[syzbot] KMSAN: uninit-value in do_user_addr_fault (3)


syzbot

Mar 24, 2022, 9:48:22 AM
to ak...@linux-foundation.org, dvy...@google.com, el...@google.com, gli...@google.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 724946410067 x86: kmsan: enable KMSAN builds for x86
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1734f916700000
kernel config: https://syzkaller.appspot.com/x/.config?x=76f99026248b24e4
dashboard link: https://syzkaller.appspot.com/bug?extid=6684a9d1b4d61d0b8f3e
compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b1cbf2700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=131d38a6700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6684a9...@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in arch_stack_walk+0x1ad/0x3c0 arch/x86/kernel/stacktrace.c:21
arch_stack_walk+0x1ad/0x3c0 arch/x86/kernel/stacktrace.c:21
stack_trace_save+0x43/0x60 kernel/stacktrace.c:122
kmsan_save_stack_with_flags mm/kmsan/core.c:80 [inline]
kmsan_internal_chain_origin+0xa9/0x110 mm/kmsan/core.c:217
kmsan_internal_memmove_metadata+0x1f2/0x2e0 mm/kmsan/core.c:165
__msan_memcpy+0x65/0x90 mm/kmsan/instrumentation.c:127
sock_write_iter+0x605/0x690 net/socket.c:1062
do_iter_readv_writev+0xa7f/0xc70
do_iter_write+0x52c/0x1500 fs/read_write.c:851
vfs_writev fs/read_write.c:924 [inline]
do_writev+0x645/0xe00 fs/read_write.c:967
__do_sys_writev fs/read_write.c:1040 [inline]
__se_sys_writev fs/read_write.c:1037 [inline]
__x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae

Local variable regs created at:
__bpf_prog_run32+0x84/0x180 kernel/bpf/core.c:1796
bpf_dispatcher_nop_func include/linux/bpf.h:785 [inline]
__bpf_prog_run include/linux/filter.h:626 [inline]
bpf_prog_run include/linux/filter.h:633 [inline]
__bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756

CPU: 1 PID: 3474 Comm: syz-executor178 Not tainted 5.17.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Dmitry Vyukov

Mar 24, 2022, 10:16:55 AM
to syzbot, linux-riscv, Palmer Dabbelt, ak...@linux-foundation.org, el...@google.com, gli...@google.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 24 Mar 2022 at 14:48, syzbot
<syzbot+6684a9...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 724946410067 x86: kmsan: enable KMSAN builds for x86
> git tree: https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=1734f916700000
> kernel config: https://syzkaller.appspot.com/x/.config?x=76f99026248b24e4
> dashboard link: https://syzkaller.appspot.com/bug?extid=6684a9d1b4d61d0b8f3e
> compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b1cbf2700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=131d38a6700000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+6684a9...@syzkaller.appspotmail.com

+linux-riscv as there are some riscv bugs bucketed here as well:

BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
Read of size 8 at addr ffffaf800bd53d60 by task syz-executor.0/2044

CPU: 0 PID: 2044 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8000a052>] walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
[<ffffffff8000a4a4>] arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:146
[<ffffffff80162ac8>] stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
[<ffffffff80473abe>] kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38

If risc-v stack walking is intentionally imprecise, then it needs
kasan annotations as other arches do for async stack walking. Or
otherwise it looks like a stack walking precision bug.

Alexander Potapenko

Apr 4, 2022, 11:08:33 AM
to syzkaller-bugs
This bug should be fixed at KMSAN trunk.
What went wrong is that KMSAN didn't see memory accesses inside uninstrumented kernel/stacktrace.c - and skipping stacktrace.c, in turn, was required because some uninstrumented KMSAN locals were passed to it, leading to other false positives.
Initializing those locals and instrumenting stacktrace.c should have resolved the issues.

#syz fix: Revert "kernel: kmsan: don't instrument stacktrace.c"

syzbot

Apr 4, 2022, 11:08:36 AM
to 'Alexander Potapenko' via syzkaller-bugs, syzkall...@googlegroups.com
> This bug should be fixed at KMSAN trunk.
> What went wrong is that KMSAN didn't see memory accesses inside
> uninstrumented kernel/stacktrace.c - and skipping stacktrace.c, in turn,
> was required because some uninstrumented KMSAN locals were passed to it,
> leading to other false positives.
> Initializing those locals and instrumenting stacktrace.c should have
> resolved the issues.
>
> #syz fix: Revert "kernel: kmsan: don't instrument stacktrace.c"

I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).

Alexander Potapenko

Apr 4, 2022, 11:11:09 AM
to syzbot, syzbot+6684a9...@syzkaller.appspotmail.com, 'Alexander Potapenko' via syzkaller-bugs
#syz fix: Revert "kernel: kmsan: don't instrument stacktrace.c"




--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Liana Sebastian
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg


This e-mail is confidential. If you received this communication by
mistake, please don't forward it to anyone else, please erase all
copies and attachments, and please let me know that it has gone to the
wrong person.

Dmitry Vyukov

May 12, 2022, 8:08:02 AM
to Alexander Potapenko, syzbot, syzbot+6684a9...@syzkaller.appspotmail.com, 'Alexander Potapenko' via syzkaller-bugs
On Mon, 4 Apr 2022 at 17:11, 'Alexander Potapenko' via syzkaller-bugs
<syzkall...@googlegroups.com> wrote:
>
> #syz fix: Revert "kernel: kmsan: don't instrument stacktrace.c"

syzbot waits for this fix to appear in all tested trees. It won't,
it's only present in the KMSAN tree.

#syz invalid

Alexander Potapenko

May 12, 2022, 8:40:07 AM
to Dmitry Vyukov, syzbot, syzbot+6684a9...@syzkaller.appspotmail.com, 'Alexander Potapenko' via syzkaller-bugs
Oh, thanks

> #syz invalid