[syzbot] [kernel?] KMSAN: kernel-infoleak in exc_page_fault
3 views
Skip to first unread message
syzbot
Jun 24, 2026, 9:08:21 PM (10 hours ago) Jun 24
to linux-...@vger.kernel.org, lu...@kernel.org, pet...@infradead.org, syzkall...@googlegroups.com, tg...@kernel.org
Hello,
syzbot found the following issue on:
HEAD commit: 9ecfb2f7287a Merge tag 'trace-ring-buffer-v7.2' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1471e8ea580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a9e1383387f0e112
dashboard link: https://syzkaller.appspot.com/bug?extid=411634dace73dad6f4d4
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c8d222bd96ba/disk-9ecfb2f7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/629368d40b7e/vmlinux-9ecfb2f7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/156086f5f12a/bzImage-9ecfb2f7.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+411634...@syzkaller.appspotmail.com
BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]
BUG: KMSAN: kernel-infoleak in rseq_update_usr include/linux/rseq_entry.h:536 [inline]
BUG: KMSAN: kernel-infoleak in rseq_exit_user_update include/linux/rseq_entry.h:645 [inline]
BUG: KMSAN: kernel-infoleak in __rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:674 [inline]
BUG: KMSAN: kernel-infoleak in rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:703 [inline]
BUG: KMSAN: kernel-infoleak in exit_to_user_mode_loop kernel/entry/common.c:103 [inline]
BUG: KMSAN: kernel-infoleak in __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:244 [inline]
BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode include/linux/irq-entry-common.h:315 [inline]
BUG: KMSAN: kernel-infoleak in irqentry_exit+0x4a6/0xa40 kernel/entry/common.c:165
exc_page_fault+0x7e/0xb0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:595
Local variable st.i.i created at:
__do_sys_statfs fs/statfs.c:193 [inline]
__se_sys_statfs fs/statfs.c:191 [inline]
__x64_sys_statfs+0x73/0x200 fs/statfs.c:191
x64_sys_call+0x334c/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:138
Bytes 0-3 of 4 are uninitialized
Memory access of size 4 starts at ffff88811856be78
Data copied to user address 00007ff99a04cac0
CPU: 1 UID: 0 PID: 5314 Comm: rm Not tainted syzkaller #0 PREEMPT(lazy)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 9ecfb2f7287a Merge tag 'trace-ring-buffer-v7.2' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1471e8ea580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a9e1383387f0e112
dashboard link: https://syzkaller.appspot.com/bug?extid=411634dace73dad6f4d4
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c8d222bd96ba/disk-9ecfb2f7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/629368d40b7e/vmlinux-9ecfb2f7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/156086f5f12a/bzImage-9ecfb2f7.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+411634...@syzkaller.appspotmail.com
BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]
BUG: KMSAN: kernel-infoleak in rseq_update_usr include/linux/rseq_entry.h:536 [inline]
BUG: KMSAN: kernel-infoleak in rseq_exit_user_update include/linux/rseq_entry.h:645 [inline]
BUG: KMSAN: kernel-infoleak in __rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:674 [inline]
BUG: KMSAN: kernel-infoleak in rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:703 [inline]
BUG: KMSAN: kernel-infoleak in exit_to_user_mode_loop kernel/entry/common.c:103 [inline]
BUG: KMSAN: kernel-infoleak in __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:244 [inline]
BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode include/linux/irq-entry-common.h:315 [inline]
BUG: KMSAN: kernel-infoleak in irqentry_exit+0x4a6/0xa40 kernel/entry/common.c:165
exc_page_fault+0x7e/0xb0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:595
Local variable st.i.i created at:
__do_sys_statfs fs/statfs.c:193 [inline]
__se_sys_statfs fs/statfs.c:191 [inline]
__x64_sys_statfs+0x73/0x200 fs/statfs.c:191
x64_sys_call+0x334c/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:138
Bytes 0-3 of 4 are uninitialized
Memory access of size 4 starts at ffff88811856be78
Data copied to user address 00007ff99a04cac0
CPU: 1 UID: 0 PID: 5314 Comm: rm Not tainted syzkaller #0 PREEMPT(lazy)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Thomas Gleixner
3:07 AM (4 hours ago) 3:07 AM
to syzbot, linux-...@vger.kernel.org, lu...@kernel.org, pet...@infradead.org, syzkall...@googlegroups.com
#syz set subsystems: kasan
On Wed, Jun 24 2026 at 18:08, syzbot wrote:
> syzbot found the following issue on:
>
> HEAD commit: 9ecfb2f7287a Merge tag 'trace-ring-buffer-v7.2' of git://g..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1471e8ea580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a9e1383387f0e112
