Date: Wed, 14 Dec 2022 15:16:13 +0100
From: David Sterba
To: Alexander Potapenko
Cc: Eric Biggers, syzbot, clm@fb.com, dsterba@suse.com, josef@toxicpanda.com, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KMSAN: uninit-value in longest_match
Message-ID: <20221214141613.GB10499@suse.cz>
Reply-To: dsterba@suse.cz
References: <0000000000004f995905ef61a764@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Dec 14, 2022 at 02:56:56PM +0100, Alexander Potapenko wrote:
> On Tue, Dec 13, 2022 at 7:40 AM Eric Biggers wrote:
> > On Fri, Dec 09, 2022 at 01:19:41AM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    30d2727189c5 kmsan: fix memcpy tests
> > > git tree:       https://github.com/google/kmsan.git master
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=117d38f5880000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a2144983ada8b4f3
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=14d9e7602ebdf7ec0a60
> > > compiler:       clang version 15.0.0 (https://github.com/llvm/llvm-project.git 610139d2d9ce6746b3c617fb3e2f7886272d26ff), GNU ld (GNU Binutils for Debian) 2.35.2
> > > userspace arch: i386
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/1e8c2d419c2e/disk-30d27271.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/9e8a728a72a9/vmlinux-30d27271.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/89f71c80c707/bzImage-30d27271.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+14d9e7602ebdf7ec0a60@syzkaller.appspotmail.com
> > >
> > > =====================================================
> > > BUG: KMSAN: uninit-value in longest_match+0xc88/0x1220 lib/zlib_deflate/deflate.c:668
> > >  longest_match+0xc88/0x1220 lib/zlib_deflate/deflate.c:668
> > >  deflate_fast+0x1838/0x2280 lib/zlib_deflate/deflate.c:954
> > >  zlib_deflate+0x1783/0x22b0 lib/zlib_deflate/deflate.c:410
> > >  zlib_compress_pages+0xd34/0x1f90 fs/btrfs/zlib.c:178
> > >  compression_compress_pages fs/btrfs/compression.c:77 [inline]
> > >  btrfs_compress_pages+0x325/0x440 fs/btrfs/compression.c:1208
> > >  compress_file_range+0x11ac/0x3510 fs/btrfs/inode.c:730
> > >  async_cow_start+0x33/0xd0 fs/btrfs/inode.c:1458
> > >  btrfs_work_helper+0x55a/0x990 fs/btrfs/async-thread.c:280
> > >  process_one_work+0xb27/0x13e0 kernel/workqueue.c:2289
> > >  worker_thread+0x1076/0x1d60 kernel/workqueue.c:2436
> > >  kthread+0x31b/0x430 kernel/kthread.c:376
> > >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
> >
> > zlib has long been known to use initialized values in longest_match().  This
> > issue is mentioned in the zlib FAQ.  I personally consider this to be a bug, as
> > the code could be written in a way such that it doesn't use uninitialized
> > memory.  However, zlib considers it to be "safe" and "working as intended".
> >
> > Note that the copy of zlib in Linux is not really being maintained, and it is
> > based on a 25-year old version of zlib.  However, upstream zlib does not change
> > much anyway (it's very hard to get changes accepted into it), and as far as I
> > can tell even the latest version of upstream zlib has this same issue.
> >
> > So I suppose the way to resolve this syzbot report is to just add
> > __no_kmsan_checks to longest_match().  The real issue, though, is that zlib
> > hasn't kept up with the times (nor has Linux kept up with zlib).
> >
>
> Can't we just pass __GFP_ZERO when allocating the workspace here:
>
> diff --git a/fs/btrfs/zlib.c b/fs/btrfs/zlib.c
> index b4f44662cda7c..23dc5628f8209 100644
> --- a/fs/btrfs/zlib.c
> +++ b/fs/btrfs/zlib.c
> @@ -63,7 +63,8 @@ struct list_head *zlib_alloc_workspace(unsigned int level)
>
>         workspacesize = max(zlib_deflate_workspacesize(MAX_WBITS,
> MAX_MEM_LEVEL),
>                         zlib_inflate_workspacesize());
> -       workspace->strm.workspace = kvmalloc(workspacesize, GFP_KERNEL);
> +       workspace->strm.workspace = kvmalloc(workspacesize,
> +                                            GFP_KERNEL | __GFP_ZERO);

Currently none of the compression workspaces does allocation with zeroing.
I'm not sure if we should actually zero the work memory right before use,
in the *get_workspace helpers so that each compression starts from the
same state. But this will be a performance hit and not actually necessary
if it's not required by the compression methods. Which would leave only
the allocation as the place to zero the memory.

If it's really just zlib that needs that then OK, I'd suggest using
kvzalloc instead of __GFP_ZERO.
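Review bot: the quoted hunk is incomplete: its header `@@ -63,7 +63,8 @@` promises three more unchanged context lines after `+ GFP_KERNEL | __GFP_ZERO);`, but none are shown, so the patch as quoted will not apply without being regenerated. For the change itself, `kvzalloc(workspacesize, GFP_KERNEL)` is the conventional spelling of `kvmalloc(workspacesize, GFP_KERNEL | __GFP_ZERO)` and keeps the call on one line. The commit message should also state that this zeroes the buffer only once, at allocation: a workspace handed out again by the get_workspace helpers carries whatever the previous deflate left in it, so later longest_match() reads see stale rather than zero bytes; that still satisfies KMSAN, because the bytes were written, but it means the one-time zeroing only removes the report and does not give each compression a clean starting state.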
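As an added illustration of the point Eric makes above (that longest_match() reads hash-chain entries that were never written, and that such a read only influences which match candidates are tried), here is a small LZ77 matcher in the shape of zlib's longest_match(), written for this thread and not taken from zlib, btrfs or the patch. It runs once on a zeroed workspace, as kvzalloc() or __GFP_ZERO would provide, and then reuses the same workspace unzeroed for a second input, the cached-workspace situation David describes. The names (workspace, hash3, longest_match, compress_lz, roundtrip, tokens_fresh, demo), the table sizes and the sample inputs are all constructed for the example.

```c
/* Toy LZ77 matcher modelled on zlib's longest_match(); constructed example,
 * not code from zlib, btrfs or the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WSIZE      4096
#define HASH_BITS  8
#define HASH_SIZE  (1u << HASH_BITS)
#define MIN_MATCH  3
#define MAX_MATCH  64
#define MAX_CHAIN  16

struct workspace {
    uint8_t  window[WSIZE];      /* input bytes (zlib keeps these in its window) */
    uint16_t head[HASH_SIZE];    /* hash -> last position + 1, 0 = empty        */
    uint16_t prev[WSIZE];        /* position -> previous position + 1 in chain  */
};

struct token { uint16_t dist; uint8_t len; uint8_t lit; }; /* dist == 0: literal */

static unsigned hash3(const uint8_t *p)
{
    return ((p[0] << 5) ^ (p[1] << 3) ^ p[2]) & (HASH_SIZE - 1);
}

/* Walk the hash chain for the 3 bytes at 'pos' and return the best match length
 * (0 if shorter than MIN_MATCH), storing the distance in *dist. Stale or zero
 * entries in head[]/prev[] can only cut the chain short: a candidate is used
 * only if it lies strictly before pos, the chain keeps moving backwards, and
 * the candidate bytes really equal the bytes at pos. */
static unsigned longest_match(const struct workspace *ws, unsigned pos,
                              unsigned n, unsigned *dist)
{
    unsigned best = 0, chain = MAX_CHAIN;
    unsigned cand = ws->head[hash3(ws->window + pos)];
    unsigned limit = n - pos < MAX_MATCH ? n - pos : MAX_MATCH;

    while (cand != 0 && cand - 1 < pos && chain--) {
        unsigned c = cand - 1, len = 0;
        while (len < limit && ws->window[c + len] == ws->window[pos + len])
            len++;
        if (len > best) { best = len; *dist = pos - c; }
        if (best == limit) break;
        if (ws->prev[c] >= cand) break;   /* stale entry would not move backwards */
        cand = ws->prev[c];
    }
    return best >= MIN_MATCH ? best : 0;
}

/* Greedy compression into literal / (dist,len) tokens; returns the token count. */
static unsigned compress_lz(struct workspace *ws, const uint8_t *in, unsigned n,
                            struct token *out)
{
    unsigned pos = 0, ntok = 0;
    memcpy(ws->window, in, n);
    while (pos < n) {
        unsigned dist = 0, len = 0;
        if (pos + MIN_MATCH <= n)
            len = longest_match(ws, pos, n, &dist);
        if (len) out[ntok++] = (struct token){ (uint16_t)dist, (uint8_t)len, 0 };
        else     out[ntok++] = (struct token){ 0, 1, in[pos] };
        /* insert every consumed position into the chains, as deflate does */
        for (unsigned i = 0; i < (len ? len : 1); i++, pos++) {
            if (pos + MIN_MATCH <= n) {
                unsigned h = hash3(ws->window + pos);
                ws->prev[pos] = ws->head[h];
                ws->head[h] = (uint16_t)(pos + 1);
            }
        }
    }
    return ntok;
}

static unsigned decompress_lz(const struct token *tok, unsigned ntok, uint8_t *out)
{
    unsigned n = 0;
    for (unsigned i = 0; i < ntok; i++) {
        if (tok[i].dist == 0) { out[n++] = tok[i].lit; continue; }
        for (unsigned k = 0; k < tok[i].len; k++, n++)
            out[n] = out[n - tok[i].dist];     /* byte loop handles overlap */
    }
    return n;
}

/* Compress 'in' with 'ws' and check it decodes back; returns the token count,
 * or 0 if the round trip failed. */
static unsigned roundtrip(struct workspace *ws, const char *in)
{
    static struct token tok[WSIZE];
    static uint8_t back[WSIZE];
    unsigned n = (unsigned)strlen(in);
    if (n == 0 || n >= WSIZE) return 0;
    unsigned ntok = compress_lz(ws, (const uint8_t *)in, n, tok);
    unsigned m = decompress_lz(tok, ntok, back);
    return (m == n && memcmp(back, in, n) == 0) ? ntok : 0;
}

/* Same, from a freshly zeroed workspace (what kvzalloc()/__GFP_ZERO would give). */
static unsigned tokens_fresh(const char *in)
{
    static struct workspace ws;
    memset(&ws, 0, sizeof ws);
    return roundtrip(&ws, in);
}

/* Zeroed first use, then unzeroed reuse for a different input, then the second
 * input again from a clean workspace. Returns 1 if every round trip succeeded. */
static int demo(void)
{
    static struct workspace ws;
    const char *a = "abcabcabcabc the quick brown fox the quick brown fox";   /* constructed */
    const char *b = "xyzxyzxyzxyz lazy dogs lazy dogs lazy dogs xyzxyz";      /* constructed */
    memset(&ws, 0, sizeof ws);
    unsigned t1 = roundtrip(&ws, a);   /* all-zero hash tables */
    unsigned t2 = roundtrip(&ws, b);   /* head/prev hold stale entries from 'a' */
    unsigned t3 = tokens_fresh(b);     /* 'b' from a clean workspace */
    printf("tokens: zeroed=%u reused=%u rezeroed=%u\n", t1, t2, t3);
    return t1 && t2 && t3;
}

int main(void) { return demo() ? 0 : 1; }
```

The three guards in longest_match() (candidate before pos, chain strictly descending, bytes compared before use) are what make the contents of head[] and prev[] irrelevant to correctness, whether they are zero, garbage from an unzeroed allocation, or leftovers from an earlier compression; they only change how many candidates get examined, which is the "safe but uninitialized" situation the thread is about. The token counts are printed so the zeroed and reused runs can be compared.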