All of lore.kernel.org
 help / color / mirror / Atom feed
* [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
@ 2024-01-01 13:38 syzbot
  2024-01-02  7:38 ` Tetsuo Handa
                   ` (12 more replies)
  0 siblings, 13 replies; 35+ messages in thread
From: syzbot @ 2024-01-01 13:38 UTC (permalink / raw)
  To: jasowang, linux-kernel, mst, syzkaller-bugs, virtualization, xuanzhuo

Hello,

syzbot found the following issue on:

HEAD commit:    fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
 vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
 virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
 virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
 virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
 virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
 virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
 scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
 blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
 blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
 __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
 blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
 blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
 kthread+0x3ed/0x540 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Uninit was created at:
 __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
 alloc_pages mm/mempolicy.c:2204 [inline]
 folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
 filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
 __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
 ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
 generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
 ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
 ext4_file_write_iter+0x20f/0x3460
 __kernel_write_iter+0x329/0x930 fs/read_write.c:517
 dump_emit_page fs/coredump.c:888 [inline]
 dump_user_range+0x593/0xcd0 fs/coredump.c:915
 elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
 do_coredump+0x32c9/0x4920 fs/coredump.c:764
 get_signal+0x2185/0x2d10 kernel/signal.c:2890
 arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
 irqentry_exit+0x16/0x40 kernel/entry/common.c:412
 exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
 asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570

Bytes 0-4095 of 4096 are uninitialized
Memory access of size 4096 starts at ffff88812c79c000

CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: kblockd blk_mq_run_work_fn
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
@ 2024-01-02  7:38 ` Tetsuo Handa
  2024-01-03  9:59   ` Tetsuo Handa
  2024-02-21 11:04   ` Tetsuo Handa
  2024-01-02  7:38 ` [syzbot] " syzbot
                   ` (11 subsequent siblings)
  12 siblings, 2 replies; 35+ messages in thread
From: Tetsuo Handa @ 2024-01-02  7:38 UTC (permalink / raw)
  To: syzbot, syzkaller-bugs, linux-mm

#syz set subsystems: mm

On 2024/01/01 22:38, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com
> 
> =====================================================
> BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
>  vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
>  virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
>  virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
>  virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
>  __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
>  virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
>  virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
>  scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
>  scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
>  blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
>  __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
>  blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
>  __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
>  blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
>  blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
>  process_one_work kernel/workqueue.c:2627 [inline]
>  process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
>  worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
>  kthread+0x3ed/0x540 kernel/kthread.c:388
>  ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> 
> Uninit was created at:
>  __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
>  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
>  alloc_pages mm/mempolicy.c:2204 [inline]
>  folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
>  filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
>  __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
>  ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
>  generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
>  ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
>  ext4_file_write_iter+0x20f/0x3460
>  __kernel_write_iter+0x329/0x930 fs/read_write.c:517
>  dump_emit_page fs/coredump.c:888 [inline]
>  dump_user_range+0x593/0xcd0 fs/coredump.c:915
>  elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
>  do_coredump+0x32c9/0x4920 fs/coredump.c:764
>  get_signal+0x2185/0x2d10 kernel/signal.c:2890
>  arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
>  exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
>  exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
>  irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
>  irqentry_exit+0x16/0x40 kernel/entry/common.c:412
>  exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
>  asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
> 
> Bytes 0-4095 of 4096 are uninitialized
> Memory access of size 4096 starts at ffff88812c79c000
> 
> CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> Workqueue: kblockd blk_mq_run_work_fn
> =====================================================



^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
  2024-01-02  7:38 ` Tetsuo Handa
@ 2024-01-02  7:38 ` syzbot
  2024-01-02 13:03 ` Michael S. Tsirkin
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-01-02  7:38 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: penguin-kernel@i-love.sakura.ne.jp

#syz set subsystems: mm

On 2024/01/01 22:38, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com
> 
> =====================================================
> BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
>  vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
>  virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
>  virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
>  virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
>  __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
>  virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
>  virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
>  scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
>  scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
>  blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
>  __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
>  blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
>  __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
>  blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
>  blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
>  process_one_work kernel/workqueue.c:2627 [inline]
>  process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
>  worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
>  kthread+0x3ed/0x540 kernel/kthread.c:388
>  ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> 
> Uninit was created at:
>  __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
>  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
>  alloc_pages mm/mempolicy.c:2204 [inline]
>  folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
>  filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
>  __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
>  ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
>  generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
>  ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
>  ext4_file_write_iter+0x20f/0x3460
>  __kernel_write_iter+0x329/0x930 fs/read_write.c:517
>  dump_emit_page fs/coredump.c:888 [inline]
>  dump_user_range+0x593/0xcd0 fs/coredump.c:915
>  elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
>  do_coredump+0x32c9/0x4920 fs/coredump.c:764
>  get_signal+0x2185/0x2d10 kernel/signal.c:2890
>  arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
>  exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
>  exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
>  irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
>  irqentry_exit+0x16/0x40 kernel/entry/common.c:412
>  exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
>  asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
> 
> Bytes 0-4095 of 4096 are uninitialized
> Memory access of size 4096 starts at ffff88812c79c000
> 
> CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> Workqueue: kblockd blk_mq_run_work_fn
> =====================================================


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
  2024-01-02  7:38 ` Tetsuo Handa
  2024-01-02  7:38 ` [syzbot] " syzbot
@ 2024-01-02 13:03 ` Michael S. Tsirkin
  2024-01-04 20:45   ` Stefan Hajnoczi
  2024-01-26  0:43 ` Edward Adam Davis
                   ` (9 subsequent siblings)
  12 siblings, 1 reply; 35+ messages in thread
From: Michael S. Tsirkin @ 2024-01-02 13:03 UTC (permalink / raw)
  To: syzbot
  Cc: jasowang, linux-kernel, syzkaller-bugs, virtualization, xuanzhuo,
	bonzini, stefanha

On Mon, Jan 01, 2024 at 05:38:24AM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com
> 
> =====================================================
> BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
>  vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
>  virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
>  virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
>  virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
>  __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
>  virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
>  virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
>  scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
>  scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
>  blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
>  __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
>  blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
>  __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
>  blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
>  blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
>  process_one_work kernel/workqueue.c:2627 [inline]
>  process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
>  worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
>  kthread+0x3ed/0x540 kernel/kthread.c:388
>  ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> 
> Uninit was created at:
>  __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
>  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
>  alloc_pages mm/mempolicy.c:2204 [inline]
>  folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
>  filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
>  __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
>  ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
>  generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
>  ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
>  ext4_file_write_iter+0x20f/0x3460
>  __kernel_write_iter+0x329/0x930 fs/read_write.c:517
>  dump_emit_page fs/coredump.c:888 [inline]
>  dump_user_range+0x593/0xcd0 fs/coredump.c:915
>  elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
>  do_coredump+0x32c9/0x4920 fs/coredump.c:764
>  get_signal+0x2185/0x2d10 kernel/signal.c:2890
>  arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
>  exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
>  exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
>  irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
>  irqentry_exit+0x16/0x40 kernel/entry/common.c:412
>  exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
>  asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
> 
> Bytes 0-4095 of 4096 are uninitialized
> Memory access of size 4096 starts at ffff88812c79c000
> 
> CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> Workqueue: kblockd blk_mq_run_work_fn
> =====================================================
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-02  7:38 ` Tetsuo Handa
@ 2024-01-03  9:59   ` Tetsuo Handa
  2024-02-21 11:04   ` Tetsuo Handa
  1 sibling, 0 replies; 35+ messages in thread
From: Tetsuo Handa @ 2024-01-03  9:59 UTC (permalink / raw)
  To: syzbot, syzkaller-bugs, linux-mm, linux-ext4, virtualization

Well, no suggestions from MM people? This is currently second top crasher
for syzbot and the reproducer is doing nothing special.

syzbot is reporting uninit-value at kmsan_handle_dma() in vring_map_one_sg().

----------
	if (!vq->use_dma_api) {
		/*
		 * If DMA is not used, KMSAN doesn't know that the scatterlist
		 * is initialized by the hardware. Explicitly check/unpoison it
		 * depending on the direction.
		 */
		kmsan_handle_dma(sg_page(sg), sg->offset, sg->length, direction);
		*addr = (dma_addr_t)sg_phys(sg);
		return 0;
	}
----------

syzbot is reporting the page was allocated in ext4_da_write_begin().

----------
	folio = __filemap_get_folio(mapping, index, FGP_WRITEBEGIN,
			mapping_gfp_mask(mapping));
	if (IS_ERR(folio))
		return PTR_ERR(folio);

	/* In case writeback began while the folio was unlocked */
	folio_wait_stable(folio);

#ifdef CONFIG_FS_ENCRYPTION
	ret = ext4_block_write_begin(folio, pos, len, ext4_da_get_block_prep);
#else
	ret = __block_write_begin(&folio->page, pos, len, ext4_da_get_block_prep);
#endif
----------

Since folio_wait_stable() calls folio_wait_writeback(), I'm guessing that
blk_mq_run_work_fn() is triggered by folio_wait_stable().

----------
void folio_wait_stable(struct folio *folio)
{
	if (mapping_stable_writes(folio_mapping(folio)))
		folio_wait_writeback(folio);
}
----------

If my guess is correct, I wonder how AS_STABLE_WRITES could be already set on a
folio struct returned by __filemap_get_folio() ? When AS_STABLE_WRITES is set?

Are there anything we can do for debugging this? Is adding a kernel config option that
does s/union/struct/g for helping debugger/printk() to inspect values in "struct folio"
possible?

Not directly related to this report, but I worry that
mapping_stable_writes(folio_mapping(folio)) might hit NULL pointer
dereference bug because folio_mapping() might return NULL and
mapping_stable_writes() assumes that the argument is not NULL.

On 2024/01/02 16:38, Tetsuo Handa wrote:
> #syz set subsystems: mm
> 
> On 2024/01/01 22:38, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
>> git tree:       upstream
>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
>> dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com
>>
>> =====================================================
>> BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
>> BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
>> BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
>>  vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
>>  virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
>>  virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
>>  virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
>>  __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
>>  virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
>>  virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
>>  scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
>>  scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
>>  blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
>>  __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
>>  blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
>>  __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
>>  blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
>>  blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
>>  process_one_work kernel/workqueue.c:2627 [inline]
>>  process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
>>  worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
>>  kthread+0x3ed/0x540 kernel/kthread.c:388
>>  ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
>>  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
>>
>> Uninit was created at:
>>  __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
>>  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
>>  alloc_pages mm/mempolicy.c:2204 [inline]
>>  folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
>>  filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
>>  __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
>>  ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
>>  generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
>>  ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
>>  ext4_file_write_iter+0x20f/0x3460
>>  __kernel_write_iter+0x329/0x930 fs/read_write.c:517
>>  dump_emit_page fs/coredump.c:888 [inline]
>>  dump_user_range+0x593/0xcd0 fs/coredump.c:915
>>  elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
>>  do_coredump+0x32c9/0x4920 fs/coredump.c:764
>>  get_signal+0x2185/0x2d10 kernel/signal.c:2890
>>  arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
>>  exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
>>  exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
>>  irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
>>  irqentry_exit+0x16/0x40 kernel/entry/common.c:412
>>  exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
>>  asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
>>
>> Bytes 0-4095 of 4096 are uninitialized
>> Memory access of size 4096 starts at ffff88812c79c000
>>
>> CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
>> Workqueue: kblockd blk_mq_run_work_fn
>> =====================================================
> 


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-02 13:03 ` Michael S. Tsirkin
@ 2024-01-04 20:45   ` Stefan Hajnoczi
  2024-01-24 10:47     ` Alexander Potapenko
  0 siblings, 1 reply; 35+ messages in thread
From: Stefan Hajnoczi @ 2024-01-04 20:45 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: syzbot, jasowang, linux-kernel, syzkaller-bugs, virtualization,
	xuanzhuo, bonzini, Michael S. Tsirkin

[-- Attachment #1: Type: text/plain, Size: 6188 bytes --]

On Tue, Jan 02, 2024 at 08:03:46AM -0500, Michael S. Tsirkin wrote:
> On Mon, Jan 01, 2024 at 05:38:24AM -0800, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> > git tree:       upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> > dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> > 
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com
> > 
> > =====================================================

Hi Alexander,
Please take a look at this KMSAN failure. The uninitialized memory was
created for the purpose of writing a coredump. vring_map_one_sg() should
have direction=DMA_TO_DEVICE.

I can't easily tell whether this is a genuine bug or an issue with
commit 88938359e2df ("virtio: kmsan: check/unpoison scatterlist in
vring_map_one_sg()"). Maybe coredump.c is writing out pages that KMSAN
thinks are uninitialized?

Stefan

> > BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> > BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> > BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
> >  vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
> >  virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
> >  virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
> >  virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
> >  __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
> >  virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
> >  virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
> >  scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
> >  scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
> >  blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
> >  __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
> >  blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
> >  __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
> >  blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
> >  blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
> >  process_one_work kernel/workqueue.c:2627 [inline]
> >  process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
> >  worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
> >  kthread+0x3ed/0x540 kernel/kthread.c:388
> >  ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
> >  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> > 
> > Uninit was created at:
> >  __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
> >  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
> >  alloc_pages mm/mempolicy.c:2204 [inline]
> >  folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
> >  filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
> >  __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
> >  ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
> >  generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
> >  ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
> >  ext4_file_write_iter+0x20f/0x3460
> >  __kernel_write_iter+0x329/0x930 fs/read_write.c:517
> >  dump_emit_page fs/coredump.c:888 [inline]
> >  dump_user_range+0x593/0xcd0 fs/coredump.c:915
> >  elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
> >  do_coredump+0x32c9/0x4920 fs/coredump.c:764
> >  get_signal+0x2185/0x2d10 kernel/signal.c:2890
> >  arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
> >  exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
> >  exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
> >  irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
> >  irqentry_exit+0x16/0x40 kernel/entry/common.c:412
> >  exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
> >  asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
> > 
> > Bytes 0-4095 of 4096 are uninitialized
> > Memory access of size 4096 starts at ffff88812c79c000
> > 
> > CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> > Workqueue: kblockd blk_mq_run_work_fn
> > =====================================================
> > 
> > 
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > 
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > 
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> > 
> > If you want syzbot to run the reproducer, reply with:
> > #syz test: git://repo/address.git branch-or-commit-hash
> > If you attach or paste a git patch, syzbot will apply it before testing.
> > 
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> > 
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> > 
> > If you want to undo deduplication, reply with:
> > #syz undup
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-04 20:45   ` Stefan Hajnoczi
@ 2024-01-24 10:47     ` Alexander Potapenko
  2024-01-24 21:25       ` Stefan Hajnoczi
  0 siblings, 1 reply; 35+ messages in thread
From: Alexander Potapenko @ 2024-01-24 10:47 UTC (permalink / raw)
  To: Stefan Hajnoczi
  Cc: syzbot, jasowang, linux-kernel, syzkaller-bugs, virtualization,
	xuanzhuo, bonzini, Michael S. Tsirkin

On Thu, Jan 4, 2024 at 9:45 PM Stefan Hajnoczi <stefanha@redhat.com> wrote:
>
> On Tue, Jan 02, 2024 at 08:03:46AM -0500, Michael S. Tsirkin wrote:
> > On Mon, Jan 01, 2024 at 05:38:24AM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> > > git tree:       upstream
> > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com
> > >
> > > =====================================================
>
> Hi Alexander,
> Please take a look at this KMSAN failure. The uninitialized memory was
> created for the purpose of writing a coredump. vring_map_one_sg() should
> have direction=DMA_TO_DEVICE.
>
Hi Stefan,

I took a closer look, and am pretty confident this is a false positive.
I tried adding memset(..., 0xab, PAGE_SIZE << order) to alloc_pages()
and never saw
the 0xab pattern in the buffers for which KMSAN reported an error.

