From: Alexander Potapenko
Date: Wed, 24 Jan 2024 11:47:32 +0100
Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
To: Stefan Hajnoczi
Cc: syzbot, jasowang@redhat.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, virtualization@lists.linux.dev, xuanzhuo@linux.alibaba.com, bonzini@redhat.com, "Michael S. Tsirkin"
In-Reply-To: <20240104204531.GB954424@fedora>
References: <000000000000fd588e060de27ef4@google.com> <20240102080315-mutt-send-email-mst@kernel.org> <20240104204531.GB954424@fedora>

On Thu, Jan 4, 2024 at 9:45 PM Stefan Hajnoczi wrote:
>
> On Tue, Jan 02, 2024 at 08:03:46AM -0500, Michael S. Tsirkin wrote:
> > On Mon, Jan 01, 2024 at 05:38:24AM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> > > git tree: upstream
> > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com
> > >
> > > =====================================================
>
> Hi Alexander,
> Please take a look at this KMSAN failure. The uninitialized memory was
> created for the purpose of writing a coredump. vring_map_one_sg() should
> have direction=DMA_TO_DEVICE.
>

Hi Stefan,

I took a closer look, and am pretty confident this is a false positive.
I tried adding memset(..., 0xab, PAGE_SIZE << order) to alloc_pages() and
never saw the 0xab pattern in the buffers for which KMSAN reported an error.

This probably isn't an error in 88938359e2df ("virtio: kmsan: check/unpoison
scatterlist in vring_map_one_sg()"), which by itself should be doing a sane
thing: report an error if an uninitialized buffer is passed to it.

It is more likely that we're missing some initialization that happens in
coredump.c. Does anyone have an idea where coredump.c is supposed to be
initializing these pages? Maybe there are some inline assembly functions
involved in copying the data?
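A user-space model of the poison-pattern cross-check described in the reply above, added here as an illustration and not code from the thread or from the kernel: the struct, the one-byte-per-byte shadow array, the copy paths and the mode numbers are all constructed for the example, and the shadow array is a deliberately simplified stand-in for KMSAN's real shadow memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN 64
#define POISON  0xab  /* same fill pattern as the memset() experiment in the mail */
/* Toy KMSAN model: one shadow byte per data byte, non-zero = uninitialised. */
struct tracked_buf { uint8_t data[BUF_LEN]; uint8_t shadow[BUF_LEN]; };
enum verdict { CLEAN = 0, GENUINE_UNINIT = 1, LIKELY_FALSE_POSITIVE = 2 };
/* Stand-in for alloc_pages() plus the diagnostic memset(): data is poisoned
 * and KMSAN marks every byte's shadow as uninitialised. */
static void model_alloc(struct tracked_buf *b) {
    memset(b->data, POISON, BUF_LEN);
    memset(b->shadow, 1, BUF_LEN);
}
/* A copy KMSAN instruments: the shadow travels with the data. */
static void instrumented_copy(struct tracked_buf *dst, const struct tracked_buf *src) {
    memcpy(dst->data, src->data, BUF_LEN);
    memcpy(dst->shadow, src->shadow, BUF_LEN);
}
/* A copy KMSAN does not see (the inline-asm hypothesis from the mail): the
 * bytes arrive, but dst's shadow still claims they are uninitialised. */
static void uninstrumented_copy(struct tracked_buf *dst, const struct tracked_buf *src) {
    memcpy(dst->data, src->data, BUF_LEN);
}
/* Bytes still holding the poison pattern, i.e. never written since allocation. */
static size_t poison_bytes(const struct tracked_buf *b) {
    size_t n = 0;
    for (size_t i = 0; i < BUF_LEN; i++) n += (b->data[i] == POISON);
    return n;
}
/* Cross-check what KMSAN would report against the poison scan. */
static enum verdict classify(const struct tracked_buf *b) {
    bool shadow_uninit = false;
    for (size_t i = 0; i < BUF_LEN; i++) shadow_uninit |= (b->shadow[i] != 0);
    if (!shadow_uninit) return CLEAN;                 /* KMSAN stays silent */
    return poison_bytes(b) > 0 ? GENUINE_UNINIT : LIKELY_FALSE_POSITIVE;
}
/* Fresh page left untouched (mode 0), or filled from a fully initialised buffer
 * through the uninstrumented (1) or instrumented (2) copy path. */
static enum verdict run_scenario(int mode) {
    struct tracked_buf src, dst;
    model_alloc(&src);
    for (size_t i = 0; i < BUF_LEN; i++) { src.data[i] = (uint8_t)i; src.shadow[i] = 0; }
    model_alloc(&dst);
    if (mode == 1) uninstrumented_copy(&dst, &src);
    else if (mode == 2) instrumented_copy(&dst, &src);
    return classify(&dst);
}
```

Scanning for a single byte value can be fooled by real data that happens to contain 0xab, so on a real page look for long runs of the pattern rather than isolated bytes before calling a report genuine.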