Hello,
syzbot found the following issue on:
HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
=====================================================
BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
__virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
__blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
kthread+0x3ed/0x540 kernel/kthread.c:388
ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
__filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
ext4_file_write_iter+0x20f/0x3460
__kernel_write_iter+0x329/0x930 fs/read_write.c:517
dump_emit_page fs/coredump.c:888 [inline]
dump_user_range+0x593/0xcd0 fs/coredump.c:915
elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
do_coredump+0x32c9/0x4920 fs/coredump.c:764
get_signal+0x2185/0x2d10 kernel/signal.c:2890
arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
irqentry_exit+0x16/0x40 kernel/entry/common.c:412
exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
Bytes 0-4095 of 4096 are uninitialized
Memory access of size 4096 starts at ffff88812c79c000
CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: kblockd blk_mq_run_work_fn
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: [email protected]
#syz set subsystems: mm
On 2024/01/01 22:38, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> =====================================================
> BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
> vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
> virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
> __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
> virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
> virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
> scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
> scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
> blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
> __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
> blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
> __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
> blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
> blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
> process_one_work kernel/workqueue.c:2627 [inline]
> process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
> worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
> kthread+0x3ed/0x540 kernel/kthread.c:388
> ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
>
> Uninit was created at:
> __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
> alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
> alloc_pages mm/mempolicy.c:2204 [inline]
> folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
> filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
> __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
> ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
> generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
> ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
> ext4_file_write_iter+0x20f/0x3460
> __kernel_write_iter+0x329/0x930 fs/read_write.c:517
> dump_emit_page fs/coredump.c:888 [inline]
> dump_user_range+0x593/0xcd0 fs/coredump.c:915
> elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
> do_coredump+0x32c9/0x4920 fs/coredump.c:764
> get_signal+0x2185/0x2d10 kernel/signal.c:2890
> arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
> exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
> exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
> irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
> irqentry_exit+0x16/0x40 kernel/entry/common.c:412
> exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
> asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
>
> Bytes 0-4095 of 4096 are uninitialized
> Memory access of size 4096 starts at ffff88812c79c000
>
> CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> Workqueue: kblockd blk_mq_run_work_fn
> =====================================================
On Mon, Jan 01, 2024 at 05:38:24AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> =====================================================
> BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
> vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
> virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
> __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
> virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
> virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
> scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
> scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
> blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
> __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
> blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
> __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
> blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
> blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
> process_one_work kernel/workqueue.c:2627 [inline]
> process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
> worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
> kthread+0x3ed/0x540 kernel/kthread.c:388
> ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
>
> Uninit was created at:
> __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
> alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
> alloc_pages mm/mempolicy.c:2204 [inline]
> folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
> filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
> __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
> ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
> generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
> ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
> ext4_file_write_iter+0x20f/0x3460
> __kernel_write_iter+0x329/0x930 fs/read_write.c:517
> dump_emit_page fs/coredump.c:888 [inline]
> dump_user_range+0x593/0xcd0 fs/coredump.c:915
> elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
> do_coredump+0x32c9/0x4920 fs/coredump.c:764
> get_signal+0x2185/0x2d10 kernel/signal.c:2890
> arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
> exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
> exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
> irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
> irqentry_exit+0x16/0x40 kernel/entry/common.c:412
> exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
> asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
>
> Bytes 0-4095 of 4096 are uninitialized
> Memory access of size 4096 starts at ffff88812c79c000
>
> CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> Workqueue: kblockd blk_mq_run_work_fn
> =====================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at [email protected].
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
On Tue, Jan 02, 2024 at 08:03:46AM -0500, Michael S. Tsirkin wrote:
> On Mon, Jan 01, 2024 at 05:38:24AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> > git tree: upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> > dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
> > =====================================================
Hi Alexander,
Please take a look at this KMSAN failure. The uninitialized memory was
created for the purpose of writing a coredump. vring_map_one_sg() should
have direction=DMA_TO_DEVICE.
I can't easily tell whether this is a genuine bug or an issue with
commit 88938359e2df ("virtio: kmsan: check/unpoison scatterlist in
vring_map_one_sg()"). Maybe coredump.c is writing out pages that KMSAN
thinks are uninitialized?
Stefan
> > BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> > BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> > BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
> > vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> > virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> > virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
> > virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
> > __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
> > virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
> > virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
> > scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
> > scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
> > blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
> > __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
> > blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
> > __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
> > blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
> > blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
> > process_one_work kernel/workqueue.c:2627 [inline]
> > process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
> > worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
> > kthread+0x3ed/0x540 kernel/kthread.c:388
> > ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
> > ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> >
> > Uninit was created at:
> > __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
> > alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
> > alloc_pages mm/mempolicy.c:2204 [inline]
> > folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
> > filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
> > __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
> > ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
> > generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
> > ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
> > ext4_file_write_iter+0x20f/0x3460
> > __kernel_write_iter+0x329/0x930 fs/read_write.c:517
> > dump_emit_page fs/coredump.c:888 [inline]
> > dump_user_range+0x593/0xcd0 fs/coredump.c:915
> > elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
> > do_coredump+0x32c9/0x4920 fs/coredump.c:764
> > get_signal+0x2185/0x2d10 kernel/signal.c:2890
> > arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
> > exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
> > exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
> > irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
> > irqentry_exit+0x16/0x40 kernel/entry/common.c:412
> > exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
> > asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
> >
> > Bytes 0-4095 of 4096 are uninitialized
> > Memory access of size 4096 starts at ffff88812c79c000
> >
> > CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> > Workqueue: kblockd blk_mq_run_work_fn
> > =====================================================
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at [email protected].
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> >
> > If you want syzbot to run the reproducer, reply with:
> > #syz test: git://repo/address.git branch-or-commit-hash
> > If you attach or paste a git patch, syzbot will apply it before testing.
> >
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> >
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> >
> > If you want to undo deduplication, reply with:
> > #syz undup
>
On Thu, Jan 4, 2024 at 9:45 PM Stefan Hajnoczi <[email protected]> wrote:
>
> On Tue, Jan 02, 2024 at 08:03:46AM -0500, Michael S. Tsirkin wrote:
> > On Mon, Jan 01, 2024 at 05:38:24AM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> > > git tree: upstream
> > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: [email protected]
> > >
> > > =====================================================
>
> Hi Alexander,
> Please take a look at this KMSAN failure. The uninitialized memory was
> created for the purpose of writing a coredump. vring_map_one_sg() should
> have direction=DMA_TO_DEVICE.
>
Hi Stefan,
I took a closer look, and am pretty confident this is a false positive.
I tried adding memset(..., 0xab, PAGE_SIZE << order) to alloc_pages()
and never saw the 0xab pattern in the buffers for which KMSAN reported an error.
This probably isn't an error in 88938359e2df ("virtio: kmsan:
check/unpoison scatterlist in vring_map_one_sg()"), which by itself
should be doing a sane thing: report an error if an uninitialized buffer
is passed to it. It is more likely that we're missing some initialization
that happens in coredump.c.
Does anyone have an idea where coredump.c is supposed to be
initializing these pages?
Maybe there are some inline assembly functions involved in copying the data?
On Wed, Jan 24, 2024 at 11:47:32AM +0100, Alexander Potapenko wrote:
> On Thu, Jan 4, 2024 at 9:45 PM Stefan Hajnoczi <[email protected]> wrote:
> >
> > On Tue, Jan 02, 2024 at 08:03:46AM -0500, Michael S. Tsirkin wrote:
> > > On Mon, Jan 01, 2024 at 05:38:24AM -0800, syzbot wrote:
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> > > > git tree: upstream
> > > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> > > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> > > >
> > > > Downloadable assets:
> > > > disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> > > > vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> > > > kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: [email protected]
> > > >
> > > > =====================================================
> >
> > Hi Alexander,
> > Please take a look at this KMSAN failure. The uninitialized memory was
> > created for the purpose of writing a coredump. vring_map_one_sg() should
> > have direction=DMA_TO_DEVICE.
> >
> Hi Stefan,
>
> I took a closer look, and am pretty confident this is a false positive.
> I tried adding memset(..., 0xab, PAGE_SIZE << order) to alloc_pages()
> and never saw
> the 0xab pattern in the buffers for which KMSAN reported an error.
>
> This probably isn't an error in 88938359e2df ("virtio: kmsan:
> check/unpoison scatterlist in
> vring_map_one_sg()"), which by itself should be doing a sane thing:
> report an error if an
> uninitialized buffer is passed to it. It is more likely that we're
> missing some initialization that
> happens in coredump.c
>
> Does anyone have an idea where coredump.c is supposed to be
> initializing these pages?
> Maybe there are some inline assembly functions involved in copying the data?
Thanks for your time looking into this!
Stefan
please test uninit-value in virtqueue_add (4)
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 9d1bdcdc1331..4ca6627a7459 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
size_t req_size, size_t resp_size)
{
struct scsi_cmnd *sc = cmd->sc;
- struct scatterlist *sgs[6], req, resp;
+ struct scatterlist *sgs[6], req = {}, resp = {};
struct sg_table *out, *in;
unsigned out_num = 0, in_num = 0;
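Review bot: The empty initializers added to `req` and `resp` carry no comment saying what they are for, so a later reader cannot tell whether they fix a functional bug or only quiet a sanitizer; a comment such as `/* Zero the on-stack sg descriptors so KMSAN does not report their unused fields as uninitialized. */` would make the intent explicit. If, as I would expect in this function, both descriptors are later filled with sg_init_one() before being passed to virtqueue_add_sgs(), the initializers duplicate that call's clearing of the struct, and the comment should say so (or the initializers be dropped). `__virtscsi_add_cmd()`'s body continues past the hunk. The identical hunk is repeated in the later `#syz test` submissions and in the quoted copy further down the thread, so the same note applies there.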
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
rose_ndevs=16 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=8 kmsan.panic=1 BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[ 0.436786][ T0] Unknown kernel command line parameters "page_owner=on spec_store_bypass_disable=prctl watchdog_thresh=55 BOOT_IMAGE=/boot/bzImage", will be passed to user space.
[ 0.439567][ T0] random: crng init done
[ 0.440342][ T0] Fallback order for Node 0: 0 1
[ 0.440387][ T0] Fallback order for Node 1: 1 0
[ 0.440402][ T0] Built 2 zonelists, mobility grouping on. Total pages: 2055933
[ 0.443831][ T0] Policy zone: Normal
[ 0.444788][ T0] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.709507][ T0] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.710697][ T0] stackdepot hash table entries: 524288 (order: 11, 8388608 bytes, linear)
[ 0.714527][ T0] software IO TLB: area num 2.
[ 0.805862][ T0] Memory: 2335784K/8388204K available (227328K kernel code, 9515K rwdata, 14976K rodata, 4256K init, 2096K bss, 1372684K reserved, 0K cma-reserved)
[ 0.810734][ T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[ 0.811929][ T0] Starting KernelMemorySanitizer
[ 0.812611][ T0] ATTENTION: KMSAN is a debugging tool! Do not use it on production machines!
SeaBIOS (version 1.8.2-google)
Total RAM Size = 0x0000000200000000 = 8192 MiB
CPUs found: 2 Max CPUs supported: 2
SeaBIOS (version 1.8.2-google)
Machine UUID ee6e2ee3-62a1-1e1b-9da6-871c6e7e270f
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=4194304 = 2048 MiB
drive 0x000f2870: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304
Sending Seabios boot VM event.
Booting from Hard Disk 0...
[ 0.000000][ T0] Linux version 6.8.0-rc1-syzkaller-gecb1b8288dc7-dirty (syzkaller@syzkaller) (Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40) #0 SMP PREEMPT_DYNAMIC now
[ 0.000000][ T0] Command line: BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[ 0.000000][ T0] KERNEL supported cpus:
[ 0.000000][ T0] Intel GenuineIntel
[ 0.000000][ T0] AMD AuthenticAMD
[ 0.000000][ T0] BIOS-provided physical RAM map:
[ 0.000000][ T0] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[ 0.000000][ T0] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[ 0.000000][ T0] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[ 0.000000][ T0] BIOS-e820: [mem 0x0000000000100000-0x00000000bfffcfff] usable
[ 0.000000][ T0] BIOS-e820: [mem 0x00000000bfffd000-0x00000000bfffffff] reserved
[ 0.000000][ T0] BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved
[ 0.000000][ T0] BIOS-e820: [mem 0x0000000100000000-0x000000023fffffff] usable
[ 0.000000][ T0] printk: legacy bootconsole [earlyser0] enabled
[ 0.000000][ T0] ERROR: earlyprintk= earlyser already used
[ 0.000000][ T0] ERROR: earlyprintk= earlyser already used
[ 0.000000][ T0] **********************************************************
[ 0.000000][ T0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000][ T0] ** **
[ 0.000000][ T0] ** This system shows unhashed kernel memory addresses **
[ 0.000000][ T0] ** via the console, logs, and other interfaces. This **
[ 0.000000][ T0] ** might reduce the security of your system. **
[ 0.000000][ T0] ** **
[ 0.000000][ T0] ** If you see this message and you are not debugging **
[ 0.000000][ T0] ** the kernel, report this immediately to your system **
[ 0.000000][ T0] ** administrator! **
[ 0.000000][ T0] ** **
[ 0.000000][ T0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000][ T0] **********************************************************
[ 0.000000][ T0] Malformed early option 'vsyscall'
[ 0.000000][ T0] nopcid: PCID feature disabled
[ 0.000000][ T0] NX (Execute Disable) protection: active
[ 0.000000][ T0] APIC: Static calls initialized
[ 0.000000][ T0] SMBIOS 2.4 present.
[ 0.000000][ T0] DMI: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 0.000000][ T0] Hypervisor detected: KVM
[ 0.000000][ T0] kvm-clock: Using msrs 4b564d01 and 4b564d00
[ 0.000003][ T0] kvm-clock: using sched offset of 5361175763 cycles
[ 0.000979][ T0] clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[ 0.004869][ T0] tsc: Detected 2200.152 MHz processor
[ 0.013186][ T0] last_pfn = 0x240000 max_arch_pfn = 0x400000000
[ 0.014422][ T0] MTRR map: 4 entries (3 fixed + 1 variable; max 19), built from 8 variable MTRRs
[ 0.016036][ T0] x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
[ 0.017511][ T0] last_pfn = 0xbfffd max_arch_pfn = 0x400000000
[ 0.025734][ T0] found SMP MP-table at [mem 0x000f2b30-0x000f2b3f]
[ 0.027084][ T0] Using GB pages for direct mapping
[ 0.031479][ T0] ACPI: Early table checksum verification disabled
[ 0.032936][ T0] ACPI: RSDP 0x00000000000F28B0 000014 (v00 Google)
[ 0.034280][ T0] ACPI: RSDT 0x00000000BFFFFFA0 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001)
[ 0.036044][ T0] ACPI: FACP 0x00000000BFFFF330 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001)
[ 0.037902][ T0] ACPI: DSDT 0x00000000BFFFD8C0 001A64 (v01 Google GOOGDSDT 00000001 GOOG 00000001)
[ 0.040136][ T0] ACPI: FACS 0x00000000BFFFD880 000040
[ 0.041374][ T0] ACPI: FACS 0x00000000BFFFD880 000040
[ 0.042421][ T0] ACPI: SRAT 0x00000000BFFFFE60 0000C8 (v03 Google GOOGSRAT 00000001 GOOG 00000001)
[ 0.044426][ T0] ACPI: APIC 0x00000000BFFFFDB0 000076 (v05 Google GOOGAPIC 00000001 GOOG 00000001)
[ 0.046543][ T0] ACPI: SSDT 0x00000000BFFFF430 000980 (v01 Google GOOGSSDT 00000001 GOOG 00000001)
[ 0.048530][ T0] ACPI: WAET 0x00000000BFFFFE30 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001)
[ 0.050596][ T0] ACPI: Reserving FACP table memory at [mem 0xbffff330-0xbffff423]
[ 0.051916][ T0] ACPI: Reserving DSDT table memory at [mem 0xbfffd8c0-0xbffff323]
[ 0.053117][ T0] ACPI: Reserving FACS table memory at [mem 0xbfffd880-0xbfffd8bf]
[ 0.054371][ T0] ACPI: Reserving FACS table memory at [mem 0xbfffd880-0xbfffd8bf]
[ 0.055840][ T0] ACPI: Reserving SRAT table memory at [mem 0xbffffe60-0xbfffff27]
[ 0.058109][ T0] ACPI: Reserving APIC table memory at [mem 0xbffffdb0-0xbffffe25]
[ 0.059864][ T0] ACPI: Reserving SSDT table memory at [mem 0xbffff430-0xbffffdaf]
[ 0.061666][ T0] ACPI: Reserving WAET table memory at [mem 0xbffffe30-0xbffffe57]
[ 0.063198][ T0] SRAT: PXM 0 -> APIC 0x00 -> Node 0
[ 0.064065][ T0] SRAT: PXM 0 -> APIC 0x01 -> Node 0
[ 0.064984][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00000000-0x0009ffff]
[ 0.066942][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00100000-0xbfffffff]
[ 0.068354][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0x23fffffff]
[ 0.069621][ T0] NUMA: Node 0 [mem 0x00000000-0x0009ffff] + [mem 0x00100000-0xbfffffff] -> [mem 0x00000000-0xbfffffff]
[ 0.071997][ T0] NUMA: Node 0 [mem 0x00000000-0xbfffffff] + [mem 0x100000000-0x23fffffff] -> [mem 0x00000000-0x23fffffff]
[ 0.075579][ T0] Faking node 0 at [mem 0x0000000000000000-0x000000013fffffff] (5120MB)
[ 0.077333][ T0] Faking node 1 at [mem 0x0000000140000000-0x000000023fffffff] (4096MB)
[ 0.079984][ T0] NODE_DATA(0) allocated [mem 0x13fffa000-0x13fffffff]
[ 0.082677][ T0] NODE_DATA(1) allocated [mem 0x23fff7000-0x23fffcfff]
[ 0.104743][ T0] Zone ranges:
[ 0.105603][ T0] DMA [mem 0x0000000000001000-0x0000000000ffffff]
[ 0.107187][ T0] DMA32 [mem 0x0000000001000000-0x00000000ffffffff]
[ 0.109218][ T0] Normal [mem 0x0000000100000000-0x000000023fffffff]
[ 0.110726][ T0] Device empty
[ 0.111630][ T0] Movable zone start for each node
[ 0.113093][ T0] Early memory node ranges
[ 0.113926][ T0] node 0: [mem 0x0000000000001000-0x000000000009efff]
[ 0.115166][ T0] node 0: [mem 0x0000000000100000-0x00000000bfffcfff]
[ 0.116887][ T0] node 0: [mem 0x0000000100000000-0x000000013fffffff]
[ 0.117924][ T0] node 1: [mem 0x0000000140000000-0x000000023fffffff]
[ 0.119129][ T0] Initmem setup node 0 [mem 0x0000000000001000-0x000000013fffffff]
[ 0.120252][ T0] Initmem setup node 1 [mem 0x0000000140000000-0x000000023fffffff]
[ 0.122345][ T0] On node 0, zone DMA: 1 pages in unavailable ranges
[ 0.123755][ T0] On node 0, zone DMA: 97 pages in unavailable ranges
[ 0.244127][ T0] On node 0, zone Normal: 3 pages in unavailable ranges
[ 0.365187][ T0] ACPI: PM-Timer IO Port: 0xb008
[ 0.366213][ T0] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[ 0.367294][ T0] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
[ 0.369026][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[ 0.370283][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[ 0.371435][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[ 0.372688][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[ 0.373776][ T0] ACPI: Using ACPI (MADT) for SMP configuration information
[ 0.374745][ T0] smpboot: Allowing 2 CPUs, 0 hotplug CPUs
[ 0.375648][ T0] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[ 0.378087][ T0] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x0009ffff]
[ 0.379781][ T0] PM: hibernation: Registered nosave memory: [mem 0x000a0000-0x000effff]
[ 0.381429][ T0] PM: hibernation: Registered nosave memory: [mem 0x000f0000-0x000fffff]
[ 0.383062][ T0] PM: hibernation: Registered nosave memory: [mem 0xbfffd000-0xbfffffff]
[ 0.384796][ T0] PM: hibernation: Registered nosave memory: [mem 0xc0000000-0xfffbbfff]
[ 0.386969][ T0] PM: hibernation: Registered nosave memory: [mem 0xfffbc000-0xffffffff]
[ 0.389189][ T0] [mem 0xc0000000-0xfffbbfff] available for PCI devices
[ 0.390657][ T0] Booting paravirtualized kernel on KVM
[ 0.392046][ T0] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.395073][ T0] setup_percpu: NR_CPUS:8 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:2
[ 0.398586][ T0] percpu: Embedded 176 pages/cpu s683016 r8192 d29688 u1048576
[ 0.400406][ T0] Kernel command line: earlyprintk=serial net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 binder.debug_mask=0 rcupdate.rcu_expedited=1 rcupdate.rcu_cpu_stall_cputime=1 no_hash_pointers page_owner=on sysctl.vm.nr_hugepages=4 sysctl.vm.nr_overcommit_hugepages=4 secretmem.enable=1 sysctl.max_rcu_stall_to_panic=1 msr.allow_writes=off coredump_filter=0xffff root=/dev/sda console=ttyS0 vsyscall=native numa=fake=2 kvm-intel.nested=1 spec_store_bypass_disable=prctl nopcid vivid.n_devs=16 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=16 rose.rose_ndevs=16 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=8 kmsan.panic=1 BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[ 0.424272][ T0] Unknown kernel command line parameters "page_owner=on spec_store_bypass_disable=prctl watchdog_thresh=55 BOOT_IMAGE=/boot/bzImage", will be passed to user space.
[ 0.428208][ T0] random: crng init done
[ 0.429106][ T0] Fallback order for Node 0: 0 1
[ 0.429151][ T0] Fallback order for Node 1: 1 0
[ 0.429165][ T0] Built 2 zonelists, mobility grouping on. Total pages: 2055933
[ 0.432106][ T0] Policy zone: Normal
[ 0.432815][ T0] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.697820][ T0] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.699706][ T0] stackdepot hash table entries: 524288 (order: 11, 8388608 bytes, linear)
[ 0.703815][ T0] software IO TLB: area num 2.
[ 0.793637][ T0] Memory: 2335784K/8388204K available (227328K kernel code, 9515K rwdata, 14976K rodata, 4256K init, 2096K bss, 1372684K reserved, 0K cma-reserved)
[ 0.798348][ T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[ 0.799788][ T0] Starting KernelMemorySanitizer
[ 0.800749][ T0] ATTENTION: KMSAN is a debugging tool! Do not use it on production machines!
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build948879897=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 9bd8dcda8
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9bd8dcda8c7c494d59bd3132a668f4784ea835c6\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1565fca7e80000
Tested on:
commit: ecb1b828 Merge tag 'net-6.8-rc2' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=2a91fdc4fbf06a67
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1098fe5fe80000
please test uninit-value in virtqueue_add (4)
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3
diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 9d1bdcdc1331..4ca6627a7459 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
size_t req_size, size_t resp_size)
{
struct scsi_cmnd *sc = cmd->sc;
- struct scatterlist *sgs[6], req, resp;
+ struct scatterlist *sgs[6], req = {}, resp = {};
struct sg_table *out, *in;
unsigned out_num = 0, in_num = 0;
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to checkout kernel repo https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git on commit fbafc3e621c3: failed to run ["git" "fetch" "--force" "--tags" "4d52a57a3858a6eee0d0b25cc3a0c9533f747d8f" "fbafc3e621c3"]: exit status 128
fatal: couldn't find remote ref fbafc3e621c3
Tested on:
commit: [unknown]
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3
kernel config: https://syzkaller.appspot.com/x/.config?x=656820e61b758b15
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=132ce437e80000
please test uninit-value in virtqueue_add (4)
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 9d1bdcdc1331..4ca6627a7459 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
size_t req_size, size_t resp_size)
{
struct scsi_cmnd *sc = cmd->sc;
- struct scatterlist *sgs[6], req, resp;
+ struct scatterlist *sgs[6], req = {}, resp = {};
struct sg_table *out, *in;
unsigned out_num = 0, in_num = 0;
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
r for Node 0: 0 1
[ 0.419258][ T0] Fallback order for Node 1: 1 0
[ 0.419274][ T0] Built 2 zonelists, mobility grouping on. Total pages: 2055933
[ 0.422796][ T0] Policy zone: Normal
[ 0.423582][ T0] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.686873][ T0] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.688786][ T0] stackdepot hash table entries: 524288 (order: 11, 8388608 bytes, linear)
[ 0.692810][ T0] software IO TLB: area num 2.
[ 0.783779][ T0] Memory: 2335784K/8388204K available (227328K kernel code, 9515K rwdata, 14976K rodata, 4256K init, 2096K bss, 1372684K reserved, 0K cma-reserved)
[ 0.788226][ T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[ 0.790343][ T0] Starting KernelMemorySanitizer
[ 0.791103][ T0] ATTENTION: KMSAN is a debugging tool! Do not use it on production machines!
SeaBIOS (version 1.8.2-google)
Total RAM Size = 0x0000000200000000 = 8192 MiB
CPUs found: 2 Max CPUs supported: 2
SeaBIOS (version 1.8.2-google)
Machine UUID c5e8ef89-17a7-409e-eaf1-2344b557078b
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=4194304 = 2048 MiB
drive 0x000f2870: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304
Sending Seabios boot VM event.
Booting from Hard Disk 0...
[ 0.000000][ T0] Linux version 6.8.0-rc1-syzkaller-00169-gecb1b8288dc7-dirty (syzkaller@syzkaller) (Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40) #0 SMP PREEMPT_DYNAMIC now
[ 0.000000][ T0] Command line: BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[ 0.000000][ T0] KERNEL supported cpus:
[ 0.000000][ T0] Intel GenuineIntel
[ 0.000000][ T0] AMD AuthenticAMD
[ 0.000000][ T0] BIOS-provided physical RAM map:
[ 0.000000][ T0] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[ 0.000000][ T0] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[ 0.000000][ T0] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[ 0.000000][ T0] BIOS-e820: [mem 0x0000000000100000-0x00000000bfffcfff] usable
[ 0.000000][ T0] BIOS-e820: [mem 0x00000000bfffd000-0x00000000bfffffff] reserved
[ 0.000000][ T0] BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved
[ 0.000000][ T0] BIOS-e820: [mem 0x0000000100000000-0x000000023fffffff] usable
[ 0.000000][ T0] printk: legacy bootconsole [earlyser0] enabled
[ 0.000000][ T0] ERROR: earlyprintk= earlyser already used
[ 0.000000][ T0] ERROR: earlyprintk= earlyser already used
[ 0.000000][ T0] **********************************************************
[ 0.000000][ T0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000][ T0] ** **
[ 0.000000][ T0] ** This system shows unhashed kernel memory addresses **
[ 0.000000][ T0] ** via the console, logs, and other interfaces. This **
[ 0.000000][ T0] ** might reduce the security of your system. **
[ 0.000000][ T0] ** **
[ 0.000000][ T0] ** If you see this message and you are not debugging **
[ 0.000000][ T0] ** the kernel, report this immediately to your system **
[ 0.000000][ T0] ** administrator! **
[ 0.000000][ T0] ** **
[ 0.000000][ T0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000][ T0] **********************************************************
[ 0.000000][ T0] Malformed early option 'vsyscall'
[ 0.000000][ T0] nopcid: PCID feature disabled
[ 0.000000][ T0] NX (Execute Disable) protection: active
[ 0.000000][ T0] APIC: Static calls initialized
[ 0.000000][ T0] SMBIOS 2.4 present.
[ 0.000000][ T0] DMI: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 0.000000][ T0] Hypervisor detected: KVM
[ 0.000000][ T0] kvm-clock: Using msrs 4b564d01 and 4b564d00
[ 0.000003][ T0] kvm-clock: using sched offset of 5153303706 cycles
[ 0.001086][ T0] clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[ 0.003954][ T0] tsc: Detected 2200.216 MHz processor
[ 0.012544][ T0] last_pfn = 0x240000 max_arch_pfn = 0x400000000
[ 0.013618][ T0] MTRR map: 4 entries (3 fixed + 1 variable; max 19), built from 8 variable MTRRs
[ 0.015300][ T0] x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
[ 0.017481][ T0] last_pfn = 0xbfffd max_arch_pfn = 0x400000000
[ 0.027560][ T0] found SMP MP-table at [mem 0x000f2b30-0x000f2b3f]
[ 0.028659][ T0] Using GB pages for direct mapping
[ 0.033219][ T0] ACPI: Early table checksum verification disabled
[ 0.034618][ T0] ACPI: RSDP 0x00000000000F28B0 000014 (v00 Google)
[ 0.035659][ T0] ACPI: RSDT 0x00000000BFFFFFA0 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001)
[ 0.037398][ T0] ACPI: FACP 0x00000000BFFFF330 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001)
[ 0.039003][ T0] ACPI: DSDT 0x00000000BFFFD8C0 001A64 (v01 Google GOOGDSDT 00000001 GOOG 00000001)
[ 0.040359][ T0] ACPI: FACS 0x00000000BFFFD880 000040
[ 0.041097][ T0] ACPI: FACS 0x00000000BFFFD880 000040
[ 0.041980][ T0] ACPI: SRAT 0x00000000BFFFFE60 0000C8 (v03 Google GOOGSRAT 00000001 GOOG 00000001)
[ 0.043346][ T0] ACPI: APIC 0x00000000BFFFFDB0 000076 (v05 Google GOOGAPIC 00000001 GOOG 00000001)
[ 0.044582][ T0] ACPI: SSDT 0x00000000BFFFF430 000980 (v01 Google GOOGSSDT 00000001 GOOG 00000001)
[ 0.045985][ T0] ACPI: WAET 0x00000000BFFFFE30 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001)
[ 0.047351][ T0] ACPI: Reserving FACP table memory at [mem 0xbffff330-0xbffff423]
[ 0.048937][ T0] ACPI: Reserving DSDT table memory at [mem 0xbfffd8c0-0xbffff323]
[ 0.050561][ T0] ACPI: Reserving FACS table memory at [mem 0xbfffd880-0xbfffd8bf]
[ 0.052024][ T0] ACPI: Reserving FACS table memory at [mem 0xbfffd880-0xbfffd8bf]
[ 0.054095][ T0] ACPI: Reserving SRAT table memory at [mem 0xbffffe60-0xbfffff27]
[ 0.055778][ T0] ACPI: Reserving APIC table memory at [mem 0xbffffdb0-0xbffffe25]
[ 0.057487][ T0] ACPI: Reserving SSDT table memory at [mem 0xbffff430-0xbffffdaf]
[ 0.058984][ T0] ACPI: Reserving WAET table memory at [mem 0xbffffe30-0xbffffe57]
[ 0.060489][ T0] SRAT: PXM 0 -> APIC 0x00 -> Node 0
[ 0.061266][ T0] SRAT: PXM 0 -> APIC 0x01 -> Node 0
[ 0.062785][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00000000-0x0009ffff]
[ 0.063922][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00100000-0xbfffffff]
[ 0.064925][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0x23fffffff]
[ 0.066998][ T0] NUMA: Node 0 [mem 0x00000000-0x0009ffff] + [mem 0x00100000-0xbfffffff] -> [mem 0x00000000-0xbfffffff]
[ 0.069122][ T0] NUMA: Node 0 [mem 0x00000000-0xbfffffff] + [mem 0x100000000-0x23fffffff] -> [mem 0x00000000-0x23fffffff]
[ 0.072308][ T0] Faking node 0 at [mem 0x0000000000000000-0x000000013fffffff] (5120MB)
[ 0.073610][ T0] Faking node 1 at [mem 0x0000000140000000-0x000000023fffffff] (4096MB)
[ 0.075523][ T0] NODE_DATA(0) allocated [mem 0x13fffa000-0x13fffffff]
[ 0.077223][ T0] NODE_DATA(1) allocated [mem 0x23fff7000-0x23fffcfff]
[ 0.099389][ T0] Zone ranges:
[ 0.100124][ T0] DMA [mem 0x0000000000001000-0x0000000000ffffff]
[ 0.101317][ T0] DMA32 [mem 0x0000000001000000-0x00000000ffffffff]
[ 0.102407][ T0] Normal [mem 0x0000000100000000-0x000000023fffffff]
[ 0.103767][ T0] Device empty
[ 0.104523][ T0] Movable zone start for each node
[ 0.105484][ T0] Early memory node ranges
[ 0.106357][ T0] node 0: [mem 0x0000000000001000-0x000000000009efff]
[ 0.108165][ T0] node 0: [mem 0x0000000000100000-0x00000000bfffcfff]
[ 0.109573][ T0] node 0: [mem 0x0000000100000000-0x000000013fffffff]
[ 0.111909][ T0] node 1: [mem 0x0000000140000000-0x000000023fffffff]
[ 0.113415][ T0] Initmem setup node 0 [mem 0x0000000000001000-0x000000013fffffff]
[ 0.114895][ T0] Initmem setup node 1 [mem 0x0000000140000000-0x000000023fffffff]
[ 0.117326][ T0] On node 0, zone DMA: 1 pages in unavailable ranges
[ 0.119218][ T0] On node 0, zone DMA: 97 pages in unavailable ranges
[ 0.237797][ T0] On node 0, zone Normal: 3 pages in unavailable ranges
[ 0.358350][ T0] ACPI: PM-Timer IO Port: 0xb008
[ 0.359640][ T0] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[ 0.361094][ T0] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
[ 0.362910][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[ 0.364846][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[ 0.367290][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[ 0.368838][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[ 0.370212][ T0] ACPI: Using ACPI (MADT) for SMP configuration information
[ 0.372153][ T0] smpboot: Allowing 2 CPUs, 0 hotplug CPUs
[ 0.373444][ T0] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[ 0.375100][ T0] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x0009ffff]
[ 0.376564][ T0] PM: hibernation: Registered nosave memory: [mem 0x000a0000-0x000effff]
[ 0.378142][ T0] PM: hibernation: Registered nosave memory: [mem 0x000f0000-0x000fffff]
[ 0.380236][ T0] PM: hibernation: Registered nosave memory: [mem 0xbfffd000-0xbfffffff]
[ 0.382549][ T0] PM: hibernation: Registered nosave memory: [mem 0xc0000000-0xfffbbfff]
[ 0.384533][ T0] PM: hibernation: Registered nosave memory: [mem 0xfffbc000-0xffffffff]
[ 0.385732][ T0] [mem 0xc0000000-0xfffbbfff] available for PCI devices
[ 0.387502][ T0] Booting paravirtualized kernel on KVM
[ 0.388557][ T0] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.390578][ T0] setup_percpu: NR_CPUS:8 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:2
[ 0.392588][ T0] percpu: Embedded 176 pages/cpu s683016 r8192 d29688 u1048576
[ 0.394942][ T0] Kernel command line: earlyprintk=serial net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 binder.debug_mask=0 rcupdate.rcu_expedited=1 rcupdate.rcu_cpu_stall_cputime=1 no_hash_pointers page_owner=on sysctl.vm.nr_hugepages=4 sysctl.vm.nr_overcommit_hugepages=4 secretmem.enable=1 sysctl.max_rcu_stall_to_panic=1 msr.allow_writes=off coredump_filter=0xffff root=/dev/sda console=ttyS0 vsyscall=native numa=fake=2 kvm-intel.nested=1 spec_store_bypass_disable=prctl nopcid vivid.n_devs=16 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=16 rose.rose_ndevs=16 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=8 kmsan.panic=1 BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[ 0.416529][ T0] Unknown kernel command line parameters "page_owner=on spec_store_bypass_disable=prctl watchdog_thresh=55 BOOT_IMAGE=/boot/bzImage", will be passed to user space.
[ 0.419786][ T0] random: crng init done
[ 0.421090][ T0] Fallback order for Node 0: 0 1
[ 0.421153][ T0] Fallback order for Node 1: 1 0
[ 0.421168][ T0] Built 2 zonelists, mobility grouping on. Total pages: 2055933
[ 0.424825][ T0] Policy zone: Normal
[ 0.425621][ T0] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.689246][ T0] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.691218][ T0] stackdepot hash table entries: 524288 (order: 11, 8388608 bytes, linear)
[ 0.695780][ T0] software IO TLB: area num 2.
[ 0.785270][ T0] Memory: 2335784K/8388204K available (227328K kernel code, 9515K rwdata, 14976K rodata, 4256K init, 2096K bss, 1372684K reserved, 0K cma-reserved)
[ 0.789410][ T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[ 0.790971][ T0] Starting KernelMemorySanitizer
[ 0.791892][ T0] ATTENTION: KMSAN is a debugging tool! Do not use it on production machines!
SeaBIOS (version 1.8.2-google)
Total RAM Size = 0x0000000200000000 = 8192 MiB
CPUs found: 2 Max CPUs supported: 2
SeaBIOS (version 1.8.2-google)
Machine UUID c5e8ef89-17a7-409e-eaf1-2344b557078b
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=4194304 = 2048 MiB
drive 0x000f2870: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304
Sending Seabios boot VM event.
Booting from Hard Disk 0...
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2898975123=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 9bd8dcda8
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9bd8dcda8c7c494d59bd3132a668f4784ea835c6\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14081aa7e80000
Tested on:
commit: ecb1b828 Merge tag 'net-6.8-rc2' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=2a91fdc4fbf06a67
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1294655fe80000
On Fri, Jan 26, 2024 at 2:36 AM 'Edward Adam Davis' via syzkaller-bugs
<[email protected]> wrote:
>
> please test uninit-value in virtqueue_add (4)
Hi Edward,
KMSAN is currently broken at trunk; see
https://lore.kernel.org/linux-mm/[email protected]/
Therefore syzbot is unable to test patches before a couple of changes
reach upstream.
I checked your patch, and it is still triggering the same bug, which
is expected, because there are whole uninitialized pages, and the
patch below only initializes two instances of struct scatterlist that
are unlikely to be cloned to fill those pages.
There must be some non-instrumented code that fills those pages with
data, e.g. a DMA write, an assembly routine or some VM-to-kernel
interaction that KMSAN fails to handle.
>
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3
>
> diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
> index 9d1bdcdc1331..4ca6627a7459 100644
> --- a/drivers/scsi/virtio_scsi.c
> +++ b/drivers/scsi/virtio_scsi.c
> @@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
> size_t req_size, size_t resp_size)
> {
> struct scsi_cmnd *sc = cmd->sc;
> - struct scatterlist *sgs[6], req, resp;
> + struct scatterlist *sgs[6], req = {}, resp = {};
> struct sg_table *out, *in;
> unsigned out_num = 0, in_num = 0;
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
: "cc", "memory", "rax", "rcx");
}
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+ memcpy(to, from, PAGE_SIZE);
+}
+#else
void copy_page(void *to, void *from);
+#endif
#ifdef CONFIG_X86_5LEVEL
/*
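Review bot: The CONFIG_KMSAN branch hand-declares `void *memcpy(void *to, const void *from, __kernel_size_t len);` inside an arch page header instead of taking the declaration from `<linux/string.h>`, so which memcpy the inline `copy_page()` body binds to — the KMSAN-aware one or the raw arch implementation — depends on whether a `memcpy` macro is already defined when this header is parsed, i.e. on include order in each translation unit, which is the very ambiguity the patch is trying to remove. If the callers that matter go through copy_highpage(), upstream already pairs copy_page() with kmsan_copy_page_meta() there, which may be the intended place for shadow/origin propagation rather than replacing the assembly routine; worth confirming before taking this route. The comment at `Use of non-instrumented assembly version confuses KMSAN.` should also say what actually goes wrong, e.g. `/* The asm copy_page() is not instrumented, so KMSAN does not propagate shadow/origin for the copied page; route through memcpy() instead. */`. Keeping the non-const `void *from` to match the existing prototype is fine.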
--
2.34.1
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
d
[ 21.218838][ T1] befs: version: 0.9.3
[ 21.224039][ T1] ocfs2: Registered cluster interface o2cb
[ 21.231409][ T1] ocfs2: Registered cluster interface user
[ 21.238747][ T1] OCFS2 User DLM kernel interface loaded
[ 21.258685][ T1] gfs2: GFS2 installed
[ 21.299341][ T1] ceph: loaded (mds proto 32)
[ 25.455884][ T1] NET: Registered PF_ALG protocol family
[ 25.462173][ T1] xor: automatically using best checksumming function avx
[ 25.470258][ T1] async_tx: api initialized (async)
[ 25.475789][ T1] Key type asymmetric registered
[ 25.480985][ T1] Asymmetric key parser 'x509' registered
[ 25.486893][ T1] Asymmetric key parser 'pkcs8' registered
[ 25.492975][ T1] Key type pkcs7_test registered
[ 25.498812][ T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 240)
[ 25.509132][ T1] io scheduler mq-deadline registered
[ 25.514858][ T1] io scheduler kyber registered
[ 25.520533][ T1] io scheduler bfq registered
[ 25.537345][ T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 25.557878][ T1] ACPI: button: Power Button [PWRF]
[ 25.565475][ T1] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
[ 25.575850][ T1] ACPI: button: Sleep Button [SLPF]
[ 25.599393][ T1] ioatdma: Intel(R) QuickData Technology Driver 5.00
[ 25.688382][ T1] ACPI: \_SB_.LNKC: Enabled at IRQ 11
[ 25.698171][ T1] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
[ 25.773719][ T1] ACPI: \_SB_.LNKD: Enabled at IRQ 10
[ 25.780039][ T1] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
[ 25.858501][ T1] ACPI: \_SB_.LNKB: Enabled at IRQ 10
[ 25.864338][ T1] virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
[ 25.925717][ T1] virtio-pci 0000:00:07.0: virtio_pci: leaving for legacy driver
[ 26.972684][ T1] N_HDLC line discipline registered with maxframe=4096
[ 26.980030][ T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 26.993242][ T1] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[ 27.024320][ T1] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[ 27.054743][ T1] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
[ 27.083834][ T1] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
[ 27.133086][ T1] Non-volatile memory driver v1.3
[ 27.161382][ T1] Linux agpgart interface v0.103
[ 27.177896][ T1] ACPI: bus type drm_connector registered
[ 27.195073][ T1] [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[ 27.215880][ T1] [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
[ 27.690881][ T1] Console: switching to colour frame buffer device 128x48
[ 27.845338][ T1] platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
[ 27.853291][ T1] usbcore: registered new interface driver udl
[ 28.015016][ T1] brd: module loaded
[ 28.195324][ T1] loop: module loaded
[ 28.444871][ T1] zram: Added device: zram0
[ 28.471729][ T1] null_blk: disk nullb0 created
[ 28.476949][ T1] null_blk: module loaded
[ 28.481708][ T1] Guest personality initialized and is inactive
[ 28.489569][ T1] VMCI host device registered (name=vmci, major=10, minor=118)
[ 28.497772][ T1] Initialized host personality
[ 28.503268][ T1] usbcore: registered new interface driver rtsx_usb
[ 28.512421][ T1] usbcore: registered new interface driver viperboard
[ 28.520209][ T1] usbcore: registered new interface driver dln2
[ 28.527820][ T1] usbcore: registered new interface driver pn533_usb
[ 28.540882][ T1] nfcsim 0.2 initialized
[ 28.545800][ T1] usbcore: registered new interface driver port100
[ 28.553465][ T1] usbcore: registered new interface driver nfcmrvl
[ 28.570561][ T1] Loading iSCSI transport class v2.0-870.
[ 28.605596][ T1] virtio_scsi virtio0: 1/0/0 default/read/poll queues
[ 28.652924][ T1] scsi host0: Virtio SCSI HBA
[ 29.190956][ T1] st: Version 20160209, fixed bufsize 32768, s/g segs 256
[ 29.207865][ T26] scsi 0:0:1:0: Direct-Access Google PersistentDisk 1 PQ: 0 ANSI: 6
[ 29.257823][ T1] Rounding down aligned max_sectors from 4294967295 to 4294967288
[ 29.270496][ T1] db_root: cannot open: /etc/target
[ 29.286144][ T1] =====================================================
[ 29.286396][ T1] BUG: KMSAN: use-after-free in __list_del_entry_valid_or_report+0x19e/0x490
[ 29.286565][ T1] __list_del_entry_valid_or_report+0x19e/0x490
[ 29.286657][ T1] stack_depot_save_flags+0x3e7/0x7b0
[ 29.286657][ T1] stack_depot_save+0x12/0x20
[ 29.286842][ T1] ref_tracker_alloc+0x215/0x700
[ 29.286842][ T1] net_rx_queue_update_kobjects+0x1eb/0xa80
[ 29.286842][ T1] netdev_register_kobject+0x30e/0x520
[ 29.286842][ T1] register_netdevice+0x198f/0x2170
[ 29.286842][ T1] bond_create+0x138/0x2a0
[ 29.286842][ T1] bonding_init+0x1a7/0x2d0
[ 29.286842][ T1] do_one_initcall+0x216/0x960
[ 29.286842][ T1] do_initcall_level+0x140/0x350
[ 29.286842][ T1] do_initcalls+0xf0/0x1d0
[ 29.286842][ T1] do_basic_setup+0x22/0x30
[ 29.287955][ T1] kernel_init_freeable+0x300/0x4b0
[ 29.287955][ T1] kernel_init+0x2f/0x7e0
[ 29.287955][ T1] ret_from_fork+0x66/0x80
[ 29.287955][ T1] ret_from_fork_asm+0x11/0x20
[ 29.287955][ T1]
[ 29.287955][ T1] Uninit was created at:
[ 29.287955][ T1] __free_pages_ok+0x133/0xeb0
[ 29.287955][ T1] alloc_pages_exact+0x2f5/0x350
[ 29.287955][ T1] vring_alloc_queue_split+0x2d9/0x990
[ 29.287955][ T1] vring_create_virtqueue_split+0x89/0x380
[ 29.287955][ T1] vring_create_virtqueue+0x101/0x1a0
[ 29.287955][ T1] setup_vq+0x175/0x510
[ 29.287955][ T1] vp_setup_vq+0x103/0x630
[ 29.287955][ T1] vp_find_vqs_msix+0x1162/0x16c0
[ 29.287955][ T1] vp_find_vqs+0x78/0x770
[ 29.287955][ T1] virtscsi_init+0xff7/0x17a0
[ 29.289671][ T1] virtscsi_probe+0x43b/0xfe0
[ 29.289671][ T1] virtio_dev_probe+0x16df/0x1900
[ 29.289671][ T1] really_probe+0x506/0xf40
[ 29.289671][ T1] __driver_probe_device+0x2a7/0x5d0
[ 29.289671][ T1] driver_probe_device+0x72/0x7b0
[ 29.289671][ T1] __driver_attach+0x710/0xa30
[ 29.289671][ T1] bus_for_each_dev+0x34c/0x530
[ 29.289671][ T1] driver_attach+0x51/0x60
[ 29.289671][ T1] bus_add_driver+0x747/0xca0
[ 29.289671][ T1] driver_register+0x3fb/0x650
[ 29.289671][ T1] register_virtio_driver+0xd1/0xf0
[ 29.289671][ T1] virtio_scsi_init+0x123/0x2f0
[ 29.289671][ T1] do_one_initcall+0x216/0x960
[ 29.289671][ T1] do_initcall_level+0x140/0x350
[ 29.289671][ T1] do_initcalls+0xf0/0x1d0
[ 29.289671][ T1] do_basic_setup+0x22/0x30
[ 29.289671][ T1] kernel_init_freeable+0x300/0x4b0
[ 29.289671][ T1] kernel_init+0x2f/0x7e0
[ 29.289671][ T1] ret_from_fork+0x66/0x80
[ 29.289671][ T1] ret_from_fork_asm+0x11/0x20
[ 29.289671][ T1]
[ 29.289671][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc5-syzkaller-00278-g603c04e27c3e-dirty #0
[ 29.289671][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[ 29.289671][ T1] =====================================================
[ 29.289671][ T1] Disabling lock debugging due to kernel taint
[ 29.289671][ T1] Kernel panic - not syncing: kmsan.panic set ...
[ 29.289671][ T1] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G B 6.8.0-rc5-syzkaller-00278-g603c04e27c3e-dirty #0
[ 29.289671][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[ 29.289671][ T1] Call Trace:
[ 29.289671][ T1] <TASK>
[ 29.289671][ T1] dump_stack_lvl+0x1bf/0x240
[ 29.289671][ T1] dump_stack+0x1e/0x20
[ 29.289671][ T1] panic+0x4de/0xc90
[ 29.289671][ T1] kmsan_report+0x2d0/0x2d0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? __msan_warning+0x96/0x110
[ 29.289671][ T1] ? __list_del_entry_valid_or_report+0x19e/0x490
[ 29.289671][ T1] ? stack_depot_save_flags+0x3e7/0x7b0
[ 29.289671][ T1] ? stack_depot_save+0x12/0x20
[ 29.289671][ T1] ? ref_tracker_alloc+0x215/0x700
[ 29.289671][ T1] ? net_rx_queue_update_kobjects+0x1eb/0xa80
[ 29.289671][ T1] ? netdev_register_kobject+0x30e/0x520
[ 29.289671][ T1] ? register_netdevice+0x198f/0x2170
[ 29.289671][ T1] ? bond_create+0x138/0x2a0
[ 29.289671][ T1] ? bonding_init+0x1a7/0x2d0
[ 29.289671][ T1] ? do_one_initcall+0x216/0x960
[ 29.289671][ T1] ? do_initcall_level+0x140/0x350
[ 29.289671][ T1] ? do_initcalls+0xf0/0x1d0
[ 29.289671][ T1] ? do_basic_setup+0x22/0x30
[ 29.289671][ T1] ? kernel_init_freeable+0x300/0x4b0
[ 29.289671][ T1] ? kernel_init+0x2f/0x7e0
[ 29.289671][ T1] ? ret_from_fork+0x66/0x80
[ 29.289671][ T1] ? ret_from_fork_asm+0x11/0x20
[ 29.289671][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 29.289671][ T1] ? _raw_spin_lock_irqsave+0x35/0xc0
[ 29.289671][ T1] ? filter_irq_stacks+0x60/0x1a0
[ 29.289671][ T1] ? stack_depot_save_flags+0x2c/0x7b0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 29.289671][ T1] __msan_warning+0x96/0x110
[ 29.289671][ T1] __list_del_entry_valid_or_report+0x19e/0x490
[ 29.289671][ T1] stack_depot_save_flags+0x3e7/0x7b0
[ 29.289671][ T1] stack_depot_save+0x12/0x20
[ 29.289671][ T1] ref_tracker_alloc+0x215/0x700
[ 29.289671][ T1] ? dev_uevent_filter+0x53/0x110
[ 29.289671][ T1] ? net_rx_queue_update_kobjects+0x1eb/0xa80
[ 29.289671][ T1] ? netdev_register_kobject+0x30e/0x520
[ 29.289671][ T1] ? register_netdevice+0x198f/0x2170
[ 29.289671][ T1] ? bond_create+0x138/0x2a0
[ 29.289671][ T1] ? bonding_init+0x1a7/0x2d0
[ 29.289671][ T1] ? do_one_initcall+0x216/0x960
[ 29.289671][ T1] ? do_initcall_level+0x140/0x350
[ 29.289671][ T1] ? do_initcalls+0xf0/0x1d0
[ 29.289671][ T1] ? do_basic_setup+0x22/0x30
[ 29.289671][ T1] ? kernel_init_freeable+0x300/0x4b0
[ 29.289671][ T1] ? kernel_init+0x2f/0x7e0
[ 29.289671][ T1] ? ret_from_fork+0x66/0x80
[ 29.289671][ T1] ? ret_from_fork_asm+0x11/0x20
[ 29.289671][ T1] ? kmsan_internal_unpoison_memory+0x14/0x20
[ 29.289671][ T1] net_rx_queue_update_kobjects+0x1eb/0xa80
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] netdev_register_kobject+0x30e/0x520
[ 29.289671][ T1] register_netdevice+0x198f/0x2170
[ 29.289671][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 29.289671][ T1] bond_create+0x138/0x2a0
[ 29.289671][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 29.289671][ T1] bonding_init+0x1a7/0x2d0
[ 29.289671][ T1] ? spi_dln2_driver_init+0x40/0x40
[ 29.289671][ T1] do_one_initcall+0x216/0x960
[ 29.289671][ T1] ? spi_dln2_driver_init+0x40/0x40
[ 29.289671][ T1] ? kmsan_get_metadata+0x80/0x1c0
[ 29.289671][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 29.289671][ T1] ? filter_irq_stacks+0x164/0x1a0
[ 29.289671][ T1] ? stack_depot_save_flags+0x2c/0x7b0
[ 29.289671][ T1] ? skip_spaces+0x8f/0xc0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 29.289671][ T1] ? parse_args+0x1511/0x15e0
[ 29.289671][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 29.289671][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 29.289671][ T1] ? spi_dln2_driver_init+0x40/0x40
[ 29.289671][ T1] do_initcall_level+0x140/0x350
[ 29.289671][ T1] do_initcalls+0xf0/0x1d0
[ 29.289671][ T1] ? arch_cpuhp_init_parallel_bringup+0xe0/0xe0
[ 29.289671][ T1] do_basic_setup+0x22/0x30
[ 29.289671][ T1] kernel_init_freeable+0x300/0x4b0
[ 29.289671][ T1] ? rest_init+0x260/0x260
[ 29.289671][ T1] kernel_init+0x2f/0x7e0
[ 29.289671][ T1] ? rest_init+0x260/0x260
[ 29.289671][ T1] ret_from_fork+0x66/0x80
[ 29.289671][ T1] ? rest_init+0x260/0x260
[ 29.289671][ T1] ret_from_fork_asm+0x11/0x20
[ 29.289671][ T1] </TASK>
[ 29.289671][ T1] Kernel Offset: disabled
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4072519577=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 9bd8dcda8
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9bd8dcda8c7c494d59bd3132a668f4784ea835c6\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1409f29a180000
Tested on:
commit: 603c04e2 Merge tag 'parisc-for-6.8-rc6' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=d33318d4e4a0d226
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=164e2a9a180000
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
: "cc", "memory", "rax", "rcx");
}
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+ memcpy(to, from, PAGE_SIZE);
+}
+#else
void copy_page(void *to, void *from);
+#endif
#ifdef CONFIG_X86_5LEVEL
/*
diff --git a/lib/stackdepot.c b/lib/stackdepot.c
index 5caa1f566553..48277029c282 100644
--- a/lib/stackdepot.c
+++ b/lib/stackdepot.c
@@ -592,22 +592,27 @@ static inline struct stack_record *find_stack(struct list_head *bucket,
/*
* This may race with depot_free_stack() accessing the freelist
- * management state unioned with @entries. The refcount is zero
- * in that case and the below refcount_inc_not_zero() will fail.
+ * management state unioned with @entries.
*/
if (data_race(stackdepot_memcmp(entries, stack->entries, size)))
continue;
/*
- * Try to increment refcount. If this succeeds, the stack record
- * is valid and has not yet been freed.
+ * Check if an invalid record had the same {hash, size, entries}
+ * by testing whether the refcount is already 0.
+ * Also, try to increment refcount if STACK_DEPOT_FLAG_GET is used.
*
* If STACK_DEPOT_FLAG_GET is not used, it is undefined behavior
* to then call stack_depot_put() later, and we can assume that
* a stack record is never placed back on the freelist.
*/
- if ((flags & STACK_DEPOT_FLAG_GET) && !refcount_inc_not_zero(&stack->count))
- continue;
+ if (flags & STACK_DEPOT_FLAG_GET) {
+ if (!refcount_inc_not_zero(&stack->count))
+ continue;
+ } else {
+ if (!refcount_read(&stack->count))
+ continue;
+ }
ret = stack;
break;
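Review bot: The new `else` branch reads `stack->count` with a plain `refcount_read()` while depot_free_stack() may concurrently be dropping the same record, so it is a data race of exactly the kind the comment above the memcmp already acknowledges; it should be marked the same way, `if (!data_race(refcount_read(&stack->count))) continue;`, or the comment at `Check if an invalid record had the same` should state why the race is benign here. Note also that this check is only a snapshot: if GET and non-GET users can observe the same record, a count that is non-zero at the read can still drop to zero before the caller dereferences `ret`, so the change narrows the window rather than closing it, and the comment should say so rather than imply the record is validated. The enclosing list walk and find_stack() itself begin and end outside the hunk.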
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
t_init: NFSv4 File Layout Driver Registering...
[ 20.471049][ T1] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[ 20.505263][ T1] Key type cifs.spnego registered
[ 20.511376][ T1] Key type cifs.idmap registered
[ 20.520289][ T1] ntfs: driver 2.1.32 [Flags: R/W].
[ 20.527115][ T1] ntfs3: Max link count 4000
[ 20.531960][ T1] ntfs3: Enabled Linux POSIX ACLs support
[ 20.538483][ T1] ntfs3: Read-only LZX/Xpress compression included
[ 20.545508][ T1] efs: 1.0a - http://aeschi.ch.eu.org/efs/
[ 20.551729][ T1] romfs: ROMFS MTD (C) 2007 Red Hat, Inc.
[ 20.557831][ T1] QNX4 filesystem 0.2.3 registered.
[ 20.563340][ T1] qnx6: QNX6 filesystem 1.0.0 registered.
[ 20.570536][ T1] fuse: init (API version 7.39)
[ 20.571734][ T101] kworker/u4:2 (101) used greatest stack depth: 11288 bytes left
[ 20.581752][ T1] orangefs_debugfs_init: called with debug mask: :none: :0:
[ 20.592075][ T1] orangefs_init: module version upstream loaded
[ 20.600151][ T1] JFS: nTxBlock = 8192, nTxLock = 65536
[ 20.639154][ T1] SGI XFS with ACLs, security attributes, realtime, quota, no debug enabled
[ 20.657570][ T1] 9p: Installing v9fs 9p2000 file system support
[ 20.665095][ T1] NILFS version 2 loaded
[ 20.669396][ T1] befs: version: 0.9.3
[ 20.674578][ T1] ocfs2: Registered cluster interface o2cb
[ 20.681669][ T1] ocfs2: Registered cluster interface user
[ 20.688930][ T1] OCFS2 User DLM kernel interface loaded
[ 20.707749][ T1] gfs2: GFS2 installed
[ 20.744474][ T1] ceph: loaded (mds proto 32)
[ 24.874084][ T1] NET: Registered PF_ALG protocol family
[ 24.880210][ T1] xor: automatically using best checksumming function avx
[ 24.888295][ T1] async_tx: api initialized (async)
[ 24.893754][ T1] Key type asymmetric registered
[ 24.898745][ T1] Asymmetric key parser 'x509' registered
[ 24.904660][ T1] Asymmetric key parser 'pkcs8' registered
[ 24.910541][ T1] Key type pkcs7_test registered
[ 24.916242][ T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 240)
[ 24.926204][ T1] io scheduler mq-deadline registered
[ 24.931648][ T1] io scheduler kyber registered
[ 24.937150][ T1] io scheduler bfq registered
[ 24.953833][ T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 24.971277][ T1] ACPI: button: Power Button [PWRF]
[ 24.979332][ T1] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
[ 24.989840][ T1] ACPI: button: Sleep Button [SLPF]
[ 25.012119][ T1] ioatdma: Intel(R) QuickData Technology Driver 5.00
[ 25.095202][ T1] ACPI: \_SB_.LNKC: Enabled at IRQ 11
[ 25.101026][ T1] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
[ 25.175231][ T1] ACPI: \_SB_.LNKD: Enabled at IRQ 10
[ 25.180945][ T1] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
[ 25.256940][ T1] ACPI: \_SB_.LNKB: Enabled at IRQ 10
[ 25.262845][ T1] virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
[ 25.319638][ T1] virtio-pci 0000:00:07.0: virtio_pci: leaving for legacy driver
[ 25.380117][ T192] kworker/u4:2 (192) used greatest stack depth: 11000 bytes left
[ 25.419761][ T216] kworker/u4:4 (216) used greatest stack depth: 10880 bytes left
[ 26.330623][ T1] N_HDLC line discipline registered with maxframe=4096
[ 26.337903][ T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 26.350042][ T1] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[ 26.379363][ T1] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[ 26.408213][ T1] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
[ 26.436415][ T1] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
[ 26.484205][ T1] Non-volatile memory driver v1.3
[ 26.510889][ T1] Linux agpgart interface v0.103
[ 26.525992][ T1] ACPI: bus type drm_connector registered
[ 26.541877][ T1] [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[ 26.561354][ T1] [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
[ 27.039310][ T1] Console: switching to colour frame buffer device 128x48
[ 27.194448][ T1] platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
[ 27.202140][ T1] usbcore: registered new interface driver udl
[ 27.363686][ T1] brd: module loaded
[ 27.533426][ T1] loop: module loaded
[ 27.781686][ T1] zram: Added device: zram0
[ 27.803872][ T1] null_blk: disk nullb0 created
[ 27.808850][ T1] null_blk: module loaded
[ 27.813612][ T1] Guest personality initialized and is inactive
[ 27.821083][ T1] VMCI host device registered (name=vmci, major=10, minor=118)
[ 27.828876][ T1] Initialized host personality
[ 27.835427][ T1] usbcore: registered new interface driver rtsx_usb
[ 27.843793][ T1] usbcore: registered new interface driver viperboard
[ 27.851479][ T1] usbcore: registered new interface driver dln2
[ 27.858605][ T1] usbcore: registered new interface driver pn533_usb
[ 27.871594][ T1] nfcsim 0.2 initialized
[ 27.876318][ T1] usbcore: registered new interface driver port100
[ 27.883331][ T1] usbcore: registered new interface driver nfcmrvl
[ 27.899548][ T1] Loading iSCSI transport class v2.0-870.
[ 27.935492][ T1] virtio_scsi virtio0: 1/0/0 default/read/poll queues
[ 27.968598][ T1] scsi host0: Virtio SCSI HBA
[ 28.484347][ T1] st: Version 20160209, fixed bufsize 32768, s/g segs 256
[ 28.491538][ T26] scsi 0:0:1:0: Direct-Access Google PersistentDisk 1 PQ: 0 ANSI: 6
[ 28.563800][ T1] Rounding down aligned max_sectors from 4294967295 to 4294967288
[ 28.574157][ T1] db_root: cannot open: /etc/target
[ 28.623965][ T1] =====================================================
[ 28.624202][ T1] BUG: KMSAN: use-after-free in __list_del_entry_valid_or_report+0x19e/0x490
[ 28.624362][ T1] __list_del_entry_valid_or_report+0x19e/0x490
[ 28.624516][ T1] stack_depot_save_flags+0x3e2/0x7a0
[ 28.624621][ T1] stack_depot_save+0x12/0x20
[ 28.624709][ T1] ref_tracker_alloc+0x215/0x700
[ 28.624801][ T1] netdev_hold+0xe2/0x120
[ 28.624916][ T1] register_netdevice+0x1bc7/0x2170
[ 28.625022][ T1] bond_create+0x138/0x2a0
[ 28.625148][ T1] bonding_init+0x1a7/0x2d0
[ 28.625247][ T1] do_one_initcall+0x216/0x960
[ 28.625348][ T1] do_initcall_level+0x140/0x350
[ 28.625453][ T1] do_initcalls+0xf0/0x1d0
[ 28.625556][ T1] do_basic_setup+0x22/0x30
[ 28.625649][ T1] kernel_init_freeable+0x300/0x4b0
[ 28.625757][ T1] kernel_init+0x2f/0x7e0
[ 28.625871][ T1] ret_from_fork+0x66/0x80
[ 28.625991][ T1] ret_from_fork_asm+0x11/0x20
[ 28.626101][ T1]
[ 28.626114][ T1] Uninit was created at:
[ 28.626277][ T1] free_unref_page_prepare+0xc1/0xad0
[ 28.626418][ T1] free_unref_page+0x58/0x6d0
[ 28.626549][ T1] __free_pages+0xb1/0x1f0
[ 28.626626][ T1] thread_stack_free_rcu+0x97/0xb0
[ 28.626721][ T1] rcu_core+0xa3c/0x1df0
[ 28.626843][ T1] rcu_core_si+0x12/0x20
[ 28.626950][ T1] __do_softirq+0x1b7/0x7c3
[ 28.627080][ T1]
[ 28.627096][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc5-syzkaller-00278-g603c04e27c3e-dirty #0
[ 28.627194][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[ 28.627246][ T1] =====================================================
[ 28.627270][ T1] Disabling lock debugging due to kernel taint
[ 28.627299][ T1] Kernel panic - not syncing: kmsan.panic set ...
[ 28.627335][ T1] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G B 6.8.0-rc5-syzkaller-00278-g603c04e27c3e-dirty #0
[ 28.627441][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[ 28.627493][ T1] Call Trace:
[ 28.627520][ T1] <TASK>
[ 28.627548][ T1] dump_stack_lvl+0x1bf/0x240
[ 28.627651][ T1] dump_stack+0x1e/0x20
[ 28.627733][ T1] panic+0x4de/0xc90
[ 28.627875][ T1] kmsan_report+0x2d0/0x2d0
[ 28.627974][ T1] ? cleanup_uevent_env+0x40/0x50
[ 28.628108][ T1] ? netdev_queue_update_kobjects+0x3f5/0x870
[ 28.628237][ T1] ? netdev_register_kobject+0x41e/0x520
[ 28.628357][ T1] ? register_netdevice+0x198f/0x2170
[ 28.628473][ T1] ? __msan_warning+0x96/0x110
[ 28.628609][ T1] ? __list_del_entry_valid_or_report+0x19e/0x490
[ 28.628762][ T1] ? stack_depot_save_flags+0x3e2/0x7a0
[ 28.628872][ T1] ? stack_depot_save+0x12/0x20
[ 28.628971][ T1] ? ref_tracker_alloc+0x215/0x700
[ 28.629069][ T1] ? netdev_hold+0xe2/0x120
[ 28.629172][ T1] ? register_netdevice+0x1bc7/0x2170
[ 28.629287][ T1] ? bond_create+0x138/0x2a0
[ 28.629416][ T1] ? bonding_init+0x1a7/0x2d0
[ 28.629523][ T1] ? do_one_initcall+0x216/0x960
[ 28.629638][ T1] ? do_initcall_level+0x140/0x350
[ 28.629749][ T1] ? do_initcalls+0xf0/0x1d0
[ 28.629852][ T1] ? do_basic_setup+0x22/0x30
[ 28.629955][ T1] ? kernel_init_freeable+0x300/0x4b0
[ 28.630064][ T1] ? kernel_init+0x2f/0x7e0
[ 28.630180][ T1] ? ret_from_fork+0x66/0x80
[ 28.630304][ T1] ? ret_from_fork_asm+0x11/0x20
[ 28.630420][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 28.630527][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.630619][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.630710][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.630805][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 28.630913][ T1] ? filter_irq_stacks+0x60/0x1a0
[ 28.631030][ T1] ? stack_depot_save_flags+0x2c/0x7a0
[ 28.631140][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.631239][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.631330][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.631426][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 28.631538][ T1] __msan_warning+0x96/0x110
[ 28.631674][ T1] __list_del_entry_valid_or_report+0x19e/0x490
[ 28.631838][ T1] stack_depot_save_flags+0x3e2/0x7a0
[ 28.631958][ T1] stack_depot_save+0x12/0x20
[ 28.632058][ T1] ref_tracker_alloc+0x215/0x700
[ 28.632169][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.632260][ T1] ? netdev_hold+0xe2/0x120
[ 28.632365][ T1] ? register_netdevice+0x1bc7/0x2170
[ 28.632438][ T1] ? bond_create+0x138/0x2a0
[ 28.632438][ T1] ? bonding_init+0x1a7/0x2d0
[ 28.632438][ T1] ? do_one_initcall+0x216/0x960
[ 28.632438][ T1] ? do_initcall_level+0x140/0x350
[ 28.632900][ T1] ? do_initcalls+0xf0/0x1d0
[ 28.632900][ T1] ? do_basic_setup+0x22/0x30
[ 28.632900][ T1] ? kernel_init_freeable+0x300/0x4b0
[ 28.632900][ T1] ? kernel_init+0x2f/0x7e0
[ 28.632900][ T1] ? ret_from_fork+0x66/0x80
[ 28.632900][ T1] ? ret_from_fork_asm+0x11/0x20
[ 28.632900][ T1] ? kmsan_internal_unpoison_memory+0x14/0x20
[ 28.633734][ T1] netdev_hold+0xe2/0x120
[ 28.633734][ T1] register_netdevice+0x1bc7/0x2170
[ 28.633970][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 28.633970][ T1] bond_create+0x138/0x2a0
[ 28.633970][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 28.633970][ T1] bonding_init+0x1a7/0x2d0
[ 28.633970][ T1] ? spi_dln2_driver_init+0x40/0x40
[ 28.633970][ T1] do_one_initcall+0x216/0x960
[ 28.633970][ T1] ? spi_dln2_driver_init+0x40/0x40
[ 28.634792][ T1] ? kmsan_get_metadata+0x80/0x1c0
[ 28.634802][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 28.634802][ T1] ? filter_irq_stacks+0x60/0x1a0
[ 28.634802][ T1] ? stack_depot_save_flags+0x2c/0x7a0
[ 28.634802][ T1] ? skip_spaces+0x8f/0xc0
[ 28.634802][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.634802][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.634802][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 28.635636][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.635636][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 28.635636][ T1] ? parse_args+0x1511/0x15e0
[ 28.635636][ T1] ? kmsan_get_metadata+0x146/0x1c0
[ 28.635636][ T1] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[ 28.635636][ T1] ? spi_dln2_driver_init+0x40/0x40
[ 28.635636][ T1] do_initcall_level+0x140/0x350
[ 28.635636][ T1] do_initcalls+0xf0/0x1d0
[ 28.636461][ T1] ? arch_cpuhp_init_parallel_bringup+0xe0/0xe0
[ 28.636461][ T1] do_basic_setup+0x22/0x30
[ 28.636461][ T1] kernel_init_freeable+0x300/0x4b0
[ 28.636461][ T1] ? rest_init+0x260/0x260
[ 28.636461][ T1] kernel_init+0x2f/0x7e0
[ 28.636461][ T1] ? rest_init+0x260/0x260
[ 28.636461][ T1] ret_from_fork+0x66/0x80
[ 28.637299][ T1] ? rest_init+0x260/0x260
[ 28.637299][ T1] ret_from_fork_asm+0x11/0x20
[ 28.637299][ T1] </TASK>
[ 28.637299][ T1] Kernel Offset: disabled
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1437193816=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 9bd8dcda8
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9bd8dcda8c7c494d59bd3132a668f4784ea835c6\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1423a4ac180000
Tested on:
commit: 603c04e2 Merge tag 'parisc-for-6.8-rc6' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=d33318d4e4a0d226
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17a12a30180000
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
: "cc", "memory", "rax", "rcx");
}
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+ memcpy(to, from, PAGE_SIZE);
+}
+#else
void copy_page(void *to, void *from);
+#endif
#ifdef CONFIG_X86_5LEVEL
/*
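Review bot: The comment on the new KMSAN branch, "Use of non-instrumented assembly version confuses KMSAN", names the symptom but not the mechanism, and the bare `memcpy()` prototype just below it has no stated reason for existing; expand it to `/* copy_page() is assembly, which KMSAN cannot instrument, so the destination's shadow would stay stale after the copy; route through the instrumented memcpy() instead. Declared here rather than via linux/string.h to keep this header include-light. */` (the include-cycle motivation is my inference, please confirm). Without that the next reader will be tempted to "clean up" the prototype or restore the asm path. The same hunk recurs unchanged in each later `#syz test` request in this thread that carries arch/x86/include/asm/page_64.h.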
--
2.34.1
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in virtqueue_add
=====================================================
BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
__virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
__blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
kthread+0x3ed/0x540 kernel/kthread.c:388
ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
__filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
generic_perform_write+0x3f5/0xc40 mm/filemap.c:3927
ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
ext4_file_write_iter+0x20f/0x3460
__kernel_write_iter+0x329/0x930 fs/read_write.c:517
dump_emit_page fs/coredump.c:888 [inline]
dump_user_range+0x593/0xcd0 fs/coredump.c:915
elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
do_coredump+0x32c9/0x4920 fs/coredump.c:764
get_signal+0x2185/0x2d10 kernel/signal.c:2890
arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
irqentry_exit+0x16/0x40 kernel/entry/common.c:412
exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
Bytes 0-4095 of 4096 are uninitialized
Memory access of size 4096 starts at ffff88803438f000
CPU: 0 PID: 51 Comm: kworker/0:1H Not tainted 6.7.0-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: kblockd blk_mq_run_work_fn
=====================================================
Tested on:
commit: 0dd3ee31 Linux 6.7
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
console output: https://syzkaller.appspot.com/x/log.txt?x=147162c4180000
kernel config: https://syzkaller.appspot.com/x/.config?x=373206b1ae2fe3d4
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12a294c4180000
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
: "cc", "memory", "rax", "rcx");
}
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+ memcpy(to, from, PAGE_SIZE);
+}
+#else
void copy_page(void *to, void *from);
+#endif
#ifdef CONFIG_X86_5LEVEL
/*
diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c
index 5d6e2dee5692..0b09daa188ef 100644
--- a/mm/kmsan/hooks.c
+++ b/mm/kmsan/hooks.c
@@ -359,6 +359,12 @@ void kmsan_handle_dma_sg(struct scatterlist *sg, int nents,
}
/* Functions from kmsan-checks.h follow. */
+
+/*
+ * To create an origin, kmsan_poison_memory() unwinds the stacks and stores it
+ * into the stack depot. This may cause deadlocks if done from within KMSAN
+ * runtime, therefore we bail out if kmsan_in_runtime().
+ */
void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
{
if (!kmsan_enabled || kmsan_in_runtime())
@@ -371,47 +377,31 @@ void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
}
EXPORT_SYMBOL(kmsan_poison_memory);
+/*
+ * Unlike kmsan_poison_memory(), this function can be used from within KMSAN
+ * runtime, because it does not trigger allocations or call instrumented code.
+ */
void kmsan_unpoison_memory(const void *address, size_t size)
{
unsigned long ua_flags;
- if (!kmsan_enabled || kmsan_in_runtime())
+ if (!kmsan_enabled)
return;
ua_flags = user_access_save();
- kmsan_enter_runtime();
/* The users may want to poison/unpoison random memory. */
kmsan_internal_unpoison_memory((void *)address, size,
KMSAN_POISON_NOCHECK);
- kmsan_leave_runtime();
user_access_restore(ua_flags);
}
EXPORT_SYMBOL(kmsan_unpoison_memory);
/*
- * Version of kmsan_unpoison_memory() that can be called from within the KMSAN
- * runtime.
- *
- * Non-instrumented IRQ entry functions receive struct pt_regs from assembly
- * code. Those regs need to be unpoisoned, otherwise using them will result in
- * false positives.
- * Using kmsan_unpoison_memory() is not an option in entry code, because the
- * return value of in_task() is inconsistent - as a result, certain calls to
- * kmsan_unpoison_memory() are ignored. kmsan_unpoison_entry_regs() ensures that
- * the registers are unpoisoned even if kmsan_in_runtime() is true in the early
- * entry code.
+ * Version of kmsan_unpoison_memory() called from IRQ entry functions.
*/
void kmsan_unpoison_entry_regs(const struct pt_regs *regs)
{
- unsigned long ua_flags;
-
- if (!kmsan_enabled)
- return;
-
- ua_flags = user_access_save();
- kmsan_internal_unpoison_memory((void *)regs, sizeof(*regs),
- KMSAN_POISON_NOCHECK);
- user_access_restore(ua_flags);
+ kmsan_unpoison_memory((void *)regs, sizeof(*regs));
}
void kmsan_check_memory(const void *addr, size_t size)
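Review bot: Dropping the `kmsan_in_runtime()` bail-out and the `kmsan_enter_runtime()`/`kmsan_leave_runtime()` pair in `kmsan_unpoison_memory()` rests on the new comment's claim that `kmsan_internal_unpoison_memory()` neither allocates nor calls instrumented code, yet that guarantee is recorded only on the caller; put it on `kmsan_internal_unpoison_memory()` itself (or its declaration) so a later change to that helper cannot silently invalidate the re-entrancy here. The removed block on `kmsan_unpoison_entry_regs()` explained why entry code could not use `kmsan_unpoison_memory()` (in_task() being inconsistent there); the replacement one-liner loses that, so keep something like `* Called from non-instrumented IRQ entry code, where kmsan_in_runtime() may already be true; relies on kmsan_unpoison_memory() not checking it.` The same two hunks recur unchanged in the later `#syz test` requests in this thread that carry mm/kmsan/hooks.c.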
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in virtqueue_add
=====================================================
BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
__virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
__blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
kthread+0x3ed/0x540 kernel/kthread.c:388
ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
__filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
generic_perform_write+0x3f5/0xc40 mm/filemap.c:3927
ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
ext4_file_write_iter+0x20f/0x3460
__kernel_write_iter+0x329/0x930 fs/read_write.c:517
dump_emit_page fs/coredump.c:888 [inline]
dump_user_range+0x593/0xcd0 fs/coredump.c:915
elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
do_coredump+0x32c9/0x4920 fs/coredump.c:764
get_signal+0x2185/0x2d10 kernel/signal.c:2890
arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
irqentry_exit+0x16/0x40 kernel/entry/common.c:412
exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
Bytes 0-4095 of 4096 are uninitialized
Memory access of size 4096 starts at ffff888037212000
CPU: 1 PID: 51 Comm: kworker/1:1H Not tainted 6.7.0-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: kblockd blk_mq_run_work_fn
=====================================================
Tested on:
commit: 0dd3ee31 Linux 6.7
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
console output: https://syzkaller.appspot.com/x/log.txt?x=1462a106180000
kernel config: https://syzkaller.appspot.com/x/.config?x=373206b1ae2fe3d4
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1455d9d8180000
please test uninit-value in virtqueue_add (4)
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 9d1bdcdc1331..4ca6627a7459 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
size_t req_size, size_t resp_size)
{
struct scsi_cmnd *sc = cmd->sc;
- struct scatterlist *sgs[6], req, resp;
+ struct scatterlist *sgs[6], req = {}, resp = {};
struct sg_table *out, *in;
unsigned out_num = 0, in_num = 0;
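Review bot: Zero-initializing `req` and `resp` cannot address the report this thread is about: the "Uninit was created at" trace points at page data returned by `__alloc_pages()`, and the flagged access covers the whole payload ("Bytes 0-4095 of 4096"), not the `struct scatterlist` headers declared here. The syzbot reply that follows this request shows the same warning still firing (now on a 1024-byte range), which is consistent with a stale shadow on the coredump page rather than an uninitialized local. If the `= {}` initializers are kept as hygiene, the submission should say they are unrelated to the KMSAN report. `__virtscsi_add_cmd()` starts before the hunk and continues after it.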
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in virtqueue_add
=====================================================
BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
__virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
virtscsi_add_cmd+0x817/0xa90 drivers/scsi/virtio_scsi.c:501
virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
__blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
kthread+0x3ed/0x540 kernel/kthread.c:388
ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
__filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
generic_perform_write+0x3f5/0xc40 mm/filemap.c:3927
ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
ext4_file_write_iter+0x20f/0x3460
__kernel_write_iter+0x329/0x930 fs/read_write.c:517
dump_emit_page fs/coredump.c:888 [inline]
dump_user_range+0x593/0xcd0 fs/coredump.c:915
elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
do_coredump+0x32c9/0x4920 fs/coredump.c:764
get_signal+0x2185/0x2d10 kernel/signal.c:2890
arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
irqentry_exit+0x16/0x40 kernel/entry/common.c:412
exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
Bytes 0-1023 of 1024 are uninitialized
Memory access of size 1024 starts at ffff88801e7d9c00
CPU: 0 PID: 52 Comm: kworker/0:1H Not tainted 6.7.0-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: kblockd blk_mq_run_work_fn
=====================================================
Tested on:
commit: 0dd3ee31 Linux 6.7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
console output: https://syzkaller.appspot.com/x/log.txt?x=15dee522180000
kernel config: https://syzkaller.appspot.com/x/.config?x=373206b1ae2fe3d4
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1524ca02180000
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: [email protected]
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
: "cc", "memory", "rax", "rcx");
}
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+ memcpy(to, from, PAGE_SIZE);
+}
+#else
void copy_page(void *to, void *from);
+#endif
#ifdef CONFIG_X86_5LEVEL
/*
diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c
index 5d6e2dee5692..0b09daa188ef 100644
--- a/mm/kmsan/hooks.c
+++ b/mm/kmsan/hooks.c
@@ -359,6 +359,12 @@ void kmsan_handle_dma_sg(struct scatterlist *sg, int nents,
}
/* Functions from kmsan-checks.h follow. */
+
+/*
+ * To create an origin, kmsan_poison_memory() unwinds the stacks and stores it
+ * into the stack depot. This may cause deadlocks if done from within KMSAN
+ * runtime, therefore we bail out if kmsan_in_runtime().
+ */
void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
{
if (!kmsan_enabled || kmsan_in_runtime())
@@ -371,47 +377,31 @@ void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
}
EXPORT_SYMBOL(kmsan_poison_memory);
+/*
+ * Unlike kmsan_poison_memory(), this function can be used from within KMSAN
+ * runtime, because it does not trigger allocations or call instrumented code.
+ */
void kmsan_unpoison_memory(const void *address, size_t size)
{
unsigned long ua_flags;
- if (!kmsan_enabled || kmsan_in_runtime())
+ if (!kmsan_enabled)
return;
ua_flags = user_access_save();
- kmsan_enter_runtime();
/* The users may want to poison/unpoison random memory. */
kmsan_internal_unpoison_memory((void *)address, size,
KMSAN_POISON_NOCHECK);
- kmsan_leave_runtime();
user_access_restore(ua_flags);
}
EXPORT_SYMBOL(kmsan_unpoison_memory);
/*
- * Version of kmsan_unpoison_memory() that can be called from within the KMSAN
- * runtime.
- *
- * Non-instrumented IRQ entry functions receive struct pt_regs from assembly
- * code. Those regs need to be unpoisoned, otherwise using them will result in
- * false positives.
- * Using kmsan_unpoison_memory() is not an option in entry code, because the
- * return value of in_task() is inconsistent - as a result, certain calls to
- * kmsan_unpoison_memory() are ignored. kmsan_unpoison_entry_regs() ensures that
- * the registers are unpoisoned even if kmsan_in_runtime() is true in the early
- * entry code.
+ * Version of kmsan_unpoison_memory() called from IRQ entry functions.
*/
void kmsan_unpoison_entry_regs(const struct pt_regs *regs)
{
- unsigned long ua_flags;
-
- if (!kmsan_enabled)
- return;
-
- ua_flags = user_access_save();
- kmsan_internal_unpoison_memory((void *)regs, sizeof(*regs),
- KMSAN_POISON_NOCHECK);
- user_access_restore(ua_flags);
+ kmsan_unpoison_memory((void *)regs, sizeof(*regs));
}
void kmsan_check_memory(const void *addr, size_t size)
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: [email protected]
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
: "cc", "memory", "rax", "rcx");
}
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+ memcpy(to, from, PAGE_SIZE);
+}
+#else
void copy_page(void *to, void *from);
+#endif
#ifdef CONFIG_X86_5LEVEL
/*
diff --git a/arch/x86/lib/copy_mc.c b/arch/x86/lib/copy_mc.c
index 6e8b7e600def..bc701dcbb133 100644
--- a/arch/x86/lib/copy_mc.c
+++ b/arch/x86/lib/copy_mc.c
@@ -61,9 +61,9 @@ unsigned long copy_mc_enhanced_fast_string(void *dst, const void *src, unsigned
*/
unsigned long __must_check copy_mc_to_kernel(void *dst, const void *src, unsigned len)
{
- if (copy_mc_fragile_enabled)
+ if (0 && copy_mc_fragile_enabled)
return copy_mc_fragile(dst, src, len);
- if (static_cpu_has(X86_FEATURE_ERMS))
+ if (0 && static_cpu_has(X86_FEATURE_ERMS))
return copy_mc_enhanced_fast_string(dst, src, len);
memcpy(dst, src, len);
return 0;
@@ -74,14 +74,14 @@ unsigned long __must_check copy_mc_to_user(void __user *dst, const void *src, un
{
unsigned long ret;
- if (copy_mc_fragile_enabled) {
+ if (0 && copy_mc_fragile_enabled) {
__uaccess_begin();
ret = copy_mc_fragile((__force void *)dst, src, len);
__uaccess_end();
return ret;
}
- if (static_cpu_has(X86_FEATURE_ERMS)) {
+ if (0 && static_cpu_has(X86_FEATURE_ERMS)) {
__uaccess_begin();
ret = copy_mc_enhanced_fast_string((__force void *)dst, src, len);
__uaccess_end();
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index e0aa6b440ca5..039ffa49f324 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -253,11 +253,16 @@ size_t memcpy_from_iter_mc(void *iter_from, size_t progress,
static size_t __copy_from_iter_mc(void *addr, size_t bytes, struct iov_iter *i)
{
+ size_t ret;
+
if (unlikely(i->count < bytes))
bytes = i->count;
if (unlikely(!bytes))
return 0;
- return iterate_bvec(i, bytes, addr, NULL, memcpy_from_iter_mc);
+ ret = iterate_bvec(i, bytes, addr, NULL, memcpy_from_iter_mc);
+ if (bytes != ret)
+ printk("addr=%px bytes=%d ret=%d\n", addr, bytes, ret);
+ return ret;
}
static __always_inline
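Review bot: The added `printk()` formats `bytes` and `ret`, both `size_t` per the signature and the new declaration, with `%d`; that is a format/argument mismatch (`-Wformat` will flag it), so use `printk("addr=%px bytes=%zu ret=%zu\n", addr, bytes, ret);`. `%px` prints an unhashed kernel pointer, acceptable for a throwaway diagnostic like this one but not something that should survive into a real submission. `__copy_from_iter_mc()` lies entirely within the hunk.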
diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c
index 5d6e2dee5692..0b09daa188ef 100644
--- a/mm/kmsan/hooks.c
+++ b/mm/kmsan/hooks.c
@@ -359,6 +359,12 @@ void kmsan_handle_dma_sg(struct scatterlist *sg, int nents,
}
/* Functions from kmsan-checks.h follow. */
+
+/*
+ * To create an origin, kmsan_poison_memory() unwinds the stacks and stores it
+ * into the stack depot. This may cause deadlocks if done from within KMSAN
+ * runtime, therefore we bail out if kmsan_in_runtime().
+ */
void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
{
if (!kmsan_enabled || kmsan_in_runtime())
@@ -371,47 +377,31 @@ void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
}
EXPORT_SYMBOL(kmsan_poison_memory);
+/*
+ * Unlike kmsan_poison_memory(), this function can be used from within KMSAN
+ * runtime, because it does not trigger allocations or call instrumented code.
+ */
void kmsan_unpoison_memory(const void *address, size_t size)
{
unsigned long ua_flags;
- if (!kmsan_enabled || kmsan_in_runtime())
+ if (!kmsan_enabled)
return;
ua_flags = user_access_save();
- kmsan_enter_runtime();
/* The users may want to poison/unpoison random memory. */
kmsan_internal_unpoison_memory((void *)address, size,
KMSAN_POISON_NOCHECK);
- kmsan_leave_runtime();
user_access_restore(ua_flags);
}
EXPORT_SYMBOL(kmsan_unpoison_memory);
/*
- * Version of kmsan_unpoison_memory() that can be called from within the KMSAN
- * runtime.
- *
- * Non-instrumented IRQ entry functions receive struct pt_regs from assembly
- * code. Those regs need to be unpoisoned, otherwise using them will result in
- * false positives.
- * Using kmsan_unpoison_memory() is not an option in entry code, because the
- * return value of in_task() is inconsistent - as a result, certain calls to
- * kmsan_unpoison_memory() are ignored. kmsan_unpoison_entry_regs() ensures that
- * the registers are unpoisoned even if kmsan_in_runtime() is true in the early
- * entry code.
+ * Version of kmsan_unpoison_memory() called from IRQ entry functions.
*/
void kmsan_unpoison_entry_regs(const struct pt_regs *regs)
{
- unsigned long ua_flags;
-
- if (!kmsan_enabled)
- return;
-
- ua_flags = user_access_save();
- kmsan_internal_unpoison_memory((void *)regs, sizeof(*regs),
- KMSAN_POISON_NOCHECK);
- user_access_restore(ua_flags);
+ kmsan_unpoison_memory((void *)regs, sizeof(*regs));
}
void kmsan_check_memory(const void *addr, size_t size)
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: [email protected]
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
syzbot is reporting a false-positive KMSAN warning upon coredump, because the
dump_emit_page() path reaches memcpy_from_iter_mc() via iterate_bvec()
after setting "struct iov_iter"->copy_mc to true.
Make arch/x86/lib/copy_mc.c not call arch/x86/lib/copy_mc_64.S
when KMSAN is enabled.
Reported-by: syzbot <[email protected]>
Closes: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
Signed-off-by: Tetsuo Handa <[email protected]>
---
arch/x86/lib/copy_mc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/x86/lib/copy_mc.c b/arch/x86/lib/copy_mc.c
index 6e8b7e600def..c6a0b8dbf58d 100644
--- a/arch/x86/lib/copy_mc.c
+++ b/arch/x86/lib/copy_mc.c
@@ -61,9 +61,9 @@ unsigned long copy_mc_enhanced_fast_string(void *dst, const void *src, unsigned
*/
unsigned long __must_check copy_mc_to_kernel(void *dst, const void *src, unsigned len)
{
- if (copy_mc_fragile_enabled)
+ if (!IS_ENABLED(CONFIG_KMSAN) && copy_mc_fragile_enabled)
return copy_mc_fragile(dst, src, len);
- if (static_cpu_has(X86_FEATURE_ERMS))
+ if (!IS_ENABLED(CONFIG_KMSAN) && static_cpu_has(X86_FEATURE_ERMS))
return copy_mc_enhanced_fast_string(dst, src, len);
memcpy(dst, src, len);
return 0;
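Review bot: Gating the `copy_mc_fragile()` and `copy_mc_enhanced_fast_string()` paths on `!IS_ENABLED(CONFIG_KMSAN)` removes machine-check-safe copying from KMSAN builds altogether instead of teaching KMSAN about those copies, so a KMSAN kernel may no longer recover from a machine check on poisoned memory where a production kernel would; that trade-off deserves a sentence in the commit message, or a comment next to the first check such as `/* KMSAN cannot see the assembly copies; fall back to the instrumented memcpy(). */`. The second hunk in `copy_mc_to_user()` applies the same gate and carries the same trade-off. `copy_mc_to_kernel()`'s closing brace is below the hunk.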
@@ -74,14 +74,14 @@ unsigned long __must_check copy_mc_to_user(void __user *dst, const void *src, un
{
unsigned long ret;
- if (copy_mc_fragile_enabled) {
+ if (!IS_ENABLED(CONFIG_KMSAN) && copy_mc_fragile_enabled) {
__uaccess_begin();
ret = copy_mc_fragile((__force void *)dst, src, len);
__uaccess_end();
return ret;
}
- if (static_cpu_has(X86_FEATURE_ERMS)) {
+ if (!IS_ENABLED(CONFIG_KMSAN) && static_cpu_has(X86_FEATURE_ERMS)) {
__uaccess_begin();
ret = copy_mc_enhanced_fast_string((__force void *)dst, src, len);
__uaccess_end();
--
2.34.1
For archival purposes, forwarding an incoming command email to
[email protected].
***
Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: [email protected]
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
diff --git a/arch/x86/lib/copy_mc.c b/arch/x86/lib/copy_mc.c
index 6e8b7e600def..6858f80fc9a2 100644
--- a/arch/x86/lib/copy_mc.c
+++ b/arch/x86/lib/copy_mc.c
@@ -61,12 +61,18 @@ unsigned long copy_mc_enhanced_fast_string(void *dst, const void *src, unsigned
*/
unsigned long __must_check copy_mc_to_kernel(void *dst, const void *src, unsigned len)
{
- if (copy_mc_fragile_enabled)
- return copy_mc_fragile(dst, src, len);
- if (static_cpu_has(X86_FEATURE_ERMS))
- return copy_mc_enhanced_fast_string(dst, src, len);
- memcpy(dst, src, len);
- return 0;
+ unsigned long ret;
+
+ if (copy_mc_fragile_enabled) {
+ ret = copy_mc_fragile(dst, src, len);
+ } else if (static_cpu_has(X86_FEATURE_ERMS)) {
+ ret = copy_mc_enhanced_fast_string(dst, src, len);
+ } else {
+ memcpy(dst, src, len);
+ ret = 0;
+ }
+ kmsan_memmove(dst, src, len - ret);
+ return ret;
}
EXPORT_SYMBOL_GPL(copy_mc_to_kernel);
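Review bot: `kmsan_memmove(dst, src, len - ret)` now runs on all three branches, including the plain `memcpy()` fallback, although the kernel-doc added for `kmsan_memmove()` in this same series says it is for copies done by non-instrumented code; if this file is built with KMSAN instrumentation (please confirm) the compiler-replaced `memcpy()` already propagates shadow and origin, and the second copy is redundant and misleading. Restricting the hook to the two assembly branches keeps the comment and the code in agreement. `len - ret` also relies on the assembly helpers returning the number of bytes left uncopied, which the new code assumes but nowhere states; a one-line comment on that saves the next reader a trip to copy_mc_64.S.
```c
unsigned long __must_check copy_mc_to_kernel(void *dst, const void *src, unsigned len)
{
	unsigned long ret;

	if (copy_mc_fragile_enabled) {
		ret = copy_mc_fragile(dst, src, len);
		/* ret is the byte count left uncopied; only the copied prefix carries valid data. */
		kmsan_memmove(dst, src, len - ret);
		return ret;
	}
	if (static_cpu_has(X86_FEATURE_ERMS)) {
		ret = copy_mc_enhanced_fast_string(dst, src, len);
		kmsan_memmove(dst, src, len - ret);
		return ret;
	}
	/* Plain memcpy(): compiler instrumentation covers the metadata (confirm this file is KMSAN-instrumented). */
	memcpy(dst, src, len);
	return 0;
}
```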
@@ -78,15 +84,13 @@ unsigned long __must_check copy_mc_to_user(void __user *dst, const void *src, un
__uaccess_begin();
ret = copy_mc_fragile((__force void *)dst, src, len);
__uaccess_end();
- return ret;
- }
-
- if (static_cpu_has(X86_FEATURE_ERMS)) {
+ } else if (static_cpu_has(X86_FEATURE_ERMS)) {
__uaccess_begin();
ret = copy_mc_enhanced_fast_string((__force void *)dst, src, len);
__uaccess_end();
- return ret;
+ } else {
+ ret = copy_user_generic((__force void *)dst, src, len);
}
-
- return copy_user_generic((__force void *)dst, src, len);
+ kmsan_copy_to_user(dst, src, len, ret);
+ return ret;
}
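Review bot: `kmsan_copy_to_user(dst, src, len, ret)` now also follows the `copy_user_generic()` fallback; that looks right because this function calls `copy_user_generic()` directly rather than going through the generic uaccess wrappers that would presumably report the copy themselves, but the reason is non-obvious and belongs in a comment: `/* Not routed through the generic uaccess wrappers, so report the copy to KMSAN here. */`. The function's opening `if (copy_mc_fragile_enabled) {` sits above the hunk, so the restructuring into an if/else-if chain needs checking there as well.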
diff --git a/include/linux/kmsan-checks.h b/include/linux/kmsan-checks.h
index c4cae333deec..4c2a614dab2d 100644
--- a/include/linux/kmsan-checks.h
+++ b/include/linux/kmsan-checks.h
@@ -61,6 +61,17 @@ void kmsan_check_memory(const void *address, size_t size);
void kmsan_copy_to_user(void __user *to, const void *from, size_t to_copy,
size_t left);
+/**
+ * kmsan_memmove() - Notify KMSAN about a data copy within kernel.
+ * @to: destination address in the kernel.
+ * @from: source address in the kernel.
+ * @size: number of bytes to copy.
+ *
+ * Invoked after non-instrumented version (e.g. implemented using assembly
+ * code) of memmove()/memcpy() is called, in order to copy KMSAN's metadata.
+ */
+void kmsan_memmove(void *to, const void *from, size_t size);
+
#else
static inline void kmsan_poison_memory(const void *address, size_t size,
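Review bot: The kernel-doc says `@size: number of bytes to copy`, but the one caller in this series passes `len - ret`, i.e. the number of bytes that were actually written after a possibly partial machine-check-safe copy; reporting the full requested length would make the uncopied tail of the destination inherit the source's shadow although its contents were never written. Change it to `@size: number of bytes that were actually copied.` and add a sentence to the description: `Callers that may copy only a prefix must pass the copied length, not the requested one.`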
@@ -77,6 +88,9 @@ static inline void kmsan_copy_to_user(void __user *to, const void *from,
size_t to_copy, size_t left)
{
}
+static inline void kmsan_memmove(void *to, const void *from, size_t size)
+{
+}
#endif
diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c
index 5d6e2dee5692..364f778ee226 100644
--- a/mm/kmsan/hooks.c
+++ b/mm/kmsan/hooks.c
@@ -285,6 +285,17 @@ void kmsan_copy_to_user(void __user *to, const void *from, size_t to_copy,
}
EXPORT_SYMBOL(kmsan_copy_to_user);
+void kmsan_memmove(void *to, const void *from, size_t size)
+{
+ if (!kmsan_enabled || kmsan_in_runtime())
+ return;
+
+ kmsan_enter_runtime();
+ kmsan_internal_memmove_metadata(to, (void *)from, size);
+ kmsan_leave_runtime();
+}
+EXPORT_SYMBOL(kmsan_memmove);
+
/* Helper function to check an URB. */
void kmsan_handle_urb(const struct urb *urb, bool is_out)
{
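Review bot: `kmsan_memmove()` returns silently when `kmsan_in_runtime()`, so a copy performed while the runtime is active leaves the destination's metadata unchanged; since an earlier hooks.c patch in this thread argued that a metadata-only operation needs no runtime guard, it is worth stating in a comment whether `kmsan_internal_memmove_metadata()` can allocate or call instrumented code, because if it cannot, the guard and the enter/leave pair can mirror `kmsan_unpoison_memory()`'s instead. The neighbouring hook `kmsan_handle_urb()` carries a one-line header comment, so give this one the same treatment: `/* Copy shadow and origin metadata after a non-instrumented memcpy()/memmove(); @size is the number of bytes actually copied. */`. `kmsan_memmove()` lies entirely within the hunk.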
#syz fix: x86: call instrumentation hooks from copy_mc.c