This probably isn't an error in 88938359e2df ("virtio: kmsan:
check/unpoison scatterlist in
vring_map_one_sg()"), which by itself should be doing a sane thing:
report an error if an
uninitialized buffer is passed to it. It is more likely that we're
missing some initialization that
happens in coredump.c

Does anyone have an idea where coredump.c is supposed to be
initializing these pages?
Maybe there are some inline assembly functions involved in copying the data?

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-24 10:47     ` Alexander Potapenko
@ 2024-01-24 21:25       ` Stefan Hajnoczi
  0 siblings, 0 replies; 35+ messages in thread
From: Stefan Hajnoczi @ 2024-01-24 21:25 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: syzbot, jasowang, linux-kernel, syzkaller-bugs, virtualization,
	xuanzhuo, bonzini, Michael S. Tsirkin

[-- Attachment #1: Type: text/plain, Size: 2610 bytes --]

On Wed, Jan 24, 2024 at 11:47:32AM +0100, Alexander Potapenko wrote:
> On Thu, Jan 4, 2024 at 9:45 PM Stefan Hajnoczi <stefanha@redhat.com> wrote:
> >
> > On Tue, Jan 02, 2024 at 08:03:46AM -0500, Michael S. Tsirkin wrote:
> > > On Mon, Jan 01, 2024 at 05:38:24AM -0800, syzbot wrote:
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit:    fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
> > > > git tree:       upstream
> > > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e80000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
> > > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e80000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130b0379e80000
> > > >
> > > > Downloadable assets:
> > > > disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
> > > > vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
> > > > kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com
> > > >
> > > > =====================================================
> >
> > Hi Alexander,
> > Please take a look at this KMSAN failure. The uninitialized memory was
> > created for the purpose of writing a coredump. vring_map_one_sg() should
> > have direction=DMA_TO_DEVICE.
> >
> Hi Stefan,
> 
> I took a closer look, and am pretty confident this is a false positive.
> I tried adding memset(..., 0xab, PAGE_SIZE << order) to alloc_pages()
> and never saw
> the 0xab pattern in the buffers for which KMSAN reported an error.
> 
> This probably isn't an error in 88938359e2df ("virtio: kmsan:
> check/unpoison scatterlist in
> vring_map_one_sg()"), which by itself should be doing a sane thing:
> report an error if an
> uninitialized buffer is passed to it. It is more likely that we're
> missing some initialization that
> happens in coredump.c
> 
> Does anyone have an idea where coredump.c is supposed to be
> initializing these pages?
> Maybe there are some inline assembly functions involved in copying the data?

Thanks for your time looking into this!

Stefan

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (2 preceding siblings ...)
  2024-01-02 13:03 ` Michael S. Tsirkin
@ 2024-01-26  0:43 ` Edward Adam Davis
  2024-01-26  1:26   ` [syzbot] [mm] " syzbot
  2024-01-26  1:35 ` [syzbot] [virtualization?] " Edward Adam Davis
                   ` (8 subsequent siblings)
  12 siblings, 1 reply; 35+ messages in thread
From: Edward Adam Davis @ 2024-01-26  0:43 UTC (permalink / raw)
  To: syzbot+d7521c1e3841ed075a42; +Cc: linux-kernel, syzkaller-bugs

please test uninit-value in virtqueue_add (4)

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 9d1bdcdc1331..4ca6627a7459 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
 			    size_t req_size, size_t resp_size)
 {
 	struct scsi_cmnd *sc = cmd->sc;
-	struct scatterlist *sgs[6], req, resp;
+	struct scatterlist *sgs[6], req = {}, resp = {};
 	struct sg_table *out, *in;
 	unsigned out_num = 0, in_num = 0;
 


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-26  0:43 ` Edward Adam Davis
@ 2024-01-26  1:26   ` syzbot
  0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-01-26  1:26 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

.rose_ndevs=16 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=8 kmsan.panic=1 BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[    0.436786][    T0] Unknown kernel command line parameters "page_owner=on spec_store_bypass_disable=prctl watchdog_thresh=55 BOOT_IMAGE=/boot/bzImage", will be passed to user space.
[    0.439567][    T0] random: crng init done
[    0.440342][    T0] Fallback order for Node 0: 0 1 
[    0.440387][    T0] Fallback order for Node 1: 1 0 
[    0.440402][    T0] Built 2 zonelists, mobility grouping on.  Total pages: 2055933
[    0.443831][    T0] Policy zone: Normal
[    0.444788][    T0] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.709507][    T0] stackdepot: allocating hash table via alloc_large_system_hash
[    0.710697][    T0] stackdepot hash table entries: 524288 (order: 11, 8388608 bytes, linear)
[    0.714527][    T0] software IO TLB: area num 2.
[    0.805862][    T0] Memory: 2335784K/8388204K available (227328K kernel code, 9515K rwdata, 14976K rodata, 4256K init, 2096K bss, 1372684K reserved, 0K cma-reserved)
[    0.810734][    T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[    0.811929][    T0] Starting KernelMemorySanitizer
[    0.812611][    T0] ATTENTION: KMSAN is a debugging tool! Do not use it on production machines!
SeaBIOS (version 1.8.2-google)
Total RAM Size = 0x0000000200000000 = 8192 MiB
CPUs found: 2     Max CPUs supported: 2
SeaBIOS (version 1.8.2-google)
Machine UUID ee6e2ee3-62a1-1e1b-9da6-871c6e7e270f
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=4194304 = 2048 MiB
drive 0x000f2870: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304
Sending Seabios boot VM event.
Booting from Hard Disk 0...
[    0.000000][    T0] Linux version 6.8.0-rc1-syzkaller-gecb1b8288dc7-dirty (syzkaller@syzkaller) (Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40) #0 SMP PREEMPT_DYNAMIC now
[    0.000000][    T0] Command line: BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[    0.000000][    T0] KERNEL supported cpus:
[    0.000000][    T0]   Intel GenuineIntel
[    0.000000][    T0]   AMD AuthenticAMD
[    0.000000][    T0] BIOS-provided physical RAM map:
[    0.000000][    T0] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[    0.000000][    T0] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[    0.000000][    T0] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[    0.000000][    T0] BIOS-e820: [mem 0x0000000000100000-0x00000000bfffcfff] usable
[    0.000000][    T0] BIOS-e820: [mem 0x00000000bfffd000-0x00000000bfffffff] reserved
[    0.000000][    T0] BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved
[    0.000000][    T0] BIOS-e820: [mem 0x0000000100000000-0x000000023fffffff] usable
[    0.000000][    T0] printk: legacy bootconsole [earlyser0] enabled
[    0.000000][    T0] ERROR: earlyprintk= earlyser already used
[    0.000000][    T0] ERROR: earlyprintk= earlyser already used
[    0.000000][    T0] **********************************************************
[    0.000000][    T0] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
[    0.000000][    T0] **                                                      **
[    0.000000][    T0] ** This system shows unhashed kernel memory addresses   **
[    0.000000][    T0] ** via the console, logs, and other interfaces. This    **
[    0.000000][    T0] ** might reduce the security of your system.            **
[    0.000000][    T0] **                                                      **
[    0.000000][    T0] ** If you see this message and you are not debugging    **
[    0.000000][    T0] ** the kernel, report this immediately to your system   **
[    0.000000][    T0] ** administrator!                                       **
[    0.000000][    T0] **                                                      **
[    0.000000][    T0] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
[    0.000000][    T0] **********************************************************
[    0.000000][    T0] Malformed early option 'vsyscall'
[    0.000000][    T0] nopcid: PCID feature disabled
[    0.000000][    T0] NX (Execute Disable) protection: active
[    0.000000][    T0] APIC: Static calls initialized
[    0.000000][    T0] SMBIOS 2.4 present.
[    0.000000][    T0] DMI: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[    0.000000][    T0] Hypervisor detected: KVM
[    0.000000][    T0] kvm-clock: Using msrs 4b564d01 and 4b564d00
[    0.000003][    T0] kvm-clock: using sched offset of 5361175763 cycles
[    0.000979][    T0] clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[    0.004869][    T0] tsc: Detected 2200.152 MHz processor
[    0.013186][    T0] last_pfn = 0x240000 max_arch_pfn = 0x400000000
[    0.014422][    T0] MTRR map: 4 entries (3 fixed + 1 variable; max 19), built from 8 variable MTRRs
[    0.016036][    T0] x86/PAT: Configuration [0-7]: WB  WC  UC- UC  WB  WP  UC- WT  
[    0.017511][    T0] last_pfn = 0xbfffd max_arch_pfn = 0x400000000
[    0.025734][    T0] found SMP MP-table at [mem 0x000f2b30-0x000f2b3f]
[    0.027084][    T0] Using GB pages for direct mapping
[    0.031479][    T0] ACPI: Early table checksum verification disabled
[    0.032936][    T0] ACPI: RSDP 0x00000000000F28B0 000014 (v00 Google)
[    0.034280][    T0] ACPI: RSDT 0x00000000BFFFFFA0 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001)
[    0.036044][    T0] ACPI: FACP 0x00000000BFFFF330 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001)
[    0.037902][    T0] ACPI: DSDT 0x00000000BFFFD8C0 001A64 (v01 Google GOOGDSDT 00000001 GOOG 00000001)
[    0.040136][    T0] ACPI: FACS 0x00000000BFFFD880 000040
[    0.041374][    T0] ACPI: FACS 0x00000000BFFFD880 000040
[    0.042421][    T0] ACPI: SRAT 0x00000000BFFFFE60 0000C8 (v03 Google GOOGSRAT 00000001 GOOG 00000001)
[    0.044426][    T0] ACPI: APIC 0x00000000BFFFFDB0 000076 (v05 Google GOOGAPIC 00000001 GOOG 00000001)
[    0.046543][    T0] ACPI: SSDT 0x00000000BFFFF430 000980 (v01 Google GOOGSSDT 00000001 GOOG 00000001)
[    0.048530][    T0] ACPI: WAET 0x00000000BFFFFE30 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001)
[    0.050596][    T0] ACPI: Reserving FACP table memory at [mem 0xbffff330-0xbffff423]
[    0.051916][    T0] ACPI: Reserving DSDT table memory at [mem 0xbfffd8c0-0xbffff323]
[    0.053117][    T0] ACPI: Reserving FACS table memory at [mem 0xbfffd880-0xbfffd8bf]
[    0.054371][    T0] ACPI: Reserving FACS table memory at [mem 0xbfffd880-0xbfffd8bf]
[    0.055840][    T0] ACPI: Reserving SRAT table memory at [mem 0xbffffe60-0xbfffff27]
[    0.058109][    T0] ACPI: Reserving APIC table memory at [mem 0xbffffdb0-0xbffffe25]
[    0.059864][    T0] ACPI: Reserving SSDT table memory at [mem 0xbffff430-0xbffffdaf]
[    0.061666][    T0] ACPI: Reserving WAET table memory at [mem 0xbffffe30-0xbffffe57]
[    0.063198][    T0] SRAT: PXM 0 -> APIC 0x00 -> Node 0
[    0.064065][    T0] SRAT: PXM 0 -> APIC 0x01 -> Node 0
[    0.064984][    T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00000000-0x0009ffff]
[    0.066942][    T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00100000-0xbfffffff]
[    0.068354][    T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0x23fffffff]
[    0.069621][    T0] NUMA: Node 0 [mem 0x00000000-0x0009ffff] + [mem 0x00100000-0xbfffffff] -> [mem 0x00000000-0xbfffffff]
[    0.071997][    T0] NUMA: Node 0 [mem 0x00000000-0xbfffffff] + [mem 0x100000000-0x23fffffff] -> [mem 0x00000000-0x23fffffff]
[    0.075579][    T0] Faking node 0 at [mem 0x0000000000000000-0x000000013fffffff] (5120MB)
[    0.077333][    T0] Faking node 1 at [mem 0x0000000140000000-0x000000023fffffff] (4096MB)
[    0.079984][    T0] NODE_DATA(0) allocated [mem 0x13fffa000-0x13fffffff]
[    0.082677][    T0] NODE_DATA(1) allocated [mem 0x23fff7000-0x23fffcfff]
[    0.104743][    T0] Zone ranges:
[    0.105603][    T0]   DMA      [mem 0x0000000000001000-0x0000000000ffffff]
[    0.107187][    T0]   DMA32    [mem 0x0000000001000000-0x00000000ffffffff]
[    0.109218][    T0]   Normal   [mem 0x0000000100000000-0x000000023fffffff]
[    0.110726][    T0]   Device   empty
[    0.111630][    T0] Movable zone start for each node
[    0.113093][    T0] Early memory node ranges
[    0.113926][    T0]   node   0: [mem 0x0000000000001000-0x000000000009efff]
[    0.115166][    T0]   node   0: [mem 0x0000000000100000-0x00000000bfffcfff]
[    0.116887][    T0]   node   0: [mem 0x0000000100000000-0x000000013fffffff]
[    0.117924][    T0]   node   1: [mem 0x0000000140000000-0x000000023fffffff]
[    0.119129][    T0] Initmem setup node 0 [mem 0x0000000000001000-0x000000013fffffff]
[    0.120252][    T0] Initmem setup node 1 [mem 0x0000000140000000-0x000000023fffffff]
[    0.122345][    T0] On node 0, zone DMA: 1 pages in unavailable ranges
[    0.123755][    T0] On node 0, zone DMA: 97 pages in unavailable ranges
[    0.244127][    T0] On node 0, zone Normal: 3 pages in unavailable ranges
[    0.365187][    T0] ACPI: PM-Timer IO Port: 0xb008
[    0.366213][    T0] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[    0.367294][    T0] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
[    0.369026][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[    0.370283][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[    0.371435][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[    0.372688][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[    0.373776][    T0] ACPI: Using ACPI (MADT) for SMP configuration information
[    0.374745][    T0] smpboot: Allowing 2 CPUs, 0 hotplug CPUs
[    0.375648][    T0] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[    0.378087][    T0] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x0009ffff]
[    0.379781][    T0] PM: hibernation: Registered nosave memory: [mem 0x000a0000-0x000effff]
[    0.381429][    T0] PM: hibernation: Registered nosave memory: [mem 0x000f0000-0x000fffff]
[    0.383062][    T0] PM: hibernation: Registered nosave memory: [mem 0xbfffd000-0xbfffffff]
[    0.384796][    T0] PM: hibernation: Registered nosave memory: [mem 0xc0000000-0xfffbbfff]
[    0.386969][    T0] PM: hibernation: Registered nosave memory: [mem 0xfffbc000-0xffffffff]
[    0.389189][    T0] [mem 0xc0000000-0xfffbbfff] available for PCI devices
[    0.390657][    T0] Booting paravirtualized kernel on KVM
[    0.392046][    T0] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.395073][    T0] setup_percpu: NR_CPUS:8 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:2
[    0.398586][    T0] percpu: Embedded 176 pages/cpu s683016 r8192 d29688 u1048576
[    0.400406][    T0] Kernel command line: earlyprintk=serial net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 binder.debug_mask=0 rcupdate.rcu_expedited=1 rcupdate.rcu_cpu_stall_cputime=1 no_hash_pointers page_owner=on sysctl.vm.nr_hugepages=4 sysctl.vm.nr_overcommit_hugepages=4 secretmem.enable=1 sysctl.max_rcu_stall_to_panic=1 msr.allow_writes=off coredump_filter=0xffff root=/dev/sda console=ttyS0 vsyscall=native numa=fake=2 kvm-intel.nested=1 spec_store_bypass_disable=prctl nopcid vivid.n_devs=16 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=16 rose.rose_ndevs=16 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=8 kmsan.panic=1 BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[    0.424272][    T0] Unknown kernel command line parameters "page_owner=on spec_store_bypass_disable=prctl watchdog_thresh=55 BOOT_IMAGE=/boot/bzImage", will be passed to user space.
[    0.428208][    T0] random: crng init done
[    0.429106][    T0] Fallback order for Node 0: 0 1 
[    0.429151][    T0] Fallback order for Node 1: 1 0 
[    0.429165][    T0] Built 2 zonelists, mobility grouping on.  Total pages: 2055933
[    0.432106][    T0] Policy zone: Normal
[    0.432815][    T0] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.697820][    T0] stackdepot: allocating hash table via alloc_large_system_hash
[    0.699706][    T0] stackdepot hash table entries: 524288 (order: 11, 8388608 bytes, linear)
[    0.703815][    T0] software IO TLB: area num 2.
[    0.793637][    T0] Memory: 2335784K/8388204K available (227328K kernel code, 9515K rwdata, 14976K rodata, 4256K init, 2096K bss, 1372684K reserved, 0K cma-reserved)
[    0.798348][    T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[    0.799788][    T0] Starting KernelMemorySanitizer
[    0.800749][    T0] ATTENTION: KMSAN is a debugging tool! Do not use it on production machines!


