mm/mempolicy.c:2335
> dump_user_range+0x4a/0xee0 fs/coredump.c:935
> elf_core_dump+0x520f/0x59c0 fs/binfmt_elf.c:2077
> do_coredump+0x32d5/0x4920 fs/coredump.c:764
> get_signal+0x267e/0x2d00 kernel/signal.c:2896
> arch_do_signal_or_restart+0x53/0xcb0 arch/x86/kernel/signal.c:310
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
> syscall_exit_to_user_mode+0x5d/0x160 kernel/entry/common.c:218
> do_syscall_64+0xe4/0x1f0 arch/x86/entry/common.c:89
> entry_SYSCALL_64_after_hwframe+0x72/0x7a
>
> CPU: 0 PID: 5014 Comm: segctord Not tainted 6.9.0-rc2-syzkaller-00207-ge8b0ccb2a787 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> =====================================================
>
>
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
#syz fix: x86: call instrumentation hooks from copy_mc.c

This is one of the false-positive warnings in which the memory dumped by
elf_core_dump() was mixed into the file system side via
copy_mc_to_kernel() on x86, which was called through the following call
path and did not support KMSAN until recently:

  elf_core_dump
    dump_user_range
      dump_page_copy
        copy_mc_to_kernel
      dump_emit_page
        ...

Given the syzbot CPU information, we can confirm that the x86 ERMS
feature flag is set, a condition that is affected by the issue.

The above commit, which was merged during the merge window for v6.10,
made copy_mc_to_kernel() on x86 KMSAN-compatible and should have fixed
this issue.

Ryusuke Konishi
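To make the mechanism described in the reply above concrete, here is a small C model of KMSAN shadow tracking. It is an added example, not code from the reply, from syzbot or from the kernel: the shadow array, the check_uninit() checker and the two copy routines are this example's own names and simplifications. It shows why a copy that moves the bytes but does not also propagate KMSAN's shadow (the uninstrumented path the reply describes for copy_mc_to_kernel() on x86) leaves a freshly allocated, fully poisoned destination page looking uninitialized, so a later consumer such as a CRC over that page reports a false positive even though the copied data is identical.

```c
/*
 * Toy model of KMSAN shadow propagation (added illustration, not kernel
 * code). KMSAN keeps one shadow byte per data byte: a set shadow bit means
 * "this bit was never initialized". A copy routine that the instrumentation
 * sees also copies the shadow; a copy routine that bypasses it moves the
 * data but leaves the destination's shadow as it was at allocation time,
 * i.e. fully poisoned. Any later check on that data then fires.
 * shadow_alloc, shadow_store, copy_instrumented, copy_uninstrumented,
 * check_uninit and scenario are this example's own names.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE 64 /* toy "page" size in bytes */

struct tracked {
    uint8_t data[PAGE];
    uint8_t shadow[PAGE]; /* 0xff = every bit uninitialized, 0 = initialized */
};

/* Model of page allocation: contents unspecified, so the shadow is fully poisoned. */
static void shadow_alloc(struct tracked *t)
{
    memset(t->data, 0xA5, PAGE);   /* stale contents, whatever happened to be there */
    memset(t->shadow, 0xff, PAGE); /* KMSAN marks every byte uninitialized */
}

/* Model of an explicit, instrumented store: data written, shadow cleared. */
static void shadow_store(struct tracked *t, size_t off, const void *src, size_t n)
{
    memcpy(t->data + off, src, n);
    memset(t->shadow + off, 0, n);
}

/* Instrumented copy: data and shadow travel together. */
static void copy_instrumented(struct tracked *dst, const struct tracked *src, size_t n)
{
    memcpy(dst->data, src->data, n);
    memcpy(dst->shadow, src->shadow, n);
}

/* Uninstrumented copy: data moved, shadow untouched (the false-positive path). */
static void copy_uninstrumented(struct tracked *dst, const struct tracked *src, size_t n)
{
    memcpy(dst->data, src->data, n);
    /* No shadow update: the destination still looks uninitialized to the checker. */
}

/* Bitwise reflected CRC-32 (poly 0xEDB88320), standing in for the consumer in the report. */
static uint32_t crc32_le_toy(const uint8_t *p, size_t n)
{
    uint32_t crc = ~0u;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc & 1) ? (crc >> 1) ^ 0xEDB88320u : crc >> 1;
    }
    return ~crc;
}

/* Model of a KMSAN check at a use site: number of poisoned bytes consumed (> 0 = report). */
static size_t check_uninit(const struct tracked *t, size_t n)
{
    size_t poisoned = 0;
    for (size_t i = 0; i < n; i++)
        if (t->shadow[i])
            poisoned++;
    return poisoned;
}

/* Copy a fully initialized source page into a freshly allocated page, then "use" it. */
static size_t scenario(int instrumented)
{
    struct tracked user_page, dump_page;
    uint8_t payload[PAGE]; /* constructed sample input */
    for (size_t i = 0; i < PAGE; i++)
        payload[i] = (uint8_t)i;

    shadow_alloc(&user_page);
    shadow_store(&user_page, 0, payload, PAGE); /* source is fully initialized */
    shadow_alloc(&dump_page);                   /* destination: fresh, shadow poisoned */

    if (instrumented)
        copy_instrumented(&dump_page, &user_page, PAGE);
    else
        copy_uninstrumented(&dump_page, &user_page, PAGE);

    /* The bytes are identical either way; only the shadow differs. */
    if (memcmp(dump_page.data, user_page.data, PAGE) != 0)
        abort();
    (void)crc32_le_toy(dump_page.data, PAGE); /* the use site that KMSAN checks */
    return check_uninit(&dump_page, PAGE);
}

int main(void)
{
    printf("uninstrumented copy: %zu poisoned bytes seen at the use site\n", scenario(0));
    printf("instrumented copy:   %zu poisoned bytes seen at the use site\n", scenario(1));
    return 0;
}
```

Compile with any C compiler and run: the uninstrumented scenario reports every byte as poisoned while the instrumented one reports none, although memcmp() confirms the copied data is the same in both cases. That is what calling the instrumentation hooks achieves for copy_mc_to_kernel(): the hooks keep the shadow in step with the data rather than changing the copy itself.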