Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4572835imu; Tue, 15 Jan 2019 02:17:55 -0800 (PST) X-Google-Smtp-Source: ALg8bN5PjtwKiIhdTqfkk6ewbQnCUN96CinPUt/mAkBzmnDNe9rd/m/98kpUd95ebS/OksvNPwE+ X-Received: by 2002:a17:902:4:: with SMTP id 4mr3370442pla.20.1547547475534; Tue, 15 Jan 2019 02:17:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547547475; cv=none; d=google.com; s=arc-20160816; b=w/J3KP0RKxCsS5wAzNAr5cEgjDmXifjal0l8Wy1HB0vA7uNYFhVWAvCey2XXzlwuLP 5ExD0uRUgICQGBesITKGrfrw22VrBkdVHeaRNtbehbB1GoJGgus2Pq2Rsqw0uwrFmiIP oZCNXyAJhCKqJ8LNOa8wyftmZpv6cbm5XZWa7sQeSvsCzwoLh+7TfEvSiH7t3P2x7Ow6 cPEunO8irKdoIuSfDvmWxa7aXvDyPtgQdWADtsYisYAi62LgRhd5I9WxucfzfvzCVLG/ F5zU1bGWZo1sAgO36r+MRoVOsSzesRj8LksrsRiFZa9ypEr0Nia+Z1lv/fI1LgpnU5P3 jdDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:openpgp:from:references:cc:to:subject; bh=3soo2zXXEsAUGQTSn/XKo/T95oMR2WN7I70JsnvNftA=; b=wxsf4cHmotJvDfbjTHQaCFcA4ffaNjy69B3XOBbwjePP/tFvCst7ftUl7Q36SPmrSm tIwxfHJbZmt66BVnI90r9YVBofA9ddwHHiXKCMqNoZriOyCrwt+c/DdGJ0mDFKKxCGMz hJQEYDbdciQs0/LL/swdjEwn6pw3yZ48SriCzy6hwsmeqLUHTG+5YoXUjwC9ZAxqM6v2 TYNGnVAtCmCDp5c36VjsNyRKBgwDCgH7hcXrntAgmxW7Oibmu9AAz5/1KIyIAn7UqNsu oMVMf2e9T4lqtoWMJSnt1Fx1iHfKQ2+Qe4DsDJdFrSjSDhp0zpqoVdJwl8qyEc+hEC+T wASQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g71si2818759pgc.419.2019.01.15.02.17.40; Tue, 15 Jan 2019 02:17:55 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727986AbfAOKGt (ORCPT + 99 others); Tue, 15 Jan 2019 05:06:49 -0500 Received: from mx2.suse.de ([195.135.220.15]:36680 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727200AbfAOKGt (ORCPT ); Tue, 15 Jan 2019 05:06:49 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 05C79ADF5; Tue, 15 Jan 2019 10:06:46 +0000 (UTC) Subject: Re: KMSAN: uninit-value in mpol_rebind_mm To: Andrew Morton Cc: Dmitry Vyukov , syzbot , Andrea Arcangeli , Alexander Potapenko , "Kirill A. Shutemov" , LKML , Linux-MM , linux@dominikbrodowski.net, Michal Hocko , David Rientjes , syzkaller-bugs , xieyisheng1@huawei.com, zhong jiang References: <000000000000c06550057e4cac7c@google.com> <52835ef5-6351-3852-d4ba-b6de285f96f5@suse.cz> <20190104172802.ce9c4b77577a9c2810f04171@linux-foundation.org> From: Vlastimil Babka Openpgp: preference=signencrypt Message-ID: <73da3e9c-cc84-509e-17d9-0c434bb9967d@suse.cz> Date: Tue, 15 Jan 2019 11:06:44 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.3 MIME-Version: 1.0 In-Reply-To: <20190104172802.ce9c4b77577a9c2810f04171@linux-foundation.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/5/19 2:28 AM, Andrew Morton wrote: > On Fri, 4 Jan 2019 09:50:31 +0100 Vlastimil Babka wrote: > >>> Yes, it doesn't and it's not trivial to do. The tool reports uses of >>> unint _values_. Values don't necessary reside in memory. It can be a >>> register, that come from another register that was calculated as a sum >>> of two other values, which may come from a function argument, etc. >> >> I see. BTW, the patch I sent will be picked up for testing, or does it >> have to be in mmotm/linux-next first? > > I grabbed it. To go further we'd need a changelog, a signoff, > description of testing status, reviews, a Fixes: and perhaps a > cc:stable ;) Here's the full patch. Since there was no reproducer, there probably won't be any conclusive testing, but we