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build948879897=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 9bd8dcda8
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9bd8dcda8c7c494d59bd3132a668f4784ea835c6\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1565fca7e80000


Tested on:

commit:         ecb1b828 Merge tag 'net-6.8-rc2' of git://git.kernel.o..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config:  https://syzkaller.appspot.com/x/.config?x=2a91fdc4fbf06a67
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1098fe5fe80000


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (3 preceding siblings ...)
  2024-01-26  0:43 ` Edward Adam Davis
@ 2024-01-26  1:35 ` Edward Adam Davis
  2024-01-26  1:43   ` [syzbot] [mm] " syzbot
  2024-01-26 10:19   ` [syzbot] [virtualization?] " Alexander Potapenko
  2024-01-26  6:57 ` Edward Adam Davis
                   ` (7 subsequent siblings)
  12 siblings, 2 replies; 35+ messages in thread
From: Edward Adam Davis @ 2024-01-26  1:35 UTC (permalink / raw)
  To: syzbot+d7521c1e3841ed075a42; +Cc: linux-kernel, syzkaller-bugs

please test uninit-value in virtqueue_add (4)

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 9d1bdcdc1331..4ca6627a7459 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
 			    size_t req_size, size_t resp_size)
 {
 	struct scsi_cmnd *sc = cmd->sc;
-	struct scatterlist *sgs[6], req, resp;
+	struct scatterlist *sgs[6], req = {}, resp = {};
 	struct sg_table *out, *in;
 	unsigned out_num = 0, in_num = 0;
 


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-26  1:35 ` [syzbot] [virtualization?] " Edward Adam Davis
@ 2024-01-26  1:43   ` syzbot
  2024-01-26 10:19   ` [syzbot] [virtualization?] " Alexander Potapenko
  1 sibling, 0 replies; 35+ messages in thread
From: syzbot @ 2024-01-26  1:43 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git on commit fbafc3e621c3: failed to run ["git" "fetch" "--force" "--tags" "4d52a57a3858a6eee0d0b25cc3a0c9533f747d8f" "fbafc3e621c3"]: exit status 128
fatal: couldn't find remote ref fbafc3e621c3



Tested on:

commit:         [unknown 
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3
kernel config:  https://syzkaller.appspot.com/x/.config?x=656820e61b758b15
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=132ce437e80000


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (4 preceding siblings ...)
  2024-01-26  1:35 ` [syzbot] [virtualization?] " Edward Adam Davis
@ 2024-01-26  6:57 ` Edward Adam Davis
  2024-01-26  7:34   ` [syzbot] [mm] " syzbot
  2024-02-24  5:53 ` [syzbot] [virtualization?] " Tetsuo Handa
                   ` (6 subsequent siblings)
  12 siblings, 1 reply; 35+ messages in thread
From: Edward Adam Davis @ 2024-01-26  6:57 UTC (permalink / raw)
  To: syzbot+d7521c1e3841ed075a42; +Cc: linux-kernel, syzkaller-bugs

please test uninit-value in virtqueue_add (4)

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 9d1bdcdc1331..4ca6627a7459 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
 			    size_t req_size, size_t resp_size)
 {
 	struct scsi_cmnd *sc = cmd->sc;
-	struct scatterlist *sgs[6], req, resp;
+	struct scatterlist *sgs[6], req = {}, resp = {};
 	struct sg_table *out, *in;
 	unsigned out_num = 0, in_num = 0;
 


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-26  6:57 ` Edward Adam Davis
@ 2024-01-26  7:34   ` syzbot
  0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-01-26  7:34 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

r for Node 0: 0 1 
[    0.419258][    T0] Fallback order for Node 1: 1 0 
[    0.419274][    T0] Built 2 zonelists, mobility grouping on.  Total pages: 2055933
[    0.422796][    T0] Policy zone: Normal
[    0.423582][    T0] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.686873][    T0] stackdepot: allocating hash table via alloc_large_system_hash
[    0.688786][    T0] stackdepot hash table entries: 524288 (order: 11, 8388608 bytes, linear)
[    0.692810][    T0] software IO TLB: area num 2.
[    0.783779][    T0] Memory: 2335784K/8388204K available (227328K kernel code, 9515K rwdata, 14976K rodata, 4256K init, 2096K bss, 1372684K reserved, 0K cma-reserved)
[    0.788226][    T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[    0.790343][    T0] Starting KernelMemorySanitizer
[    0.791103][    T0] ATTENTION: KMSAN is a debugging tool! Do not use it on production machines!
SeaBIOS (version 1.8.2-google)
Total RAM Size = 0x0000000200000000 = 8192 MiB
CPUs found: 2     Max CPUs supported: 2
SeaBIOS (version 1.8.2-google)
Machine UUID c5e8ef89-17a7-409e-eaf1-2344b557078b
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=4194304 = 2048 MiB
drive 0x000f2870: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304
Sending Seabios boot VM event.
Booting from Hard Disk 0...
[    0.000000][    T0] Linux version 6.8.0-rc1-syzkaller-00169-gecb1b8288dc7-dirty (syzkaller@syzkaller) (Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40) #0 SMP PREEMPT_DYNAMIC now
[    0.000000][    T0] Command line: BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[    0.000000][    T0] KERNEL supported cpus:
[    0.000000][    T0]   Intel GenuineIntel
[    0.000000][    T0]   AMD AuthenticAMD
[    0.000000][    T0] BIOS-provided physical RAM map:
[    0.000000][    T0] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[    0.000000][    T0] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[    0.000000][    T0] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[    0.000000][    T0] BIOS-e820: [mem 0x0000000000100000-0x00000000bfffcfff] usable
[    0.000000][    T0] BIOS-e820: [mem 0x00000000bfffd000-0x00000000bfffffff] reserved
[    0.000000][    T0] BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved
[    0.000000][    T0] BIOS-e820: [mem 0x0000000100000000-0x000000023fffffff] usable
[    0.000000][    T0] printk: legacy bootconsole [earlyser0] enabled
[    0.000000][    T0] ERROR: earlyprintk= earlyser already used
[    0.000000][    T0] ERROR: earlyprintk= earlyser already used
[    0.000000][    T0] **********************************************************
[    0.000000][    T0] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
[    0.000000][    T0] **                                                      **
[    0.000000][    T0] ** This system shows unhashed kernel memory addresses   **
[    0.000000][    T0] ** via the console, logs, and other interfaces. This    **
[    0.000000][    T0] ** might reduce the security of your system.            **
[    0.000000][    T0] **                                                      **
[    0.000000][    T0] ** If you see this message and you are not debugging    **
[    0.000000][    T0] ** the kernel, report this immediately to your system   **
[    0.000000][    T0] ** administrator!                                       **
[    0.000000][    T0] **                                                      **
[    0.000000][    T0] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
[    0.000000][    T0] **********************************************************
[    0.000000][    T0] Malformed early option 'vsyscall'
[    0.000000][    T0] nopcid: PCID feature disabled
[    0.000000][    T0] NX (Execute Disable) protection: active
[    0.000000][    T0] APIC: Static calls initialized
[    0.000000][    T0] SMBIOS 2.4 present.
[    0.000000][    T0] DMI: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[    0.000000][    T0] Hypervisor detected: KVM
[    0.000000][    T0] kvm-clock: Using msrs 4b564d01 and 4b564d00
[    0.000003][    T0] kvm-clock: using sched offset of 5153303706 cycles
[    0.001086][    T0] clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[    0.003954][    T0] tsc: Detected 2200.216 MHz processor
[    0.012544][    T0] last_pfn = 0x240000 max_arch_pfn = 0x400000000
[    0.013618][    T0] MTRR map: 4 entries (3 fixed + 1 variable; max 19), built from 8 variable MTRRs
[    0.015300][    T0] x86/PAT: Configuration [0-7]: WB  WC  UC- UC  WB  WP  UC- WT  
[    0.017481][    T0] last_pfn = 0xbfffd max_arch_pfn = 0x400000000
[    0.027560][    T0] found SMP MP-table at [mem 0x000f2b30-0x000f2b3f]
[    0.028659][    T0] Using GB pages for direct mapping
[    0.033219][    T0] ACPI: Early table checksum verification disabled
[    0.034618][    T0] ACPI: RSDP 0x00000000000F28B0 000014 (v00 Google)
[    0.035659][    T0] ACPI: RSDT 0x00000000BFFFFFA0 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001)
[    0.037398][    T0] ACPI: FACP 0x00000000BFFFF330 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001)
[    0.039003][    T0] ACPI: DSDT 0x00000000BFFFD8C0 001A64 (v01 Google GOOGDSDT 00000001 GOOG 00000001)
[    0.040359][    T0] ACPI: FACS 0x00000000BFFFD880 000040
[    0.041097][    T0] ACPI: FACS 0x00000000BFFFD880 000040
[    0.041980][    T0] ACPI: SRAT 0x00000000BFFFFE60 0000C8 (v03 Google GOOGSRAT 00000001 GOOG 00000001)
[    0.043346][    T0] ACPI: APIC 0x00000000BFFFFDB0 000076 (v05 Google GOOGAPIC 00000001 GOOG 00000001)
[    0.044582][    T0] ACPI: SSDT 0x00000000BFFFF430 000980 (v01 Google GOOGSSDT 00000001 GOOG 00000001)
[    0.045985][    T0] ACPI: WAET 0x00000000BFFFFE30 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001)
[    0.047351][    T0] ACPI: Reserving FACP table memory at [mem 0xbffff330-0xbffff423]
[    0.048937][    T0] ACPI: Reserving DSDT table memory at [mem 0xbfffd8c0-0xbffff323]
[    0.050561][    T0] ACPI: Reserving FACS table memory at [mem 0xbfffd880-0xbfffd8bf]
[    0.052024][    T0] ACPI: Reserving FACS table memory at [mem 0xbfffd880-0xbfffd8bf]
[    0.054095][    T0] ACPI: Reserving SRAT table memory at [mem 0xbffffe60-0xbfffff27]
[    0.055778][    T0] ACPI: Reserving APIC table memory at [mem 0xbffffdb0-0xbffffe25]
[    0.057487][    T0] ACPI: Reserving SSDT table memory at [mem 0xbffff430-0xbffffdaf]
[    0.058984][    T0] ACPI: Reserving WAET table memory at [mem 0xbffffe30-0xbffffe57]
[    0.060489][    T0] SRAT: PXM 0 -> APIC 0x00 -> Node 0
[    0.061266][    T0] SRAT: PXM 0 -> APIC 0x01 -> Node 0
[    0.062785][    T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00000000-0x0009ffff]
[    0.063922][    T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00100000-0xbfffffff]
[    0.064925][    T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0x23fffffff]
[    0.066998][    T0] NUMA: Node 0 [mem 0x00000000-0x0009ffff] + [mem 0x00100000-0xbfffffff] -> [mem 0x00000000-0xbfffffff]
[    0.069122][    T0] NUMA: Node 0 [mem 0x00000000-0xbfffffff] + [mem 0x100000000-0x23fffffff] -> [mem 0x00000000-0x23fffffff]
[    0.072308][    T0] Faking node 0 at [mem 0x0000000000000000-0x000000013fffffff] (5120MB)
[    0.073610][    T0] Faking node 1 at [mem 0x0000000140000000-0x000000023fffffff] (4096MB)
[    0.075523][    T0] NODE_DATA(0) allocated [mem 0x13fffa000-0x13fffffff]
[    0.077223][    T0] NODE_DATA(1) allocated [mem 0x23fff7000-0x23fffcfff]
[    0.099389][    T0] Zone ranges:
[    0.100124][    T0]   DMA      [mem 0x0000000000001000-0x0000000000ffffff]
[    0.101317][    T0]   DMA32    [mem 0x0000000001000000-0x00000000ffffffff]
[    0.102407][    T0]   Normal   [mem 0x0000000100000000-0x000000023fffffff]
[    0.103767][    T0]   Device   empty
[    0.104523][    T0] Movable zone start for each node
[    0.105484][    T0] Early memory node ranges
[    0.106357][    T0]   node   0: [mem 0x0000000000001000-0x000000000009efff]
[    0.108165][    T0]   node   0: [mem 0x0000000000100000-0x00000000bfffcfff]
[    0.109573][    T0]   node   0: [mem 0x0000000100000000-0x000000013fffffff]
[    0.111909][    T0]   node   1: [mem 0x0000000140000000-0x000000023fffffff]
[    0.113415][    T0] Initmem setup node 0 [mem 0x0000000000001000-0x000000013fffffff]
[    0.114895][    T0] Initmem setup node 1 [mem 0x0000000140000000-0x000000023fffffff]
[    0.117326][    T0] On node 0, zone DMA: 1 pages in unavailable ranges
[    0.119218][    T0] On node 0, zone DMA: 97 pages in unavailable ranges
[    0.237797][    T0] On node 0, zone Normal: 3 pages in unavailable ranges
[    0.358350][    T0] ACPI: PM-Timer IO Port: 0xb008
[    0.359640][    T0] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[    0.361094][    T0] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
[    0.362910][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[    0.364846][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[    0.367290][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[    0.368838][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[    0.370212][    T0] ACPI: Using ACPI (MADT) for SMP configuration information
[    0.372153][    T0] smpboot: Allowing 2 CPUs, 0 hotplug CPUs
[    0.373444][    T0] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[    0.375100][    T0] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x0009ffff]
[    0.376564][    T0] PM: hibernation: Registered nosave memory: [mem 0x000a0000-0x000effff]
[    0.378142][    T0] PM: hibernation: Registered nosave memory: [mem 0x000f0000-0x000fffff]
[    0.380236][    T0] PM: hibernation: Registered nosave memory: [mem 0xbfffd000-0xbfffffff]
[    0.382549][    T0] PM: hibernation: Registered nosave memory: [mem 0xc0000000-0xfffbbfff]
[    0.384533][    T0] PM: hibernation: Registered nosave memory: [mem 0xfffbc000-0xffffffff]
[    0.385732][    T0] [mem 0xc0000000-0xfffbbfff] available for PCI devices
[    0.387502][    T0] Booting paravirtualized kernel on KVM
[    0.388557][    T0] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.390578][    T0] setup_percpu: NR_CPUS:8 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:2
[    0.392588][    T0] percpu: Embedded 176 pages/cpu s683016 r8192 d29688 u1048576
[    0.394942][    T0] Kernel command line: earlyprintk=serial net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 binder.debug_mask=0 rcupdate.rcu_expedited=1 rcupdate.rcu_cpu_stall_cputime=1 no_hash_pointers page_owner=on sysctl.vm.nr_hugepages=4 sysctl.vm.nr_overcommit_hugepages=4 secretmem.enable=1 sysctl.max_rcu_stall_to_panic=1 msr.allow_writes=off coredump_filter=0xffff root=/dev/sda console=ttyS0 vsyscall=native numa=fake=2 kvm-intel.nested=1 spec_store_bypass_disable=prctl nopcid vivid.n_devs=16 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=16 rose.rose_ndevs=16 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=8 kmsan.panic=1 BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[    0.416529][    T0] Unknown kernel command line parameters "page_owner=on spec_store_bypass_disable=prctl watchdog_thresh=55 BOOT_IMAGE=/boot/bzImage", will be passed to user space.
[    0.419786][    T0] random: crng init done
[    0.421090][    T0] Fallback order for Node 0: 0 1 
[    0.421153][    T0] Fallback order for Node 1: 1 0 
[    0.421168][    T0] Built 2 zonelists, mobility grouping on.  Total pages: 2055933
[    0.424825][    T0] Policy zone: Normal
[    0.425621][    T0] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.689246][    T0] stackdepot: allocating hash table via alloc_large_system_hash
[    0.691218][    T0] stackdepot hash table entries: 524288 (order: 11, 8388608 bytes, linear)
[    0.695780][    T0] software IO TLB: area num 2.
[    0.785270][    T0] Memory: 2335784K/8388204K available (227328K kernel code, 9515K rwdata, 14976K rodata, 4256K init, 2096K bss, 1372684K reserved, 0K cma-reserved)
[    0.789410][    T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[    0.790971][    T0] Starting KernelMemorySanitizer
[    0.791892][    T0] ATTENTION: KMSAN is a debugging tool! Do not use it on production machines!
SeaBIOS (version 1.8.2-google)
Total RAM Size = 0x0000000200000000 = 8192 MiB
CPUs found: 2     Max CPUs supported: 2
SeaBIOS (version 1.8.2-google)
Machine UUID c5e8ef89-17a7-409e-eaf1-2344b557078b
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=4194304 = 2048 MiB
drive 0x000f2870: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304
Sending Seabios boot VM event.
Booting from Hard Disk 0...


