Date: Mon, 9 Mar 2020 11:11:54 -0700
From: Eric Biggers
To: Alexander Potapenko
Cc: syzbot, len.brown@intel.com, LKML, Linux PM, Pavel Machek, "Rafael J. Wysocki", syzkaller-bugs
Subject: Re: KMSAN: uninit-value in snapshot_compat_ioctl
Message-ID: <20200309181154.GB1073@sol.localdomain>
References: <000000000000938a57059f7cafe4@google.com> <20200307235437.GW15444@sol.localdomain> <20200308032434.GX15444@sol.localdomain>
List: linux-kernel@vger.kernel.org

On Mon, Mar 09, 2020 at 12:53:28PM +0100, 'Alexander Potapenko' via syzkaller-bugs wrote:
> > > Looks like a KMSAN false positive?  As far as I can tell, the memory is being
> > > initialized by put_user() called under set_fs(KERNEL_DS).
>
> Why? put_user() doesn't write to kernel memory, instead it copies a
> value to the userspace.
> That's why KMSAN performs kmsan_check_memory() on it.
> It would actually be better if KMSAN printed a kernel-infoleak warning instead.

When under set_fs(KERNEL_DS), the userspace access functions like put_user() and
copy_to_user() can write to kernel memory.  It's discouraged and people have been
trying to get rid of uses of set_fs(), but a lot still remain, since sometimes
it's useful to allow code to operate on both user and kernel memory.  A common
example is kernel_read().

> > > Although, it also looks like the problematic code can just be removed, since
> > > always sizeof(compat_loff_t) == sizeof(loff_t).  I'll send a patch to do that...
>
> Thanks!

- Eric
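The mechanism Eric describes, as an added user-space model that is not part of the thread and not code from the kernel tree: a put_user() whose destination check is gated on the current address limit, so that under KERNEL_DS it writes into a kernel stack variable, and a compat wrapper built on top of it in the shape the thread discusses. The names get_fs/set_fs/KERNEL_DS/USER_DS/put_user mirror the old kernel API, but every implementation here is a toy (a flag instead of a segment limit, an 8-byte buffer standing in for user memory), and snapshot_ioctl_model/snapshot_compat_ioctl_model are my reconstruction of the pattern, not kernel/power/user.c. The _Static_assert makes the second point of the thread explicit: compat_loff_t and loff_t are both 8 bytes, so the conversion the wrapper performs is redundant.

```c
/* Added example: user-space model of put_user() under set_fs(KERNEL_DS).
 * All names ending in _model are toy stand-ins for the kernel API, not
 * the kernel's own code.  The "user" address space is a small buffer. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int64_t loff_t_model;         /* loff_t is long long      */
typedef int64_t compat_loff_t_model;  /* compat_loff_t is s64     */

/* Same size on every architecture: the compat conversion is a no-op. */
_Static_assert(sizeof(loff_t_model) == sizeof(compat_loff_t_model),
               "compat_loff_t and loff_t must have the same size");

typedef enum { USER_DS_MODEL, KERNEL_DS_MODEL } mm_segment_t_model;
static mm_segment_t_model addr_limit = USER_DS_MODEL;

static mm_segment_t_model get_fs_model(void) { return addr_limit; }
static void set_fs_model(mm_segment_t_model fs) { addr_limit = fs; }

/* Constructed "user" memory: a single 8-byte slot. */
static unsigned char user_mem[8];

static int is_user_ptr(const void *p)
{
    const unsigned char *c = p;
    return c >= user_mem &&
           c + sizeof(loff_t_model) <= user_mem + sizeof(user_mem);
}

/* put_user(): under USER_DS only user addresses are accepted; under
 * KERNEL_DS any address is, so the write below initializes *dst even
 * when dst points at kernel memory.  That is the case KMSAN's model of
 * put_user() as a pure copy-to-user misses. */
static int put_user_model(loff_t_model val, void *dst)
{
    if (addr_limit == USER_DS_MODEL && !is_user_ptr(dst))
        return -EFAULT;
    memcpy(dst, &val, sizeof(val));
    return 0;
}

/* Native handler: hands its result back through put_user() to arg. */
static int snapshot_ioctl_model(unsigned int cmd, uintptr_t arg,
                                loff_t_model result)
{
    (void)cmd;
    return put_user_model(result, (void *)arg);
}

/* Compat handler (assumed shape): call the native handler with a pointer
 * to a kernel stack variable under KERNEL_DS, then copy it to the 32-bit
 * caller.  `offset` is uninitialized until the inner put_user() runs. */
static int snapshot_compat_ioctl_model(unsigned int cmd,
                                       compat_loff_t_model *uoffset,
                                       loff_t_model result)
{
    loff_t_model offset;
    mm_segment_t_model old_fs = get_fs_model();
    int err;

    set_fs_model(KERNEL_DS_MODEL);
    err = snapshot_ioctl_model(cmd, (uintptr_t)&offset, result);
    set_fs_model(old_fs);
    if (!err && put_user_model(offset, uoffset))
        err = -EFAULT;
    return err;
}

/* Same call without raising the limit: the kernel address is rejected. */
static int kernel_ptr_under_user_ds(loff_t_model result)
{
    loff_t_model offset;
    return snapshot_ioctl_model(0, (uintptr_t)&offset, result);
}

static loff_t_model read_user_slot(void)
{
    loff_t_model v;
    memcpy(&v, user_mem, sizeof(v));
    return v;
}

int main(void)
{
    int err = snapshot_compat_ioctl_model(0, (compat_loff_t_model *)user_mem, 4096);
    printf("compat path: err=%d user slot=%lld limit=%d\n",
           err, (long long)read_user_slot(), (int)get_fs_model());
    printf("kernel pointer under USER_DS: err=%d (-EFAULT is %d)\n",
           kernel_ptr_under_user_ds(1), -EFAULT);
    return 0;
}
```

The two paths side by side show why the report is a false positive in the model: the only thing that ever initializes `offset` is the inner put_user(), which is legitimate only because the address limit was raised around the call, and the wrapper restores the old limit before touching the real user pointer.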