might interpret lack of further KSMSAN reports as a success :) ----8<---- From 81ad0c822cb022cacea9b69565e12aac96dfb3fc Mon Sep 17 00:00:00 2001 From: Vlastimil Babka Date: Thu, 3 Jan 2019 09:31:59 +0100 Subject: [PATCH] mm, mempolicy: fix uninit memory access Syzbot with KMSAN reports (excerpt): ================================================================== BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:353 [inline] BUG: KMSAN: uninit-value in mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384 CPU: 1 PID: 17420 Comm: syz-executor4 Not tainted 4.20.0-rc7+ #15 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x173/0x1d0 lib/dump_stack.c:113 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295 mpol_rebind_policy mm/mempolicy.c:353 [inline] mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384 update_tasks_nodemask+0x608/0xca0 kernel/cgroup/cpuset.c:1120 update_nodemasks_hier kernel/cgroup/cpuset.c:1185 [inline] update_nodemask kernel/cgroup/cpuset.c:1253 [inline] cpuset_write_resmask+0x2a98/0x34b0 kernel/cgroup/cpuset.c:1728 ... Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline] kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158 kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176 kmem_cache_alloc+0x572/0xb90 mm/slub.c:2777 mpol_new mm/mempolicy.c:276 [inline] do_mbind mm/mempolicy.c:1180 [inline] kernel_mbind+0x8a7/0x31a0 mm/mempolicy.c:1347 __do_sys_mbind mm/mempolicy.c:1354 [inline] As it's difficult to report where exactly the uninit value resides in the mempolicy object, we have to guess a bit. mm/mempolicy.c:353 contains this part of mpol_rebind_policy(): if (!mpol_store_user_nodemask(pol) && nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) "mpol_store_user_nodemask(pol)" is testing pol->flags, which I couldn't ever see being uninitialized after leaving mpol_new(). So I'll guess it's actually about accessing pol->w.cpuset_mems_allowed on line 354, but still part of statement starting on line 353. For w.cpuset_mems_allowed to be not initialized, and the nodes_equal() reachable for a mempolicy where mpol_set_nodemask() is called in do_mbind(), it seems the only possibility is a MPOL_PREFERRED policy with empty set of nodes, i.e. MPOL_LOCAL equivalent, with MPOL_F_LOCAL flag. Let's exclude such policies from the nodes_equal() check. Note the uninit access should be benign anyway, as rebinding this kind of policy is always a no-op. Therefore no actual need for stable inclusion. Link: http://lkml.kernel.org/r/a71997c3-e8ae-a787-d5ce-3db05768b27c@suse.cz Reported-by: syzbot+b19c2dc2c990ea657a71@syzkaller.appspotmail.com Signed-off-by: Vlastimil Babka Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Andrea Arcangeli Cc: "Kirill A. Shutemov" Cc: Michal Hocko Cc: David Rientjes Cc: Yisheng Xie Cc: zhong jiang Signed-off-by: Andrew Morton --- mm/mempolicy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/mempolicy.c b/mm/mempolicy.c index d4496d9d34f5..a0b7487b9112 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -350,7 +350,7 @@ static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask) { if (!pol) return; - if (!mpol_store_user_nodemask(pol) && + if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) && nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) return; -- 2.20.1