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2898975123=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 9bd8dcda8
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9bd8dcda8c7c494d59bd3132a668f4784ea835c6\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14081aa7e80000


Tested on:

commit:         ecb1b828 Merge tag 'net-6.8-rc2' of git://git.kernel.o..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config:  https://syzkaller.appspot.com/x/.config?x=2a91fdc4fbf06a67
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1294655fe80000


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-26  1:35 ` [syzbot] [virtualization?] " Edward Adam Davis
  2024-01-26  1:43   ` [syzbot] [mm] " syzbot
@ 2024-01-26 10:19   ` Alexander Potapenko
  1 sibling, 0 replies; 35+ messages in thread
From: Alexander Potapenko @ 2024-01-26 10:19 UTC (permalink / raw)
  To: Edward Adam Davis
  Cc: syzbot+d7521c1e3841ed075a42, linux-kernel, syzkaller-bugs

On Fri, Jan 26, 2024 at 2:36 AM 'Edward Adam Davis' via syzkaller-bugs
<syzkaller-bugs@googlegroups.com> wrote:
>
> please test uninit-value in virtqueue_add (4)

Hi Edward,

KMSAN is currently broken at trunk, see
https://lore.kernel.org/linux-mm/20240115184430.2710652-1-glider@google.com/
Therefore syzbot is unable to test patches before a couple of changes
reach upstream.

I checked your patch, and it is still triggering the same bug, which
is expected, because there are whole uninitialized pages, and the
patch below only initializes two instances of struct scatterlist that
are unlikely to be cloned to fill those pages.
There must be some non-instrumented code that fills those pages with
data, e.g. a DMA write, an assembly routine or some VM-to-kernel
interaction that KMSAN fails to handle.

>
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3
>
> diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
> index 9d1bdcdc1331..4ca6627a7459 100644
> --- a/drivers/scsi/virtio_scsi.c
> +++ b/drivers/scsi/virtio_scsi.c
> @@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
>                             size_t req_size, size_t resp_size)
>  {
>         struct scsi_cmnd *sc = cmd->sc;
> -       struct scatterlist *sgs[6], req, resp;
> +       struct scatterlist *sgs[6], req = {}, resp = {};
>         struct sg_table *out, *in;
>         unsigned out_num = 0, in_num = 0;

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-02  7:38 ` Tetsuo Handa
  2024-01-03  9:59   ` Tetsuo Handa
@ 2024-02-21 11:04   ` Tetsuo Handa
  1 sibling, 0 replies; 35+ messages in thread
From: Tetsuo Handa @ 2024-02-21 11:04 UTC (permalink / raw)
  To: kasan-dev, syzbot, syzkaller-bugs, Alexander Potapenko; +Cc: linux-mm

I tried to reproduce this problem in my environment, and I found that
just consuming almost all memory trivially generates below one.
This might be the same cause?

$ ./scripts/faddr2line vmlinux free_unref_page_prepare+0x130/0xfc0
free_unref_page_prepare+0x130/0xfc0:
arch_static_branch_jump at arch/x86/include/asm/jump_label.h:55
(inlined by) memcg_kmem_online at include/linux/memcontrol.h:1840
(inlined by) free_pages_prepare at mm/page_alloc.c:1096
(inlined by) free_unref_page_prepare at mm/page_alloc.c:2346

----------------------------------------
[    0.000000][    T0] Linux version 6.8.0-rc5 (root@ubuntu) (Ubuntu clang version 14.0.0-1ubuntu1.1, Ubuntu LLD 14.0.0) #1089 SMP PREEMPT_DYNAMIC Tue Feb 20 22:50:10 UTC 2024
[   76.193709][ T2962] =====================================================
[   76.221751][ T2962] BUG: KMSAN: use-after-free in obj_malloc+0x6cc/0x7b0
[   76.229392][ T2962]  obj_malloc+0x6cc/0x7b0
[   76.234874][ T2962]  zs_malloc+0xdbd/0x1400
[   76.239897][ T2962]  zs_zpool_malloc+0xa5/0x1b0
[   76.248589][ T2962]  zpool_malloc+0x110/0x150
[   76.261388][ T2962]  zswap_store+0x2bbb/0x3d30
[   76.286128][ T2962]  swap_writepage+0x15b/0x4f0
[   76.305337][ T2962]  pageout+0x41d/0xef0
[   76.329597][ T2962]  shrink_folio_list+0x4d7a/0x7480
[   76.352303][ T2962]  evict_folios+0x30f1/0x5170
[   76.375539][ T2962]  try_to_shrink_lruvec+0x983/0xd20
[   76.397057][ T2962]  shrink_one+0x72d/0xeb0
[   76.405789][ T2962]  shrink_many+0x70d/0x10b0
[   76.413973][ T2962]  lru_gen_shrink_node+0x577/0x850
[   76.424001][ T2962]  shrink_node+0x13d/0x1de0
[   76.432440][ T2962]  shrink_zones+0x878/0x14a0
[   76.441432][ T2962]  do_try_to_free_pages+0x2ac/0x16a0
[   76.453092][ T2962]  try_to_free_pages+0xd9e/0x1910
[   76.469480][ T2962]  __alloc_pages_slowpath+0x147a/0x2bd0
[   76.494976][ T2962]  __alloc_pages+0xb8c/0x1050
[   76.521081][ T2962]  alloc_pages_mpol+0x8e0/0xc80
[   76.544806][ T2962]  alloc_pages+0x224/0x240
[   76.558044][ T2962]  pipe_write+0xabe/0x2ba0
[   76.582897][ T2962]  vfs_write+0xfb0/0x1b80
[   76.604669][ T2962]  ksys_write+0x275/0x500
[   76.613269][ T2962]  __x64_sys_write+0xdf/0x120
[   76.622218][ T2962]  do_syscall_64+0xd1/0x1b0
[   76.629765][ T2962]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   76.638984][ T2962] 
[   76.645171][ T2962] Uninit was stored to memory at:
[   76.653234][ T2962]  obj_malloc+0x70a/0x7b0
[   76.660989][ T2962]  zs_malloc+0xdbd/0x1400
[   76.667451][ T2962]  zs_zpool_malloc+0xa5/0x1b0
[   76.674667][ T2962]  zpool_malloc+0x110/0x150
[   76.682273][ T2962]  zswap_store+0x2bbb/0x3d30
[   76.688772][ T2962]  swap_writepage+0x15b/0x4f0
[   76.695427][ T2962]  pageout+0x41d/0xef0
[   76.701864][ T2962]  shrink_folio_list+0x4d7a/0x7480
[   76.708623][ T2962]  evict_folios+0x30f1/0x5170
[   76.715962][ T2962]  try_to_shrink_lruvec+0x983/0xd20
[   76.723092][ T2962]  shrink_one+0x72d/0xeb0
[   76.730491][ T2962]  shrink_many+0x70d/0x10b0
[   76.736930][ T2962]  lru_gen_shrink_node+0x577/0x850
[   76.743338][ T2962]  shrink_node+0x13d/0x1de0
[   76.749527][ T2962]  shrink_zones+0x878/0x14a0
[   76.757753][ T2962]  do_try_to_free_pages+0x2ac/0x16a0
[   76.784738][ T2962]  try_to_free_pages+0xd9e/0x1910
[   76.794060][ T2962]  __alloc_pages_slowpath+0x147a/0x2bd0
[   76.809193][ T2962]  __alloc_pages+0xb8c/0x1050
[   76.819106][ T2962]  alloc_pages_mpol+0x8e0/0xc80
[   76.825845][ T2962]  alloc_pages+0x224/0x240
[   76.833084][ T2962]  pipe_write+0xabe/0x2ba0
[   76.839441][ T2962]  vfs_write+0xfb0/0x1b80
[   76.846688][ T2962]  ksys_write+0x275/0x500
[   76.861721][ T2962]  __x64_sys_write+0xdf/0x120
[   76.887481][ T2962]  do_syscall_64+0xd1/0x1b0
[   76.912683][ T2962]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   76.941992][ T2962] 
[   76.960534][ T2962] Uninit was created at:
[   76.967351][ T2962]  free_unref_page_prepare+0x130/0xfc0
[   76.974685][ T2962]  free_unref_page_list+0x139/0x1050
[   76.980910][ T2962]  shrink_folio_list+0x7139/0x7480
[   76.987899][ T2962]  evict_folios+0x30f1/0x5170
[   76.994206][ T2962]  try_to_shrink_lruvec+0x983/0xd20
[   77.000665][ T2962]  shrink_one+0x72d/0xeb0
[   77.007039][ T2962]  shrink_many+0x70d/0x10b0
[   77.013652][ T2962]  lru_gen_shrink_node+0x577/0x850
[   77.024303][ T2962]  shrink_node+0x13d/0x1de0
[   77.050110][ T2962]  shrink_zones+0x878/0x14a0
[   77.075727][ T2962]  do_try_to_free_pages+0x2ac/0x16a0
[   77.100888][ T2962]  try_to_free_pages+0xd9e/0x1910
[   77.106076][ T2962]  __alloc_pages_slowpath+0x147a/0x2bd0
[   77.111944][ T2962]  __alloc_pages+0xb8c/0x1050
[   77.117585][ T2962]  alloc_pages_mpol+0x8e0/0xc80
[   77.124268][ T2962]  alloc_pages+0x224/0x240
[   77.130464][ T2962]  pipe_write+0xabe/0x2ba0
[   77.136968][ T2962]  vfs_write+0xfb0/0x1b80
[   77.143088][ T2962]  ksys_write+0x275/0x500
[   77.168816][ T2962]  __x64_sys_write+0xdf/0x120
[   77.193213][ T2962]  do_syscall_64+0xd1/0x1b0
[   77.217003][ T2962]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   77.245384][ T2962] 
[   77.271236][ T2962] CPU: 2 PID: 2962 Comm: a.out Not tainted 6.8.0-rc5 #1089
[   77.287165][ T2962] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   77.300986][ T2962] =====================================================
[   77.309323][ T2962] Disabling lock debugging due to kernel taint
[   77.317501][ T2962] Kernel panic - not syncing: kmsan.panic set ...
[   77.328533][ T2962] CPU: 2 PID: 2962 Comm: a.out Tainted: G    B              6.8.0-rc5 #1089
[   77.384024][ T2962] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   77.432726][ T2962] Call Trace:
[   77.454709][ T2962]  <TASK>
[   77.480712][ T2962]  dump_stack_lvl+0x1f6/0x280
[   77.510291][ T2962]  dump_stack+0x29/0x30
[   77.538912][ T2962]  panic+0x4ed/0xc90
[   77.565356][ T2962]  kmsan_report+0x2d1/0x2e0
[   77.593241][ T2962]  ? kmsan_internal_poison_memory+0x49/0x90
[   77.625512][ T2962]  ? kmsan_internal_poison_memory+0x7d/0x90
[   77.653002][ T2962]  ? __msan_warning+0x98/0x120
[   77.662635][ T2962]  ? obj_malloc+0x6cc/0x7b0
[   77.669636][ T2962]  ? zs_malloc+0xdbd/0x1400
[   77.677036][ T2962]  ? zs_zpool_malloc+0xa5/0x1b0
[   77.693619][ T2962]  ? zpool_malloc+0x110/0x150
[   77.724160][ T2962]  ? zswap_store+0x2bbb/0x3d30
[   77.736985][ T2962]  ? swap_writepage+0x15b/0x4f0
[   77.744190][ T2962]  ? pageout+0x41d/0xef0
[   77.750941][ T2962]  ? shrink_folio_list+0x4d7a/0x7480
[   77.758465][ T2962]  ? evict_folios+0x30f1/0x5170
[   77.768334][ T2962]  ? try_to_shrink_lruvec+0x983/0xd20
[   77.789768][ T2962]  ? shrink_one+0x72d/0xeb0
[   77.803770][ T2962]  ? shrink_many+0x70d/0x10b0
[   77.823518][ T2962]  ? lru_gen_shrink_node+0x577/0x850
[   77.831064][ T2962]  ? shrink_node+0x13d/0x1de0
[   77.838508][ T2962]  ? shrink_zones+0x878/0x14a0
[   77.853087][ T2962]  ? do_try_to_free_pages+0x2ac/0x16a0
[   77.870947][ T2962]  ? try_to_free_pages+0xd9e/0x1910
[   77.898331][ T2962]  ? __alloc_pages_slowpath+0x147a/0x2bd0
[   77.927623][ T2962]  ? __alloc_pages+0xb8c/0x1050
[   77.954001][ T2962]  ? alloc_pages_mpol+0x8e0/0xc80
[   77.977357][ T2962]  ? alloc_pages+0x224/0x240
[   77.999681][ T2962]  ? pipe_write+0xabe/0x2ba0
[   78.014454][ T2962]  ? vfs_write+0xfb0/0x1b80
[   78.023741][ T2962]  ? ksys_write+0x275/0x500
[   78.031807][ T2962]  ? __x64_sys_write+0xdf/0x120
[   78.040331][ T2962]  ? do_syscall_64+0xd1/0x1b0
[   78.047608][ T2962]  ? entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   78.055721][ T2962]  ? entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   78.072687][ T2962]  ? __msan_metadata_ptr_for_load_8+0x24/0x40
[   78.081809][ T2962]  ? filter_irq_stacks+0xb9/0x230
[   78.087869][ T2962]  ? filter_irq_stacks+0xb9/0x230
[   78.095051][ T2962]  ? should_fail_ex+0x91/0xa20
[   78.101839][ T2962]  ? kmsan_get_metadata+0x146/0x1c0
[   78.107538][ T2962]  ? kmsan_get_metadata+0x146/0x1c0
[   78.114253][ T2962]  ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[   78.122152][ T2962]  ? __should_failslab+0x24f/0x2e0
[   78.129024][ T2962]  ? __msan_metadata_ptr_for_load_8+0x24/0x40
[   78.136577][ T2962]  ? __should_failslab+0x24f/0x2e0
[   78.156694][ T2962]  ? kmsan_get_metadata+0x146/0x1c0
[   78.162925][ T2962]  ? kmsan_get_metadata+0x146/0x1c0
[   78.169811][ T2962]  ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[   78.177276][ T2962]  __msan_warning+0x98/0x120
[   78.183309][ T2962]  obj_malloc+0x6cc/0x7b0
[   78.188246][ T2962]  ? kmsan_get_metadata+0x146/0x1c0
[   78.193961][ T2962]  zs_malloc+0xdbd/0x1400
[   78.198774][ T2962]  ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[   78.204373][ T2962]  zs_zpool_malloc+0xa5/0x1b0
[   78.209487][ T2962]  ? zs_zpool_destroy+0x50/0x50
[   78.215875][ T2962]  zpool_malloc+0x110/0x150
[   78.221423][ T2962]  zswap_store+0x2bbb/0x3d30
[   78.226784][ T2962]  swap_writepage+0x15b/0x4f0
[   78.232645][ T2962]  ? generic_swapfile_activate+0xee0/0xee0
[   78.238777][ T2962]  pageout+0x41d/0xef0
[   78.244187][ T2962]  shrink_folio_list+0x4d7a/0x7480
[   78.250349][ T2962]  evict_folios+0x30f1/0x5170
[   78.256857][ T2962]  try_to_shrink_lruvec+0x983/0xd20
[   78.263215][ T2962]  shrink_one+0x72d/0xeb0
[   78.268410][ T2962]  shrink_many+0x70d/0x10b0
[   78.274632][ T2962]  lru_gen_shrink_node+0x577/0x850
[   78.281485][ T2962]  shrink_node+0x13d/0x1de0
[   78.287756][ T2962]  ? mem_cgroup_soft_limit_reclaim+0x34/0x17a0
[   78.295195][ T2962]  ? filter_irq_stacks+0xb9/0x230
[   78.301832][ T2962]  ? stack_depot_save_flags+0x2c/0x810
[   78.308677][ T2962]  ? kmsan_internal_set_shadow_origin+0x66/0xe0
[   78.315638][ T2962]  ? kmsan_get_metadata+0x146/0x1c0
[   78.321575][ T2962]  ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[   78.328726][ T2962]  shrink_zones+0x878/0x14a0
[   78.335109][ T2962]  ? __module_address+0x114/0x890
[   78.341766][ T2962]  do_try_to_free_pages+0x2ac/0x16a0
[   78.348484][ T2962]  ? kmsan_get_metadata+0x146/0x1c0
[   78.357673][ T2962]  try_to_free_pages+0xd9e/0x1910
[   78.382022][ T2962]  ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[   78.409072][ T2962]  __alloc_pages_slowpath+0x147a/0x2bd0
[   78.435039][ T2962]  ? get_page_from_freelist+0x11ed/0x1b00
[   78.461720][ T2962]  __alloc_pages+0xb8c/0x1050
[   78.474860][ T2962]  alloc_pages_mpol+0x8e0/0xc80
[   78.481368][ T2962]  alloc_pages+0x224/0x240
[   78.487579][ T2962]  pipe_write+0xabe/0x2ba0
[   78.494006][ T2962]  ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[   78.501316][ T2962]  ? filter_irq_stacks+0x1d8/0x230
[   78.508179][ T2962]  ? kmsan_get_metadata+0x146/0x1c0
[   78.515408][ T2962]  ? pipe_read+0x2220/0x2220
[   78.530652][ T2962]  vfs_write+0xfb0/0x1b80
[   78.553685][ T2962]  ksys_write+0x275/0x500
[   78.576529][ T2962]  __x64_sys_write+0xdf/0x120
[   78.599958][ T2962]  do_syscall_64+0xd1/0x1b0
[   78.623046][ T2962]  ? irqentry_exit+0x16/0x50
[   78.646375][ T2962]  ? exc_page_fault+0x7c/0x180
[   78.667298][ T2962]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   78.693772][ T2962] RIP: 0033:0x7f24b1f14887
[   78.712875][ T2962] Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
[   78.769621][ T2962] RSP: 002b:00007ffd348e7138 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   78.779659][ T2962] RAX: ffffffffffffffda RBX: 0000000000000089 RCX: 00007f24b1f14887
[   78.788322][ T2962] RDX: 0000000000001000 RSI: 000055fd4849e040 RDI: 00000000000000ea
[   78.799066][ T2962] RBP: 000055fd4849e040 R08: 0000000000000000 R09: 00007f24b2094740
[   78.808645][ T2962] R10: 00007f24b20de0c8 R11: 0000000000000246 R12: 00007ffd348e7140
[   78.819277][ T2962] R13: 000055fd4849b160 R14: 000055fd4849dd80 R15: 00007f24b20dd040
[   78.828758][ T2962]  </TASK>
[   78.856768][ T2962] Kernel Offset: disabled
[   78.861472][ T2962] Rebooting in 10 seconds..
----------------------------------------



