Freshly allocated memory contains garbage, better make sure
to init all struct v2r1_disk_dqblk fields to avoid KMSAN report:
BUG: KMSAN: uninit-value in qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218
CPU: 0 PID: 23373 Comm: syz-executor.1 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x21c/0x280 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219
qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218
v2r1_mem2diskdqb+0x43d/0x710 fs/quota/quota_v2.c:285
qtree_write_dquot+0x226/0x870 fs/quota/quota_tree.c:394
v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333
dquot_commit+0x4af/0x600 fs/quota/dquot.c:482
ext4_write_dquot fs/ext4/super.c:5934 [inline]
ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985
mark_dquot_dirty fs/quota/dquot.c:347 [inline]
mark_all_dquot_dirty fs/quota/dquot.c:385 [inline]
dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755
__ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155
ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686
vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283
do_tmpfile fs/namei.c:3316 [inline]
path_openat+0x4035/0x6a90 fs/namei.c:3359
do_filp_open+0x2b8/0x710 fs/namei.c:3395
do_sys_openat2+0xa88/0x1140 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_compat_sys_openat fs/open.c:1242 [inline]
__se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240
__ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240
do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
__do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139
do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7ff4549
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f55cd0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000000
RDX: 0000000000410481 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126
kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80
slab_alloc_node mm/slub.c:2907 [inline]
slab_alloc mm/slub.c:2916 [inline]
__kmalloc+0x2bb/0x4b0 mm/slub.c:3982
kmalloc include/linux/slab.h:559 [inline]
getdqbuf+0x56/0x150 fs/quota/quota_tree.c:52
qtree_write_dquot+0xf2/0x870 fs/quota/quota_tree.c:378
v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333
dquot_commit+0x4af/0x600 fs/quota/dquot.c:482
ext4_write_dquot fs/ext4/super.c:5934 [inline]
ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985
mark_dquot_dirty fs/quota/dquot.c:347 [inline]
mark_all_dquot_dirty fs/quota/dquot.c:385 [inline]
dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755
__ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155
ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686
vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283
do_tmpfile fs/namei.c:3316 [inline]
path_openat+0x4035/0x6a90 fs/namei.c:3359
do_filp_open+0x2b8/0x710 fs/namei.c:3395
do_sys_openat2+0xa88/0x1140 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_compat_sys_openat fs/open.c:1242 [inline]
__se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240
__ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240
do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
__do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139
do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Fixes: 498c60153ebb ("quota: Implement quota format with 64-bit space and inode limits")
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Jan Kara <[email protected]>
---
fs/quota/quota_v2.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c
index 58fc2a7c7fd19f0be265e8189e476782571cbcfe..e69a2bfdd81c050c1ff2653528f803bd402fb399 100644
--- a/fs/quota/quota_v2.c
+++ b/fs/quota/quota_v2.c
@@ -282,6 +282,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot)
d->dqb_curspace = cpu_to_le64(m->dqb_curspace);
d->dqb_btime = cpu_to_le64(m->dqb_btime);
d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id));
+ d->dqb_pad = 0;
if (qtree_entry_unused(info, dp))
d->dqb_itime = cpu_to_le64(1);
}
--
2.28.0.681.g6f77f65b4e-goog
On Thu 24-09-20 11:36:19, Eric Dumazet wrote:
> Freshly allocated memory contains garbage, better make sure
> to init all struct v2r1_disk_dqblk fields to avoid KMSAN report:
>
> BUG: KMSAN: uninit-value in qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218
> CPU: 0 PID: 23373 Comm: syz-executor.1 Not tainted 5.9.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x21c/0x280 lib/dump_stack.c:118
> kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
> __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219
> qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218
> v2r1_mem2diskdqb+0x43d/0x710 fs/quota/quota_v2.c:285
> qtree_write_dquot+0x226/0x870 fs/quota/quota_tree.c:394
> v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333
> dquot_commit+0x4af/0x600 fs/quota/dquot.c:482
> ext4_write_dquot fs/ext4/super.c:5934 [inline]
> ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985
> mark_dquot_dirty fs/quota/dquot.c:347 [inline]
> mark_all_dquot_dirty fs/quota/dquot.c:385 [inline]
> dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755
> __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155
> ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686
> vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283
> do_tmpfile fs/namei.c:3316 [inline]
> path_openat+0x4035/0x6a90 fs/namei.c:3359
> do_filp_open+0x2b8/0x710 fs/namei.c:3395
> do_sys_openat2+0xa88/0x1140 fs/open.c:1168
> do_sys_open fs/open.c:1184 [inline]
> __do_compat_sys_openat fs/open.c:1242 [inline]
> __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240
> __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240
> do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
> __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139
> do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
> do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
> entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> RIP: 0023:0xf7ff4549
> Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
> RSP: 002b:00000000f55cd0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000127
> RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000000
> RDX: 0000000000410481 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
>
> Uninit was created at:
> kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
> kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126
> kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80
> slab_alloc_node mm/slub.c:2907 [inline]
> slab_alloc mm/slub.c:2916 [inline]
> __kmalloc+0x2bb/0x4b0 mm/slub.c:3982
> kmalloc include/linux/slab.h:559 [inline]
> getdqbuf+0x56/0x150 fs/quota/quota_tree.c:52
> qtree_write_dquot+0xf2/0x870 fs/quota/quota_tree.c:378
> v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333
> dquot_commit+0x4af/0x600 fs/quota/dquot.c:482
> ext4_write_dquot fs/ext4/super.c:5934 [inline]
> ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985
> mark_dquot_dirty fs/quota/dquot.c:347 [inline]
> mark_all_dquot_dirty fs/quota/dquot.c:385 [inline]
> dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755
> __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155
> ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686
> vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283
> do_tmpfile fs/namei.c:3316 [inline]
> path_openat+0x4035/0x6a90 fs/namei.c:3359
> do_filp_open+0x2b8/0x710 fs/namei.c:3395
> do_sys_openat2+0xa88/0x1140 fs/open.c:1168
> do_sys_open fs/open.c:1184 [inline]
> __do_compat_sys_openat fs/open.c:1242 [inline]
> __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240
> __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240
> do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
> __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139
> do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
> do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
> entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
>
> Fixes: 498c60153ebb ("quota: Implement quota format with 64-bit space and inode limits")
> Signed-off-by: Eric Dumazet <[email protected]>
> Cc: Jan Kara <[email protected]>
Thanks for the patch! I've added it to my tree.
Honza
> ---
> fs/quota/quota_v2.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c
> index 58fc2a7c7fd19f0be265e8189e476782571cbcfe..e69a2bfdd81c050c1ff2653528f803bd402fb399 100644
> --- a/fs/quota/quota_v2.c
> +++ b/fs/quota/quota_v2.c
> @@ -282,6 +282,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot)
> d->dqb_curspace = cpu_to_le64(m->dqb_curspace);
> d->dqb_btime = cpu_to_le64(m->dqb_btime);
> d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id));
> + d->dqb_pad = 0;
> if (qtree_entry_unused(info, dp))
> d->dqb_itime = cpu_to_le64(1);
> }
> --
> 2.28.0.681.g6f77f65b4e-goog
>
--
Jan Kara <[email protected]>
SUSE Labs, CR