> dashboard link: https://syzkaller.appspot.com/bug?extid=411634dace73dad6f4d4
> compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c8d222bd96ba/disk-9ecfb2f7.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/629368d40b7e/vmlinux-9ecfb2f7.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/156086f5f12a/bzImage-9ecfb2f7.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+411634...@syzkaller.appspotmail.com
As I already explained here:
https://lore.kernel.org/871pe1ng7m.ffs@fw13
this is a KMSAN/compiler bug:
> BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]
> BUG: KMSAN: kernel-infoleak in rseq_update_usr include/linux/rseq_entry.h:536 [inline]
> BUG: KMSAN: kernel-infoleak in rseq_exit_user_update include/linux/rseq_entry.h:645 [inline]
> BUG: KMSAN: kernel-infoleak in __rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:674 [inline]
> BUG: KMSAN: kernel-infoleak in rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:703 [inline]
> BUG: KMSAN: kernel-infoleak in exit_to_user_mode_loop kernel/entry/common.c:103 [inline]
> BUG: KMSAN: kernel-infoleak in __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
> BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:244 [inline]
> BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode include/linux/irq-entry-common.h:315 [inline]
> BUG: KMSAN: kernel-infoleak in irqentry_exit+0x4a6/0xa40 kernel/entry/common.c:165
> exc_page_fault+0x7e/0xb0 arch/x86/mm/fault.c:1539
> asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:595
There was a real issue before 6d99479799c6 got applied, but KMSAN still
claims that a local variable which is completely unrelated and was
created in a (previous) syscall is the problem:
> Local variable st.i.i created at:
> __do_sys_statfs fs/statfs.c:193 [inline]
> __se_sys_statfs fs/statfs.c:191 [inline]
> __x64_sys_statfs+0x73/0x200 fs/statfs.c:191
> x64_sys_call+0x334c/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:138
That's clearly some stale information.
> Bytes 0-3 of 4 are uninitialized
> Memory access of size 4 starts at ffff88811856be78
> Data copied to user address 00007ff99a04cac0
The local variable access in rseq_set_ids_get_csaddr() is
ids->cpu_id. ids is a stack variable created _and_ correctly initialized
in rseq_exit_user_update().
On Wed, Jun 24 2026 at 18:08, syzbot wrote:
> syzbot found the following issue on:
>
> HEAD commit: 9ecfb2f7287a Merge tag 'trace-ring-buffer-v7.2' of git://g..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1471e8ea580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a9e1383387f0e112
> dashboard link: https://syzkaller.appspot.com/bug?extid=411634dace73dad6f4d4
> compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c8d222bd96ba/disk-9ecfb2f7.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/629368d40b7e/vmlinux-9ecfb2f7.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/156086f5f12a/bzImage-9ecfb2f7.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+411634...@syzkaller.appspotmail.com
https://lore.kernel.org/871pe1ng7m.ffs@fw13
this is a KMSAN/compiler bug:
> BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]
> BUG: KMSAN: kernel-infoleak in rseq_update_usr include/linux/rseq_entry.h:536 [inline]
> BUG: KMSAN: kernel-infoleak in rseq_exit_user_update include/linux/rseq_entry.h:645 [inline]
> BUG: KMSAN: kernel-infoleak in __rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:674 [inline]
> BUG: KMSAN: kernel-infoleak in rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:703 [inline]
> BUG: KMSAN: kernel-infoleak in exit_to_user_mode_loop kernel/entry/common.c:103 [inline]
> BUG: KMSAN: kernel-infoleak in __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
> BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:244 [inline]
> BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode include/linux/irq-entry-common.h:315 [inline]
> BUG: KMSAN: kernel-infoleak in irqentry_exit+0x4a6/0xa40 kernel/entry/common.c:165
> exc_page_fault+0x7e/0xb0 arch/x86/mm/fault.c:1539
> asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:595
claims that a local variable which is completely unrelated and was
created in a (previous) syscall is the problem:
> Local variable st.i.i created at:
> __do_sys_statfs fs/statfs.c:193 [inline]
> __se_sys_statfs fs/statfs.c:191 [inline]
> __x64_sys_statfs+0x73/0x200 fs/statfs.c:191
> x64_sys_call+0x334c/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:138
> Bytes 0-3 of 4 are uninitialized
> Memory access of size 4 starts at ffff88811856be78
> Data copied to user address 00007ff99a04cac0
ids->cpu_id. ids is a stack variable created _and_ correctly initialized
in rseq_exit_user_update().
Reply all
Reply to author
Forward
0 new messages