^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (5 preceding siblings ...)
  2024-01-26  6:57 ` Edward Adam Davis
@ 2024-02-24  5:53 ` Tetsuo Handa
  2024-02-24  6:22   ` [syzbot] [mm] " syzbot
  2024-02-24 10:47   ` [syzbot] [virtualization?] " Tetsuo Handa
  2024-02-25  0:27 ` [syzbot] [virtualization?] " Edward Adam Davis
                   ` (5 subsequent siblings)
  12 siblings, 2 replies; 35+ messages in thread
From: Tetsuo Handa @ 2024-02-24  5:53 UTC (permalink / raw)
  To: syzbot, syzkaller-bugs; +Cc: linux-kernel

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
 			   : "cc", "memory", "rax", "rcx");
 }
 
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+	memcpy(to, from, PAGE_SIZE);
+}
+#else
 void copy_page(void *to, void *from);
+#endif
 
 #ifdef CONFIG_X86_5LEVEL
 /*
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
  2024-02-24  5:53 ` [syzbot] [virtualization?] " Tetsuo Handa
@ 2024-02-24  6:22   ` syzbot
  2024-02-24 10:47   ` [syzbot] [virtualization?] " Tetsuo Handa
  1 sibling, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-24  6:22 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

d
[   21.218838][    T1] befs: version: 0.9.3
[   21.224039][    T1] ocfs2: Registered cluster interface o2cb
[   21.231409][    T1] ocfs2: Registered cluster interface user
[   21.238747][    T1] OCFS2 User DLM kernel interface loaded
[   21.258685][    T1] gfs2: GFS2 installed
[   21.299341][    T1] ceph: loaded (mds proto 32)
[   25.455884][    T1] NET: Registered PF_ALG protocol family
[   25.462173][    T1] xor: automatically using best checksumming function   avx       
[   25.470258][    T1] async_tx: api initialized (async)
[   25.475789][    T1] Key type asymmetric registered
[   25.480985][    T1] Asymmetric key parser 'x509' registered
[   25.486893][    T1] Asymmetric key parser 'pkcs8' registered
[   25.492975][    T1] Key type pkcs7_test registered
[   25.498812][    T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 240)
[   25.509132][    T1] io scheduler mq-deadline registered
[   25.514858][    T1] io scheduler kyber registered
[   25.520533][    T1] io scheduler bfq registered
[   25.537345][    T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[   25.557878][    T1] ACPI: button: Power Button [PWRF]
[   25.565475][    T1] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
[   25.575850][    T1] ACPI: button: Sleep Button [SLPF]
[   25.599393][    T1] ioatdma: Intel(R) QuickData Technology Driver 5.00
[   25.688382][    T1] ACPI: \_SB_.LNKC: Enabled at IRQ 11
[   25.698171][    T1] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
[   25.773719][    T1] ACPI: \_SB_.LNKD: Enabled at IRQ 10
[   25.780039][    T1] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
[   25.858501][    T1] ACPI: \_SB_.LNKB: Enabled at IRQ 10
[   25.864338][    T1] virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
[   25.925717][    T1] virtio-pci 0000:00:07.0: virtio_pci: leaving for legacy driver
[   26.972684][    T1] N_HDLC line discipline registered with maxframe=4096
[   26.980030][    T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[   26.993242][    T1] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[   27.024320][    T1] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[   27.054743][    T1] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
[   27.083834][    T1] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
[   27.133086][    T1] Non-volatile memory driver v1.3
[   27.161382][    T1] Linux agpgart interface v0.103
[   27.177896][    T1] ACPI: bus type drm_connector registered
[   27.195073][    T1] [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[   27.215880][    T1] [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
[   27.690881][    T1] Console: switching to colour frame buffer device 128x48
[   27.845338][    T1] platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
[   27.853291][    T1] usbcore: registered new interface driver udl
[   28.015016][    T1] brd: module loaded
[   28.195324][    T1] loop: module loaded
[   28.444871][    T1] zram: Added device: zram0
[   28.471729][    T1] null_blk: disk nullb0 created
[   28.476949][    T1] null_blk: module loaded
[   28.481708][    T1] Guest personality initialized and is inactive
[   28.489569][    T1] VMCI host device registered (name=vmci, major=10, minor=118)
[   28.497772][    T1] Initialized host personality
[   28.503268][    T1] usbcore: registered new interface driver rtsx_usb
[   28.512421][    T1] usbcore: registered new interface driver viperboard
[   28.520209][    T1] usbcore: registered new interface driver dln2
[   28.527820][    T1] usbcore: registered new interface driver pn533_usb
[   28.540882][    T1] nfcsim 0.2 initialized
[   28.545800][    T1] usbcore: registered new interface driver port100
[   28.553465][    T1] usbcore: registered new interface driver nfcmrvl
[   28.570561][    T1] Loading iSCSI transport class v2.0-870.
[   28.605596][    T1] virtio_scsi virtio0: 1/0/0 default/read/poll queues
[   28.652924][    T1] scsi host0: Virtio SCSI HBA
[   29.190956][    T1] st: Version 20160209, fixed bufsize 32768, s/g segs 256
[   29.207865][   T26] scsi 0:0:1:0: Direct-Access     Google   PersistentDisk   1    PQ: 0 ANSI: 6
[   29.257823][    T1] Rounding down aligned max_sectors from 4294967295 to 4294967288
[   29.270496][    T1] db_root: cannot open: /etc/target
[   29.286144][    T1] =====================================================
[   29.286396][    T1] BUG: KMSAN: use-after-free in __list_del_entry_valid_or_report+0x19e/0x490
[   29.286565][    T1]  __list_del_entry_valid_or_report+0x19e/0x490
[   29.286657][    T1]  stack_depot_save_flags+0x3e7/0x7b0
[   29.286657][    T1]  stack_depot_save+0x12/0x20
[   29.286842][    T1]  ref_tracker_alloc+0x215/0x700
[   29.286842][    T1]  net_rx_queue_update_kobjects+0x1eb/0xa80
[   29.286842][    T1]  netdev_register_kobject+0x30e/0x520
[   29.286842][    T1]  register_netdevice+0x198f/0x2170
[   29.286842][    T1]  bond_create+0x138/0x2a0
[   29.286842][    T1]  bonding_init+0x1a7/0x2d0
[   29.286842][    T1]  do_one_initcall+0x216/0x960
[   29.286842][    T1]  do_initcall_level+0x140/0x350
[   29.286842][    T1]  do_initcalls+0xf0/0x1d0
[   29.286842][    T1]  do_basic_setup+0x22/0x30
[   29.287955][    T1]  kernel_init_freeable+0x300/0x4b0
[   29.287955][    T1]  kernel_init+0x2f/0x7e0
[   29.287955][    T1]  ret_from_fork+0x66/0x80
[   29.287955][    T1]  ret_from_fork_asm+0x11/0x20
[   29.287955][    T1] 
[   29.287955][    T1] Uninit was created at:
[   29.287955][    T1]  __free_pages_ok+0x133/0xeb0
[   29.287955][    T1]  alloc_pages_exact+0x2f5/0x350
[   29.287955][    T1]  vring_alloc_queue_split+0x2d9/0x990
[   29.287955][    T1]  vring_create_virtqueue_split+0x89/0x380
[   29.287955][    T1]  vring_create_virtqueue+0x101/0x1a0
[   29.287955][    T1]  setup_vq+0x175/0x510
[   29.287955][    T1]  vp_setup_vq+0x103/0x630
[   29.287955][    T1]  vp_find_vqs_msix+0x1162/0x16c0
[   29.287955][    T1]  vp_find_vqs+0x78/0x770
[   29.287955][    T1]  virtscsi_init+0xff7/0x17a0
[   29.289671][    T1]  virtscsi_probe+0x43b/0xfe0
[   29.289671][    T1]  virtio_dev_probe+0x16df/0x1900
[   29.289671][    T1]  really_probe+0x506/0xf40
[   29.289671][    T1]  __driver_probe_device+0x2a7/0x5d0
[   29.289671][    T1]  driver_probe_device+0x72/0x7b0
[   29.289671][    T1]  __driver_attach+0x710/0xa30
[   29.289671][    T1]  bus_for_each_dev+0x34c/0x530
[   29.289671][    T1]  driver_attach+0x51/0x60
[   29.289671][    T1]  bus_add_driver+0x747/0xca0
[   29.289671][    T1]  driver_register+0x3fb/0x650
[   29.289671][    T1]  register_virtio_driver+0xd1/0xf0
[   29.289671][    T1]  virtio_scsi_init+0x123/0x2f0
[   29.289671][    T1]  do_one_initcall+0x216/0x960
[   29.289671][    T1]  do_initcall_level+0x140/0x350
[   29.289671][    T1]  do_initcalls+0xf0/0x1d0
[   29.289671][    T1]  do_basic_setup+0x22/0x30
[   29.289671][    T1]  kernel_init_freeable+0x300/0x4b0
[   29.289671][    T1]  kernel_init+0x2f/0x7e0
[   29.289671][    T1]  ret_from_fork+0x66/0x80
[   29.289671][    T1]  ret_from_fork_asm+0x11/0x20
[   29.289671][    T1] 
[   29.289671][    T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc5-syzkaller-00278-g603c04e27c3e-dirty #0
[   29.289671][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[   29.289671][    T1] =====================================================
[   29.289671][    T1] Disabling lock debugging due to kernel taint
[   29.289671][    T1] Kernel panic - not syncing: kmsan.panic set ...
[   29.289671][    T1] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G    B              6.8.0-rc5-syzkaller-00278-g603c04e27c3e-dirty #0
[   29.289671][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[   29.289671][    T1] Call Trace:
[   29.289671][    T1]  <TASK>
[   29.289671][    T1]  dump_stack_lvl+0x1bf/0x240
[   29.289671][    T1]  dump_stack+0x1e/0x20
[   29.289671][    T1]  panic+0x4de/0xc90
[   29.289671][    T1]  kmsan_report+0x2d0/0x2d0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? __msan_warning+0x96/0x110
[   29.289671][    T1]  ? __list_del_entry_valid_or_report+0x19e/0x490
[   29.289671][    T1]  ? stack_depot_save_flags+0x3e7/0x7b0
[   29.289671][    T1]  ? stack_depot_save+0x12/0x20
[   29.289671][    T1]  ? ref_tracker_alloc+0x215/0x700
[   29.289671][    T1]  ? net_rx_queue_update_kobjects+0x1eb/0xa80
[   29.289671][    T1]  ? netdev_register_kobject+0x30e/0x520
[   29.289671][    T1]  ? register_netdevice+0x198f/0x2170
[   29.289671][    T1]  ? bond_create+0x138/0x2a0
[   29.289671][    T1]  ? bonding_init+0x1a7/0x2d0
[   29.289671][    T1]  ? do_one_initcall+0x216/0x960
[   29.289671][    T1]  ? do_initcall_level+0x140/0x350
[   29.289671][    T1]  ? do_initcalls+0xf0/0x1d0
[   29.289671][    T1]  ? do_basic_setup+0x22/0x30
[   29.289671][    T1]  ? kernel_init_freeable+0x300/0x4b0
[   29.289671][    T1]  ? kernel_init+0x2f/0x7e0
[   29.289671][    T1]  ? ret_from_fork+0x66/0x80
[   29.289671][    T1]  ? ret_from_fork_asm+0x11/0x20
[   29.289671][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   29.289671][    T1]  ? _raw_spin_lock_irqsave+0x35/0xc0
[   29.289671][    T1]  ? filter_irq_stacks+0x60/0x1a0
[   29.289671][    T1]  ? stack_depot_save_flags+0x2c/0x7b0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   29.289671][    T1]  __msan_warning+0x96/0x110
[   29.289671][    T1]  __list_del_entry_valid_or_report+0x19e/0x490
[   29.289671][    T1]  stack_depot_save_flags+0x3e7/0x7b0
[   29.289671][    T1]  stack_depot_save+0x12/0x20
[   29.289671][    T1]  ref_tracker_alloc+0x215/0x700
[   29.289671][    T1]  ? dev_uevent_filter+0x53/0x110
[   29.289671][    T1]  ? net_rx_queue_update_kobjects+0x1eb/0xa80
[   29.289671][    T1]  ? netdev_register_kobject+0x30e/0x520
[   29.289671][    T1]  ? register_netdevice+0x198f/0x2170
[   29.289671][    T1]  ? bond_create+0x138/0x2a0
[   29.289671][    T1]  ? bonding_init+0x1a7/0x2d0
[   29.289671][    T1]  ? do_one_initcall+0x216/0x960
[   29.289671][    T1]  ? do_initcall_level+0x140/0x350
[   29.289671][    T1]  ? do_initcalls+0xf0/0x1d0
[   29.289671][    T1]  ? do_basic_setup+0x22/0x30
[   29.289671][    T1]  ? kernel_init_freeable+0x300/0x4b0
[   29.289671][    T1]  ? kernel_init+0x2f/0x7e0
[   29.289671][    T1]  ? ret_from_fork+0x66/0x80
[   29.289671][    T1]  ? ret_from_fork_asm+0x11/0x20
[   29.289671][    T1]  ? kmsan_internal_unpoison_memory+0x14/0x20
[   29.289671][    T1]  net_rx_queue_update_kobjects+0x1eb/0xa80
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  netdev_register_kobject+0x30e/0x520
[   29.289671][    T1]  register_netdevice+0x198f/0x2170
[   29.289671][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   29.289671][    T1]  bond_create+0x138/0x2a0
[   29.289671][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   29.289671][    T1]  bonding_init+0x1a7/0x2d0
[   29.289671][    T1]  ? spi_dln2_driver_init+0x40/0x40
[   29.289671][    T1]  do_one_initcall+0x216/0x960
[   29.289671][    T1]  ? spi_dln2_driver_init+0x40/0x40
[   29.289671][    T1]  ? kmsan_get_metadata+0x80/0x1c0
[   29.289671][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   29.289671][    T1]  ? filter_irq_stacks+0x164/0x1a0
[   29.289671][    T1]  ? stack_depot_save_flags+0x2c/0x7b0
[   29.289671][    T1]  ? skip_spaces+0x8f/0xc0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   29.289671][    T1]  ? parse_args+0x1511/0x15e0
[   29.289671][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   29.289671][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   29.289671][    T1]  ? spi_dln2_driver_init+0x40/0x40
[   29.289671][    T1]  do_initcall_level+0x140/0x350
[   29.289671][    T1]  do_initcalls+0xf0/0x1d0
[   29.289671][    T1]  ? arch_cpuhp_init_parallel_bringup+0xe0/0xe0
[   29.289671][    T1]  do_basic_setup+0x22/0x30
[   29.289671][    T1]  kernel_init_freeable+0x300/0x4b0
[   29.289671][    T1]  ? rest_init+0x260/0x260
[   29.289671][    T1]  kernel_init+0x2f/0x7e0
[   29.289671][    T1]  ? rest_init+0x260/0x260
[   29.289671][    T1]  ret_from_fork+0x66/0x80
[   29.289671][    T1]  ? rest_init+0x260/0x260
[   29.289671][    T1]  ret_from_fork_asm+0x11/0x20
[   29.289671][    T1]  </TASK>
[   29.289671][    T1] Kernel Offset: disabled


