Date: Mon, 21 Nov 2022 10:21:37 +0100
From: Jan Kara
To: Ye Bin
Cc: tytso@mit.edu, adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, jack@suse.cz, Ye Bin, syzbot+57b25da729eb0b88177d@syzkaller.appspotmail.com
Subject: Re: [PATCH] ext4: fix uninit-value in 'ext4_evict_inode'
Message-ID: <20221121092137.e3c4hhqvcozkakrw@quack3>
References: <20221117073603.2598882-1-yebin@huaweicloud.com>
In-Reply-To: <20221117073603.2598882-1-yebin@huaweicloud.com>
X-Mailing-List: linux-ext4@vger.kernel.org

On Thu 17-11-22 15:36:03, Ye Bin wrote:
> From: Ye Bin
> 
> Syzbot found the following issue:
> =====================================================
> BUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
>  ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
>  evict+0x365/0x9a0 fs/inode.c:664
>  iput_final fs/inode.c:1747 [inline]
>  iput+0x985/0xdd0 fs/inode.c:1773
>  __ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361
>  ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844
>  vfs_mknod+0x79d/0x830 fs/namei.c:3914
>  do_mknodat+0x47d/0xaa0
>  __do_sys_mknodat fs/namei.c:3992 [inline]
>  __se_sys_mknodat fs/namei.c:3989 [inline]
>  __ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989
>  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
>  __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
>  do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
>  do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
>  entry_SYSENTER_compat_after_hwframe+0x70/0x82
> 
> Uninit was created at:
>  __alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578
>  alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285
>  alloc_slab_page mm/slub.c:1794 [inline]
>  allocate_slab+0x1b5/0x1010 mm/slub.c:1939
>  new_slab mm/slub.c:1992 [inline]
>  ___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180
>  __slab_alloc mm/slub.c:3279 [inline]
>  slab_alloc_node mm/slub.c:3364 [inline]
>  slab_alloc mm/slub.c:3406 [inline]
>  __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
>  kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429
>  alloc_inode_sb include/linux/fs.h:3117 [inline]
>  ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321
>  alloc_inode+0x83/0x440 fs/inode.c:259
>  new_inode_pseudo fs/inode.c:1018 [inline]
>  new_inode+0x3b/0x430 fs/inode.c:1046
>  __ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959
>  ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992
>  vfs_mkdir+0x62a/0x870 fs/namei.c:4035
>  do_mkdirat+0x466/0x7b0 fs/namei.c:4060
>  __do_sys_mkdirat fs/namei.c:4075 [inline]
>  __se_sys_mkdirat fs/namei.c:4073 [inline]
>  __ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073
>  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
>  __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
>  do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
>  do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
>  entry_SYSENTER_compat_after_hwframe+0x70/0x82
> 
> CPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
> =====================================================
> 
> Now, 'ext4_alloc_inode()' doesn't init 'ei->i_flags'. If creating a new inode
> fails before 'ei->i_flags' is set in '__ext4_new_inode()', 'iput()' is called.
> Since commit 6bc0d63dad7f, 'ext4_evict_inode()' accesses 'ei->i_flags', which
> leads to an uninit-value access.
> To solve the above issue, just init 'ei->i_flags' in 'ext4_alloc_inode()'.
> 
> Reported-by: syzbot+57b25da729eb0b88177d@syzkaller.appspotmail.com
> Fixes:6bc0d63dad7f("ext4: remove EA inode entry from mbcache on inode eviction")

Some spaces are missing in the above tag. Should be like:

Fixes: 6bc0d63dad7f ("ext4: remove EA inode entry from mbcache on inode eviction")

> Signed-off-by: Ye Bin

Nice catch. Thanks for fixing this! Feel free to add:

Reviewed-by: Jan Kara

								Honza

> ---
>  fs/ext4/super.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index ae433e1337ed..cd2590489392 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1323,6 +1323,7 @@ static struct inode *ext4_alloc_inode(struct super_block *sb)
>  		return NULL;
>  
>  	inode_set_iversion(&ei->vfs_inode, 1);
> +	ei->i_flags = 0;
>  	spin_lock_init(&ei->i_raw_lock);
>  	INIT_LIST_HEAD(&ei->i_prealloc_list);
>  	atomic_set(&ei->i_prealloc_active, 0);
> -- 
> 2.31.1
> 

-- 
Jan Kara
SUSE Labs, CR
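Review bot: the added `ei->i_flags = 0;` carries no comment saying why it is needed, namely that ext4_evict_inode() reads i_flags for an inode that was dropped via iput() before __ext4_new_inode() ever assigned the field; sitting bare between inode_set_iversion() and spin_lock_init(), it looks like a redundant zeroing that a later cleanup could remove. Suggest a one-line comment above it, for example `/* ext4_evict_inode() reads i_flags even for inodes that never finished __ext4_new_inode() */`. Separately, the KMSAN origin trace in the commit message shows the object comes from kmem_cache_alloc_lru() without zeroing, so any other ext4_inode_info field that ext4_evict_inode() reads before __ext4_new_inode() completes has the same exposure; it would be worth a quick audit of that eviction path rather than initialising only the field syzbot happened to trip over.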
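The failure mode in the commit message (a teardown path reading a field that only the constructor's success path assigns, on an object handed out by a non-zeroing slab) is easy to reproduce outside the kernel. The following is an added userland model written for this page; it is not ext4 or kernel code. All `model_*` names, the `MODEL_EA_INODE_FL` bit and the 0xA5 "stale slab" fill are assumptions chosen to make the stale read deterministic, standing in for what KMSAN reports as an uninit-value.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added userland model of the bug pattern in the patch above; illustrative
 * code, not ext4 or kernel code. Names prefixed "model_" and the flag value
 * below are assumptions made for this demonstration.
 */

#define MODEL_EA_INODE_FL 0x00200000UL  /* hypothetical flag bit, like an "EA inode" flag */

struct model_inode {
    unsigned long i_flags;      /* only assigned late, on the success path of model_new_inode() */
    unsigned long i_ino;
    int prealloc_active;
};

/*
 * One-object "slab": memory is recycled and never zeroed, standing in for
 * kmem_cache_alloc_lru() without __GFP_ZERO. The 0xA5 fill is constructed
 * stale data representing whatever the previous user of the slot left there.
 */
static union {
    struct model_inode obj;
    unsigned char bytes[sizeof(struct model_inode)];
} slab;

static struct model_inode *slab_alloc(void)
{
    memset(slab.bytes, 0xA5, sizeof slab.bytes);
    return &slab.obj;
}

/*
 * Mirror of ext4_alloc_inode(): field-by-field initialisation of the object
 * returned by the slab. init_flags == 0 reproduces the buggy version,
 * init_flags == 1 includes the one-line fix from the patch.
 */
static struct model_inode *model_alloc_inode(int init_flags)
{
    struct model_inode *ei = slab_alloc();

    ei->i_ino = 0;
    ei->prealloc_active = 0;
    if (init_flags)
        ei->i_flags = 0;        /* the fix: every inode leaves the allocator with known flags */
    return ei;
}

/*
 * Mirror of the eviction path: reads i_flags to decide whether cache cleanup
 * is needed. Returns the value it observed so callers can check it.
 */
static unsigned long model_evict_inode(struct model_inode *ei)
{
    unsigned long seen = ei->i_flags;

    if (seen & MODEL_EA_INODE_FL) {
        /* the real code would touch the mbcache for an EA inode here */
    }
    return seen;
}

/*
 * Mirror of __ext4_new_inode(): with fail_early set, the half-built inode is
 * dropped (iput() -> evict) before i_flags was ever assigned. Returns what the
 * eviction path observed in i_flags.
 */
static unsigned long model_new_inode(int init_flags, int fail_early)
{
    struct model_inode *ei = model_alloc_inode(init_flags);

    if (fail_early)
        return model_evict_inode(ei);   /* error path: iput() on a partial inode */

    ei->i_flags = MODEL_EA_INODE_FL;    /* normal path sets flags before any reader */
    return model_evict_inode(ei);
}

int main(void)
{
    printf("buggy, early failure: i_flags=0x%lx (stale slab contents)\n",
           model_new_inode(0, 1));
    printf("fixed, early failure: i_flags=0x%lx\n", model_new_inode(1, 1));
    printf("fixed, normal path:   i_flags=0x%lx\n", model_new_inode(1, 0));
    return 0;
}
```

In the buggy variant the eviction path sees the 0xA5 pattern, and because bit 21 of that pattern happens to be set it would take the "EA inode" branch for an inode that never was one; in the real kernel the value is whatever the slab slot last held, which is why only KMSAN made the bug visible. The design point the patch encodes is that any field read on a teardown path must be initialised by the allocator, since teardown can run on objects whose construction was abandoned part way.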