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4072519577=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 9bd8dcda8
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9bd8dcda8c7c494d59bd3132a668f4784ea835c6\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1409f29a180000


Tested on:

commit:         603c04e2 Merge tag 'parisc-for-6.8-rc6' of git://git.k..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=d33318d4e4a0d226
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=164e2a9a180000


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-02-24  5:53 ` [syzbot] [virtualization?] " Tetsuo Handa
  2024-02-24  6:22   ` [syzbot] [mm] " syzbot
@ 2024-02-24 10:47   ` Tetsuo Handa
  2024-02-24 11:19     ` [syzbot] [mm] " syzbot
  2024-02-24 14:03     ` [syzbot] [virtualization?] " Tetsuo Handa
  1 sibling, 2 replies; 35+ messages in thread
From: Tetsuo Handa @ 2024-02-24 10:47 UTC (permalink / raw)
  To: syzbot, syzkaller-bugs; +Cc: linux-kernel

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
 			   : "cc", "memory", "rax", "rcx");
 }
 
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+	memcpy(to, from, PAGE_SIZE);
+}
+#else
 void copy_page(void *to, void *from);
+#endif
 
 #ifdef CONFIG_X86_5LEVEL
 /*
diff --git a/lib/stackdepot.c b/lib/stackdepot.c
index 5caa1f566553..48277029c282 100644
--- a/lib/stackdepot.c
+++ b/lib/stackdepot.c
@@ -592,22 +592,27 @@ static inline struct stack_record *find_stack(struct list_head *bucket,
 
 		/*
 		 * This may race with depot_free_stack() accessing the freelist
-		 * management state unioned with @entries. The refcount is zero
-		 * in that case and the below refcount_inc_not_zero() will fail.
+		 * management state unioned with @entries.
 		 */
 		if (data_race(stackdepot_memcmp(entries, stack->entries, size)))
 			continue;
 
 		/*
-		 * Try to increment refcount. If this succeeds, the stack record
-		 * is valid and has not yet been freed.
+		 * Check if an invalid record had the same {hash, size, entries}
+		 * by testing whether the refcount is already 0.
+		 * Also, try to increment refcount if STACK_DEPOT_FLAG_GET is used.
 		 *
 		 * If STACK_DEPOT_FLAG_GET is not used, it is undefined behavior
 		 * to then call stack_depot_put() later, and we can assume that
 		 * a stack record is never placed back on the freelist.
 		 */
-		if ((flags & STACK_DEPOT_FLAG_GET) && !refcount_inc_not_zero(&stack->count))
-			continue;
+		if (flags & STACK_DEPOT_FLAG_GET) {
+			if (!refcount_inc_not_zero(&stack->count))
+				continue;
+		} else {
+			if (!refcount_read(&stack->count))
+				continue;
+		}
 
 		ret = stack;
 		break;



^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
  2024-02-24 10:47   ` [syzbot] [virtualization?] " Tetsuo Handa
@ 2024-02-24 11:19     ` syzbot
  2024-02-24 14:03     ` [syzbot] [virtualization?] " Tetsuo Handa
  1 sibling, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-24 11:19 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

t_init: NFSv4 File Layout Driver Registering...
[   20.471049][    T1] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[   20.505263][    T1] Key type cifs.spnego registered
[   20.511376][    T1] Key type cifs.idmap registered
[   20.520289][    T1] ntfs: driver 2.1.32 [Flags: R/W].
[   20.527115][    T1] ntfs3: Max link count 4000
[   20.531960][    T1] ntfs3: Enabled Linux POSIX ACLs support
[   20.538483][    T1] ntfs3: Read-only LZX/Xpress compression included
[   20.545508][    T1] efs: 1.0a - http://aeschi.ch.eu.org/efs/
[   20.551729][    T1] romfs: ROMFS MTD (C) 2007 Red Hat, Inc.
[   20.557831][    T1] QNX4 filesystem 0.2.3 registered.
[   20.563340][    T1] qnx6: QNX6 filesystem 1.0.0 registered.
[   20.570536][    T1] fuse: init (API version 7.39)
[   20.571734][  T101] kworker/u4:2 (101) used greatest stack depth: 11288 bytes left
[   20.581752][    T1] orangefs_debugfs_init: called with debug mask: :none: :0:
[   20.592075][    T1] orangefs_init: module version upstream loaded
[   20.600151][    T1] JFS: nTxBlock = 8192, nTxLock = 65536
[   20.639154][    T1] SGI XFS with ACLs, security attributes, realtime, quota, no debug enabled
[   20.657570][    T1] 9p: Installing v9fs 9p2000 file system support
[   20.665095][    T1] NILFS version 2 loaded
[   20.669396][    T1] befs: version: 0.9.3
[   20.674578][    T1] ocfs2: Registered cluster interface o2cb
[   20.681669][    T1] ocfs2: Registered cluster interface user
[   20.688930][    T1] OCFS2 User DLM kernel interface loaded
[   20.707749][    T1] gfs2: GFS2 installed
[   20.744474][    T1] ceph: loaded (mds proto 32)
[   24.874084][    T1] NET: Registered PF_ALG protocol family
[   24.880210][    T1] xor: automatically using best checksumming function   avx       
[   24.888295][    T1] async_tx: api initialized (async)
[   24.893754][    T1] Key type asymmetric registered
[   24.898745][    T1] Asymmetric key parser 'x509' registered
[   24.904660][    T1] Asymmetric key parser 'pkcs8' registered
[   24.910541][    T1] Key type pkcs7_test registered
[   24.916242][    T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 240)
[   24.926204][    T1] io scheduler mq-deadline registered
[   24.931648][    T1] io scheduler kyber registered
[   24.937150][    T1] io scheduler bfq registered
[   24.953833][    T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[   24.971277][    T1] ACPI: button: Power Button [PWRF]
[   24.979332][    T1] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
[   24.989840][    T1] ACPI: button: Sleep Button [SLPF]
[   25.012119][    T1] ioatdma: Intel(R) QuickData Technology Driver 5.00
[   25.095202][    T1] ACPI: \_SB_.LNKC: Enabled at IRQ 11
[   25.101026][    T1] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
[   25.175231][    T1] ACPI: \_SB_.LNKD: Enabled at IRQ 10
[   25.180945][    T1] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
[   25.256940][    T1] ACPI: \_SB_.LNKB: Enabled at IRQ 10
[   25.262845][    T1] virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
[   25.319638][    T1] virtio-pci 0000:00:07.0: virtio_pci: leaving for legacy driver
[   25.380117][  T192] kworker/u4:2 (192) used greatest stack depth: 11000 bytes left
[   25.419761][  T216] kworker/u4:4 (216) used greatest stack depth: 10880 bytes left
[   26.330623][    T1] N_HDLC line discipline registered with maxframe=4096
[   26.337903][    T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[   26.350042][    T1] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[   26.379363][    T1] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[   26.408213][    T1] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
[   26.436415][    T1] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
[   26.484205][    T1] Non-volatile memory driver v1.3
[   26.510889][    T1] Linux agpgart interface v0.103
[   26.525992][    T1] ACPI: bus type drm_connector registered
[   26.541877][    T1] [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[   26.561354][    T1] [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
[   27.039310][    T1] Console: switching to colour frame buffer device 128x48
[   27.194448][    T1] platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
[   27.202140][    T1] usbcore: registered new interface driver udl
[   27.363686][    T1] brd: module loaded
[   27.533426][    T1] loop: module loaded
[   27.781686][    T1] zram: Added device: zram0
[   27.803872][    T1] null_blk: disk nullb0 created
[   27.808850][    T1] null_blk: module loaded
[   27.813612][    T1] Guest personality initialized and is inactive
[   27.821083][    T1] VMCI host device registered (name=vmci, major=10, minor=118)
[   27.828876][    T1] Initialized host personality
[   27.835427][    T1] usbcore: registered new interface driver rtsx_usb
[   27.843793][    T1] usbcore: registered new interface driver viperboard
[   27.851479][    T1] usbcore: registered new interface driver dln2
[   27.858605][    T1] usbcore: registered new interface driver pn533_usb
[   27.871594][    T1] nfcsim 0.2 initialized
[   27.876318][    T1] usbcore: registered new interface driver port100
[   27.883331][    T1] usbcore: registered new interface driver nfcmrvl
[   27.899548][    T1] Loading iSCSI transport class v2.0-870.
[   27.935492][    T1] virtio_scsi virtio0: 1/0/0 default/read/poll queues
[   27.968598][    T1] scsi host0: Virtio SCSI HBA
[   28.484347][    T1] st: Version 20160209, fixed bufsize 32768, s/g segs 256
[   28.491538][   T26] scsi 0:0:1:0: Direct-Access     Google   PersistentDisk   1    PQ: 0 ANSI: 6
[   28.563800][    T1] Rounding down aligned max_sectors from 4294967295 to 4294967288
[   28.574157][    T1] db_root: cannot open: /etc/target
[   28.623965][    T1] =====================================================
[   28.624202][    T1] BUG: KMSAN: use-after-free in __list_del_entry_valid_or_report+0x19e/0x490
[   28.624362][    T1]  __list_del_entry_valid_or_report+0x19e/0x490
[   28.624516][    T1]  stack_depot_save_flags+0x3e2/0x7a0
[   28.624621][    T1]  stack_depot_save+0x12/0x20
[   28.624709][    T1]  ref_tracker_alloc+0x215/0x700
[   28.624801][    T1]  netdev_hold+0xe2/0x120
[   28.624916][    T1]  register_netdevice+0x1bc7/0x2170
[   28.625022][    T1]  bond_create+0x138/0x2a0
[   28.625148][    T1]  bonding_init+0x1a7/0x2d0
[   28.625247][    T1]  do_one_initcall+0x216/0x960
[   28.625348][    T1]  do_initcall_level+0x140/0x350
[   28.625453][    T1]  do_initcalls+0xf0/0x1d0
[   28.625556][    T1]  do_basic_setup+0x22/0x30
[   28.625649][    T1]  kernel_init_freeable+0x300/0x4b0
[   28.625757][    T1]  kernel_init+0x2f/0x7e0
[   28.625871][    T1]  ret_from_fork+0x66/0x80
[   28.625991][    T1]  ret_from_fork_asm+0x11/0x20
[   28.626101][    T1] 
[   28.626114][    T1] Uninit was created at:
[   28.626277][    T1]  free_unref_page_prepare+0xc1/0xad0
[   28.626418][    T1]  free_unref_page+0x58/0x6d0
[   28.626549][    T1]  __free_pages+0xb1/0x1f0
[   28.626626][    T1]  thread_stack_free_rcu+0x97/0xb0
[   28.626721][    T1]  rcu_core+0xa3c/0x1df0
[   28.626843][    T1]  rcu_core_si+0x12/0x20
[   28.626950][    T1]  __do_softirq+0x1b7/0x7c3
[   28.627080][    T1] 
[   28.627096][    T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc5-syzkaller-00278-g603c04e27c3e-dirty #0
[   28.627194][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[   28.627246][    T1] =====================================================
[   28.627270][    T1] Disabling lock debugging due to kernel taint
[   28.627299][    T1] Kernel panic - not syncing: kmsan.panic set ...
[   28.627335][    T1] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G    B              6.8.0-rc5-syzkaller-00278-g603c04e27c3e-dirty #0
[   28.627441][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[   28.627493][    T1] Call Trace:
[   28.627520][    T1]  <TASK>
[   28.627548][    T1]  dump_stack_lvl+0x1bf/0x240
[   28.627651][    T1]  dump_stack+0x1e/0x20
[   28.627733][    T1]  panic+0x4de/0xc90
[   28.627875][    T1]  kmsan_report+0x2d0/0x2d0
[   28.627974][    T1]  ? cleanup_uevent_env+0x40/0x50
[   28.628108][    T1]  ? netdev_queue_update_kobjects+0x3f5/0x870
[   28.628237][    T1]  ? netdev_register_kobject+0x41e/0x520
[   28.628357][    T1]  ? register_netdevice+0x198f/0x2170
[   28.628473][    T1]  ? __msan_warning+0x96/0x110
[   28.628609][    T1]  ? __list_del_entry_valid_or_report+0x19e/0x490
[   28.628762][    T1]  ? stack_depot_save_flags+0x3e2/0x7a0
[   28.628872][    T1]  ? stack_depot_save+0x12/0x20
[   28.628971][    T1]  ? ref_tracker_alloc+0x215/0x700
[   28.629069][    T1]  ? netdev_hold+0xe2/0x120
[   28.629172][    T1]  ? register_netdevice+0x1bc7/0x2170
[   28.629287][    T1]  ? bond_create+0x138/0x2a0
[   28.629416][    T1]  ? bonding_init+0x1a7/0x2d0
[   28.629523][    T1]  ? do_one_initcall+0x216/0x960
[   28.629638][    T1]  ? do_initcall_level+0x140/0x350
[   28.629749][    T1]  ? do_initcalls+0xf0/0x1d0
[   28.629852][    T1]  ? do_basic_setup+0x22/0x30
[   28.629955][    T1]  ? kernel_init_freeable+0x300/0x4b0
[   28.630064][    T1]  ? kernel_init+0x2f/0x7e0
[   28.630180][    T1]  ? ret_from_fork+0x66/0x80
[   28.630304][    T1]  ? ret_from_fork_asm+0x11/0x20
[   28.630420][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   28.630527][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.630619][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.630710][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.630805][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   28.630913][    T1]  ? filter_irq_stacks+0x60/0x1a0
[   28.631030][    T1]  ? stack_depot_save_flags+0x2c/0x7a0
[   28.631140][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.631239][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.631330][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.631426][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   28.631538][    T1]  __msan_warning+0x96/0x110
[   28.631674][    T1]  __list_del_entry_valid_or_report+0x19e/0x490
[   28.631838][    T1]  stack_depot_save_flags+0x3e2/0x7a0
[   28.631958][    T1]  stack_depot_save+0x12/0x20
[   28.632058][    T1]  ref_tracker_alloc+0x215/0x700
[   28.632169][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.632260][    T1]  ? netdev_hold+0xe2/0x120
[   28.632365][    T1]  ? register_netdevice+0x1bc7/0x2170
[   28.632438][    T1]  ? bond_create+0x138/0x2a0
[   28.632438][    T1]  ? bonding_init+0x1a7/0x2d0
[   28.632438][    T1]  ? do_one_initcall+0x216/0x960
[   28.632438][    T1]  ? do_initcall_level+0x140/0x350
[   28.632900][    T1]  ? do_initcalls+0xf0/0x1d0
[   28.632900][    T1]  ? do_basic_setup+0x22/0x30
[   28.632900][    T1]  ? kernel_init_freeable+0x300/0x4b0
[   28.632900][    T1]  ? kernel_init+0x2f/0x7e0
[   28.632900][    T1]  ? ret_from_fork+0x66/0x80
[   28.632900][    T1]  ? ret_from_fork_asm+0x11/0x20
[   28.632900][    T1]  ? kmsan_internal_unpoison_memory+0x14/0x20
[   28.633734][    T1]  netdev_hold+0xe2/0x120
[   28.633734][    T1]  register_netdevice+0x1bc7/0x2170
[   28.633970][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   28.633970][    T1]  bond_create+0x138/0x2a0
[   28.633970][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   28.633970][    T1]  bonding_init+0x1a7/0x2d0
[   28.633970][    T1]  ? spi_dln2_driver_init+0x40/0x40
[   28.633970][    T1]  do_one_initcall+0x216/0x960
[   28.633970][    T1]  ? spi_dln2_driver_init+0x40/0x40
[   28.634792][    T1]  ? kmsan_get_metadata+0x80/0x1c0
[   28.634802][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   28.634802][    T1]  ? filter_irq_stacks+0x60/0x1a0
[   28.634802][    T1]  ? stack_depot_save_flags+0x2c/0x7a0
[   28.634802][    T1]  ? skip_spaces+0x8f/0xc0
[   28.634802][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.634802][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.634802][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   28.635636][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.635636][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   28.635636][    T1]  ? parse_args+0x1511/0x15e0
[   28.635636][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[   28.635636][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[   28.635636][    T1]  ? spi_dln2_driver_init+0x40/0x40
[   28.635636][    T1]  do_initcall_level+0x140/0x350
[   28.635636][    T1]  do_initcalls+0xf0/0x1d0
[   28.636461][    T1]  ? arch_cpuhp_init_parallel_bringup+0xe0/0xe0
[   28.636461][    T1]  do_basic_setup+0x22/0x30
[   28.636461][    T1]  kernel_init_freeable+0x300/0x4b0
[   28.636461][    T1]  ? rest_init+0x260/0x260
[   28.636461][    T1]  kernel_init+0x2f/0x7e0
[   28.636461][    T1]  ? rest_init+0x260/0x260
[   28.636461][    T1]  ret_from_fork+0x66/0x80
[   28.637299][    T1]  ? rest_init+0x260/0x260
[   28.637299][    T1]  ret_from_fork_asm+0x11/0x20
[   28.637299][    T1]  </TASK>
[   28.637299][    T1] Kernel Offset: disabled


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1437193816=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 9bd8dcda8
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9bd8dcda8c7c494d59bd3132a668f4784ea835c6\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1423a4ac180000


Tested on:

commit:         603c04e2 Merge tag 'parisc-for-6.8-rc6' of git://git.k..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=d33318d4e4a0d226
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17a12a30180000


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-02-24 10:47   ` [syzbot] [virtualization?] " Tetsuo Handa
  2024-02-24 11:19     ` [syzbot] [mm] " syzbot
@ 2024-02-24 14:03     ` Tetsuo Handa
  2024-02-24 14:24       ` [syzbot] [mm] " syzbot
  2024-02-25  0:01       ` [syzbot] [virtualization?] " Tetsuo Handa
  1 sibling, 2 replies; 35+ messages in thread
From: Tetsuo Handa @ 2024-02-24 14:03 UTC (permalink / raw)
  To: syzbot, syzkaller-bugs; +Cc: linux-kernel

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7

diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
 			   : "cc", "memory", "rax", "rcx");
 }
 
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+	memcpy(to, from, PAGE_SIZE);
+}
+#else
 void copy_page(void *to, void *from);
+#endif
 
 #ifdef CONFIG_X86_5LEVEL
 /*
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
  2024-02-24 14:03     ` [syzbot] [virtualization?] " Tetsuo Handa
@ 2024-02-24 14:24       ` syzbot
  2024-02-25  0:01       ` [syzbot] [virtualization?] " Tetsuo Handa
  1 sibling, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-24 14:24 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in virtqueue_add

=====================================================
BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
 vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
 virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
 virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
 virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
 virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
 virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
 scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
 blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
 blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
 __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
 blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
 blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
 kthread+0x3ed/0x540 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Uninit was created at:
 __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
 alloc_pages mm/mempolicy.c:2204 [inline]
 folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
 filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
 __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
 ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
 generic_perform_write+0x3f5/0xc40 mm/filemap.c:3927
 ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
 ext4_file_write_iter+0x20f/0x3460
 __kernel_write_iter+0x329/0x930 fs/read_write.c:517
 dump_emit_page fs/coredump.c:888 [inline]
 dump_user_range+0x593/0xcd0 fs/coredump.c:915
 elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
 do_coredump+0x32c9/0x4920 fs/coredump.c:764
 get_signal+0x2185/0x2d10 kernel/signal.c:2890
 arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
 irqentry_exit+0x16/0x40 kernel/entry/common.c:412
 exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566
 asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570

Bytes 0-4095 of 4096 are uninitialized
Memory access of size 4096 starts at ffff88803438f000

CPU: 0 PID: 51 Comm: kworker/0:1H Not tainted 6.7.0-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: kblockd blk_mq_run_work_fn
=====================================================


Tested on:

commit:         0dd3ee31 Linux 6.7
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
console output: https://syzkaller.appspot.com/x/log.txt?x=147162c4180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=373206b1ae2fe3d4
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12a294c4180000


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-02-24 14:03     ` [syzbot] [virtualization?] " Tetsuo Handa
  2024-02-24 14:24       ` [syzbot] [mm] " syzbot
@ 2024-02-25  0:01       ` Tetsuo Handa
  2024-02-25  0:21         ` [syzbot] [mm] " syzbot
  1 sibling, 1 reply; 35+ messages in thread
From: Tetsuo Handa @ 2024-02-25  0:01 UTC (permalink / raw)
  To: syzbot, syzkaller-bugs; +Cc: linux-kernel

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7

diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
 			   : "cc", "memory", "rax", "rcx");
 }
 
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+	memcpy(to, from, PAGE_SIZE);
+}
+#else
 void copy_page(void *to, void *from);
+#endif
 
 #ifdef CONFIG_X86_5LEVEL
 /*
diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c
index 5d6e2dee5692..0b09daa188ef 100644
--- a/mm/kmsan/hooks.c
+++ b/mm/kmsan/hooks.c
@@ -359,6 +359,12 @@ void kmsan_handle_dma_sg(struct scatterlist *sg, int nents,
 }
 
 /* Functions from kmsan-checks.h follow. */
+
+/*
+ * To create an origin, kmsan_poison_memory() unwinds the stacks and stores it
+ * into the stack depot. This may cause deadlocks if done from within KMSAN
+ * runtime, therefore we bail out if kmsan_in_runtime().
+ */
 void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
 {
 	if (!kmsan_enabled || kmsan_in_runtime())
@@ -371,47 +377,31 @@ void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
 }
 EXPORT_SYMBOL(kmsan_poison_memory);
 
+/*
+ * Unlike kmsan_poison_memory(), this function can be used from within KMSAN
+ * runtime, because it does not trigger allocations or call instrumented code.
+ */
 void kmsan_unpoison_memory(const void *address, size_t size)
 {
 	unsigned long ua_flags;
 
-	if (!kmsan_enabled || kmsan_in_runtime())
+	if (!kmsan_enabled)
 		return;
 
 	ua_flags = user_access_save();
-	kmsan_enter_runtime();
 	/* The users may want to poison/unpoison random memory. */
 	kmsan_internal_unpoison_memory((void *)address, size,
 				       KMSAN_POISON_NOCHECK);
-	kmsan_leave_runtime();
 	user_access_restore(ua_flags);
 }
 EXPORT_SYMBOL(kmsan_unpoison_memory);
 
 /*
- * Version of kmsan_unpoison_memory() that can be called from within the KMSAN
- * runtime.
- *
- * Non-instrumented IRQ entry functions receive struct pt_regs from assembly
- * code. Those regs need to be unpoisoned, otherwise using them will result in
- * false positives.
- * Using kmsan_unpoison_memory() is not an option in entry code, because the
- * return value of in_task() is inconsistent - as a result, certain calls to
- * kmsan_unpoison_memory() are ignored. kmsan_unpoison_entry_regs() ensures that
- * the registers are unpoisoned even if kmsan_in_runtime() is true in the early
- * entry code.
+ * Version of kmsan_unpoison_memory() called from IRQ entry functions.
  */
 void kmsan_unpoison_entry_regs(const struct pt_regs *regs)
 {
-	unsigned long ua_flags;
-
-	if (!kmsan_enabled)
-		return;
-
-	ua_flags = user_access_save();
-	kmsan_internal_unpoison_memory((void *)regs, sizeof(*regs),
-				       KMSAN_POISON_NOCHECK);
-	user_access_restore(ua_flags);
+	kmsan_unpoison_memory((void *)regs, sizeof(*regs));
 }
 
 void kmsan_check_memory(const void *addr, size_t size)



^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
  2024-02-25  0:01       ` [syzbot] [virtualization?] " Tetsuo Handa
@ 2024-02-25  0:21         ` syzbot
  0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-25  0:21 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in virtqueue_add

=====================================================
BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
 vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
 virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
 virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
 virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
 virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
 virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
 scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
 blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
 blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
 __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
 blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
 blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
 kthread+0x3ed/0x540 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Uninit was created at:
 __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
 alloc_pages mm/mempolicy.c:2204 [inline]
 folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
 filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
 __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
 ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
 generic_perform_write+0x3f5/0xc40 mm/filemap.c:3927
 ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
 ext4_file_write_iter+0x20f/0x3460
 __kernel_write_iter+0x329/0x930 fs/read_write.c:517
 dump_emit_page fs/coredump.c:888 [inline]
 dump_user_range+0x593/0xcd0 fs/coredump.c:915
 elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
 do_coredump+0x32c9/0x4920 fs/coredump.c:764
 get_signal+0x2185/0x2d10 kernel/signal.c:2890
 arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
 irqentry_exit+0x16/0x40 kernel/entry/common.c:412
 exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566
 asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570

Bytes 0-4095 of 4096 are uninitialized
Memory access of size 4096 starts at ffff888037212000

CPU: 1 PID: 51 Comm: kworker/1:1H Not tainted 6.7.0-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: kblockd blk_mq_run_work_fn
=====================================================


Tested on:

commit:         0dd3ee31 Linux 6.7
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
console output: https://syzkaller.appspot.com/x/log.txt?x=1462a106180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=373206b1ae2fe3d4
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1455d9d8180000


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (6 preceding siblings ...)
  2024-02-24  5:53 ` [syzbot] [virtualization?] " Tetsuo Handa
@ 2024-02-25  0:27 ` Edward Adam Davis
  2024-02-25  0:52   ` [syzbot] [mm] " syzbot
  2024-02-25  1:50 ` [syzbot] Re: [syzbot] [virtualization?] " syzbot
                   ` (4 subsequent siblings)
  12 siblings, 1 reply; 35+ messages in thread
From: Edward Adam Davis @ 2024-02-25  0:27 UTC (permalink / raw)
  To: syzbot+d7521c1e3841ed075a42; +Cc: linux-kernel, syzkaller-bugs

please test uninit-value in virtqueue_add (4)

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7

diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 9d1bdcdc1331..4ca6627a7459 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
 			    size_t req_size, size_t resp_size)
 {
 	struct scsi_cmnd *sc = cmd->sc;
-	struct scatterlist *sgs[6], req, resp;
+	struct scatterlist *sgs[6], req = {}, resp = {};
 	struct sg_table *out, *in;
 	unsigned out_num = 0, in_num = 0;
 


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
  2024-02-25  0:27 ` [syzbot] [virtualization?] " Edward Adam Davis
@ 2024-02-25  0:52   ` syzbot
  0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-25  0:52 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in virtqueue_add

=====================================================
BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
BUG: KMSAN: uninit-value in virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
 vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
 virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
 virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
 virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
 virtscsi_add_cmd+0x817/0xa90 drivers/scsi/virtio_scsi.c:501
 virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
 scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
 blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
 blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
 __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
 blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
 blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
 kthread+0x3ed/0x540 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Uninit was created at:
 __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
 alloc_pages mm/mempolicy.c:2204 [inline]
 folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
 filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
 __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
 ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
 generic_perform_write+0x3f5/0xc40 mm/filemap.c:3927
 ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
 ext4_file_write_iter+0x20f/0x3460
 __kernel_write_iter+0x329/0x930 fs/read_write.c:517
 dump_emit_page fs/coredump.c:888 [inline]
 dump_user_range+0x593/0xcd0 fs/coredump.c:915
 elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
 do_coredump+0x32c9/0x4920 fs/coredump.c:764
 get_signal+0x2185/0x2d10 kernel/signal.c:2890
 arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
 irqentry_exit+0x16/0x40 kernel/entry/common.c:412
 exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566
 asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570

Bytes 0-1023 of 1024 are uninitialized
Memory access of size 1024 starts at ffff88801e7d9c00

CPU: 0 PID: 52 Comm: kworker/0:1H Not tainted 6.7.0-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: kblockd blk_mq_run_work_fn
=====================================================


Tested on:

commit:         0dd3ee31 Linux 6.7
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
console output: https://syzkaller.appspot.com/x/log.txt?x=15dee522180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=373206b1ae2fe3d4
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1524ca02180000


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (7 preceding siblings ...)
  2024-02-25  0:27 ` [syzbot] [virtualization?] " Edward Adam Davis
@ 2024-02-25  1:50 ` syzbot
  2024-02-25  2:42 ` syzbot
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-25  1:50 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: penguin-kernel@i-love.sakura.ne.jp

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
 			   : "cc", "memory", "rax", "rcx");
 }
 
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+	memcpy(to, from, PAGE_SIZE);
+}
+#else
 void copy_page(void *to, void *from);
+#endif
 
 #ifdef CONFIG_X86_5LEVEL
 /*
diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c
index 5d6e2dee5692..0b09daa188ef 100644
--- a/mm/kmsan/hooks.c
+++ b/mm/kmsan/hooks.c
@@ -359,6 +359,12 @@ void kmsan_handle_dma_sg(struct scatterlist *sg, int nents,
 }
 
 /* Functions from kmsan-checks.h follow. */
+
+/*
+ * To create an origin, kmsan_poison_memory() unwinds the stacks and stores it
+ * into the stack depot. This may cause deadlocks if done from within KMSAN
+ * runtime, therefore we bail out if kmsan_in_runtime().
+ */
 void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
 {
 	if (!kmsan_enabled || kmsan_in_runtime())
@@ -371,47 +377,31 @@ void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
 }
 EXPORT_SYMBOL(kmsan_poison_memory);
 
+/*
+ * Unlike kmsan_poison_memory(), this function can be used from within KMSAN
+ * runtime, because it does not trigger allocations or call instrumented code.
+ */
 void kmsan_unpoison_memory(const void *address, size_t size)
 {
 	unsigned long ua_flags;
 
-	if (!kmsan_enabled || kmsan_in_runtime())
+	if (!kmsan_enabled)
 		return;
 
 	ua_flags = user_access_save();
-	kmsan_enter_runtime();
 	/* The users may want to poison/unpoison random memory. */
 	kmsan_internal_unpoison_memory((void *)address, size,
 				       KMSAN_POISON_NOCHECK);
-	kmsan_leave_runtime();
 	user_access_restore(ua_flags);
 }
 EXPORT_SYMBOL(kmsan_unpoison_memory);
 
 /*
- * Version of kmsan_unpoison_memory() that can be called from within the KMSAN
- * runtime.
- *
- * Non-instrumented IRQ entry functions receive struct pt_regs from assembly
- * code. Those regs need to be unpoisoned, otherwise using them will result in
- * false positives.
- * Using kmsan_unpoison_memory() is not an option in entry code, because the
- * return value of in_task() is inconsistent - as a result, certain calls to
- * kmsan_unpoison_memory() are ignored. kmsan_unpoison_entry_regs() ensures that
- * the registers are unpoisoned even if kmsan_in_runtime() is true in the early
- * entry code.
+ * Version of kmsan_unpoison_memory() called from IRQ entry functions.
  */
 void kmsan_unpoison_entry_regs(const struct pt_regs *regs)
 {
-	unsigned long ua_flags;
-
-	if (!kmsan_enabled)
-		return;
-
-	ua_flags = user_access_save();
-	kmsan_internal_unpoison_memory((void *)regs, sizeof(*regs),
-				       KMSAN_POISON_NOCHECK);
-	user_access_restore(ua_flags);
+	kmsan_unpoison_memory((void *)regs, sizeof(*regs));
 }
 
 void kmsan_check_memory(const void *addr, size_t size)




^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (8 preceding siblings ...)
  2024-02-25  1:50 ` [syzbot] Re: [syzbot] [virtualization?] " syzbot
@ 2024-02-25  2:42 ` syzbot
  2024-02-25  3:59 ` syzbot
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-25  2:42 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: penguin-kernel@i-love.sakura.ne.jp

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7

diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index cc6b8e087192..f13bba3a9dab 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -58,7 +58,16 @@ static inline void clear_page(void *page)
 			   : "cc", "memory", "rax", "rcx");
 }
 
+#ifdef CONFIG_KMSAN
+/* Use of non-instrumented assembly version confuses KMSAN. */
+void *memcpy(void *to, const void *from, __kernel_size_t len);
+static inline void copy_page(void *to, void *from)
+{
+	memcpy(to, from, PAGE_SIZE);
+}
+#else
 void copy_page(void *to, void *from);
+#endif
 
 #ifdef CONFIG_X86_5LEVEL
 /*
diff --git a/arch/x86/lib/copy_mc.c b/arch/x86/lib/copy_mc.c
index 6e8b7e600def..bc701dcbb133 100644
--- a/arch/x86/lib/copy_mc.c
+++ b/arch/x86/lib/copy_mc.c
@@ -61,9 +61,9 @@ unsigned long copy_mc_enhanced_fast_string(void *dst, const void *src, unsigned
  */
 unsigned long __must_check copy_mc_to_kernel(void *dst, const void *src, unsigned len)
 {
-	if (copy_mc_fragile_enabled)
+	if (0 && copy_mc_fragile_enabled)
 		return copy_mc_fragile(dst, src, len);
-	if (static_cpu_has(X86_FEATURE_ERMS))
+	if (0 && static_cpu_has(X86_FEATURE_ERMS))
 		return copy_mc_enhanced_fast_string(dst, src, len);
 	memcpy(dst, src, len);
 	return 0;
@@ -74,14 +74,14 @@ unsigned long __must_check copy_mc_to_user(void __user *dst, const void *src, un
 {
 	unsigned long ret;
 
-	if (copy_mc_fragile_enabled) {
+	if (0 && copy_mc_fragile_enabled) {
 		__uaccess_begin();
 		ret = copy_mc_fragile((__force void *)dst, src, len);
 		__uaccess_end();
 		return ret;
 	}
 
-	if (static_cpu_has(X86_FEATURE_ERMS)) {
+	if (0 && static_cpu_has(X86_FEATURE_ERMS)) {
 		__uaccess_begin();
 		ret = copy_mc_enhanced_fast_string((__force void *)dst, src, len);
 		__uaccess_end();
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index e0aa6b440ca5..039ffa49f324 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -253,11 +253,16 @@ size_t memcpy_from_iter_mc(void *iter_from, size_t progress,
 
 static size_t __copy_from_iter_mc(void *addr, size_t bytes, struct iov_iter *i)
 {
+	size_t ret;
+
 	if (unlikely(i->count < bytes))
 		bytes = i->count;
 	if (unlikely(!bytes))
 		return 0;
-	return iterate_bvec(i, bytes, addr, NULL, memcpy_from_iter_mc);
+	ret = iterate_bvec(i, bytes, addr, NULL, memcpy_from_iter_mc);
+	if (bytes != ret)
+		printk("addr=%px bytes=%d ret=%d\n", addr, bytes, ret);
+	return ret;
 }
 
 static __always_inline
diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c
index 5d6e2dee5692..0b09daa188ef 100644
--- a/mm/kmsan/hooks.c
+++ b/mm/kmsan/hooks.c
@@ -359,6 +359,12 @@ void kmsan_handle_dma_sg(struct scatterlist *sg, int nents,
 }
 
 /* Functions from kmsan-checks.h follow. */
+
+/*
+ * To create an origin, kmsan_poison_memory() unwinds the stacks and stores it
+ * into the stack depot. This may cause deadlocks if done from within KMSAN
+ * runtime, therefore we bail out if kmsan_in_runtime().
+ */
 void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
 {
 	if (!kmsan_enabled || kmsan_in_runtime())
@@ -371,47 +377,31 @@ void kmsan_poison_memory(const void *address, size_t size, gfp_t flags)
 }
 EXPORT_SYMBOL(kmsan_poison_memory);
 
+/*
+ * Unlike kmsan_poison_memory(), this function can be used from within KMSAN
+ * runtime, because it does not trigger allocations or call instrumented code.
+ */
 void kmsan_unpoison_memory(const void *address, size_t size)
 {
 	unsigned long ua_flags;
 
-	if (!kmsan_enabled || kmsan_in_runtime())
+	if (!kmsan_enabled)
 		return;
 
 	ua_flags = user_access_save();
-	kmsan_enter_runtime();
 	/* The users may want to poison/unpoison random memory. */
 	kmsan_internal_unpoison_memory((void *)address, size,
 				       KMSAN_POISON_NOCHECK);
-	kmsan_leave_runtime();
 	user_access_restore(ua_flags);
 }
 EXPORT_SYMBOL(kmsan_unpoison_memory);
 
 /*
- * Version of kmsan_unpoison_memory() that can be called from within the KMSAN
- * runtime.
- *
- * Non-instrumented IRQ entry functions receive struct pt_regs from assembly
- * code. Those regs need to be unpoisoned, otherwise using them will result in
- * false positives.
- * Using kmsan_unpoison_memory() is not an option in entry code, because the
- * return value of in_task() is inconsistent - as a result, certain calls to
- * kmsan_unpoison_memory() are ignored. kmsan_unpoison_entry_regs() ensures that
- * the registers are unpoisoned even if kmsan_in_runtime() is true in the early
- * entry code.
+ * Version of kmsan_unpoison_memory() called from IRQ entry functions.
  */
 void kmsan_unpoison_entry_regs(const struct pt_regs *regs)
 {
-	unsigned long ua_flags;
-
-	if (!kmsan_enabled)
-		return;
-
-	ua_flags = user_access_save();
-	kmsan_internal_unpoison_memory((void *)regs, sizeof(*regs),
-				       KMSAN_POISON_NOCHECK);
-	user_access_restore(ua_flags);
+	kmsan_unpoison_memory((void *)regs, sizeof(*regs));
 }
 
 void kmsan_check_memory(const void *addr, size_t size)



^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (9 preceding siblings ...)
  2024-02-25  2:42 ` syzbot
@ 2024-02-25  3:59 ` syzbot
  2024-03-06 13:14 ` syzbot
  2024-03-26 10:35 ` Tetsuo Handa
  12 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-25  3:59 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: penguin-kernel@i-love.sakura.ne.jp

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7

syzbot is reporting a false-positive KMSAN warning upon coredump, for
dump_emit_page() path reaches memcpy_from_iter_mc() via iterate_bvec()
by setting "struct iov_iter"->copy_mc to true.

Make arch/x86/lib/copy_mc.c not to call arch/x86/lib/copy_mc_64.S
when KMSAN is enabled.

Reported-by: syzbot <syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 arch/x86/lib/copy_mc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/x86/lib/copy_mc.c b/arch/x86/lib/copy_mc.c
index 6e8b7e600def..c6a0b8dbf58d 100644
--- a/arch/x86/lib/copy_mc.c
+++ b/arch/x86/lib/copy_mc.c
@@ -61,9 +61,9 @@ unsigned long copy_mc_enhanced_fast_string(void *dst, const void *src, unsigned
  */
 unsigned long __must_check copy_mc_to_kernel(void *dst, const void *src, unsigned len)
 {
-	if (copy_mc_fragile_enabled)
+	if (!IS_ENABLED(CONFIG_KMSAN) && copy_mc_fragile_enabled)
 		return copy_mc_fragile(dst, src, len);
-	if (static_cpu_has(X86_FEATURE_ERMS))
+	if (!IS_ENABLED(CONFIG_KMSAN) && static_cpu_has(X86_FEATURE_ERMS))
 		return copy_mc_enhanced_fast_string(dst, src, len);
 	memcpy(dst, src, len);
 	return 0;
@@ -74,14 +74,14 @@ unsigned long __must_check copy_mc_to_user(void __user *dst, const void *src, un
 {
 	unsigned long ret;
 
-	if (copy_mc_fragile_enabled) {
+	if (!IS_ENABLED(CONFIG_KMSAN) && copy_mc_fragile_enabled) {
 		__uaccess_begin();
 		ret = copy_mc_fragile((__force void *)dst, src, len);
 		__uaccess_end();
 		return ret;
 	}
 
-	if (static_cpu_has(X86_FEATURE_ERMS)) {
+	if (!IS_ENABLED(CONFIG_KMSAN) && static_cpu_has(X86_FEATURE_ERMS)) {
 		__uaccess_begin();
 		ret = copy_mc_enhanced_fast_string((__force void *)dst, src, len);
 		__uaccess_end();
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (10 preceding siblings ...)
  2024-02-25  3:59 ` syzbot
@ 2024-03-06 13:14 ` syzbot
  2024-03-26 10:35 ` Tetsuo Handa
  12 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-03-06 13:14 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: penguin-kernel@i-love.sakura.ne.jp

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7

diff --git a/arch/x86/lib/copy_mc.c b/arch/x86/lib/copy_mc.c
index 6e8b7e600def..6858f80fc9a2 100644
--- a/arch/x86/lib/copy_mc.c
+++ b/arch/x86/lib/copy_mc.c
@@ -61,12 +61,18 @@ unsigned long copy_mc_enhanced_fast_string(void *dst, const void *src, unsigned
  */
 unsigned long __must_check copy_mc_to_kernel(void *dst, const void *src, unsigned len)
 {
-	if (copy_mc_fragile_enabled)
-		return copy_mc_fragile(dst, src, len);
-	if (static_cpu_has(X86_FEATURE_ERMS))
-		return copy_mc_enhanced_fast_string(dst, src, len);
-	memcpy(dst, src, len);
-	return 0;
+	unsigned long ret;
+
+	if (copy_mc_fragile_enabled) {
+		ret = copy_mc_fragile(dst, src, len);
+	} else if (static_cpu_has(X86_FEATURE_ERMS)) {
+		ret = copy_mc_enhanced_fast_string(dst, src, len);
+	} else {
+		memcpy(dst, src, len);
+		ret = 0;
+	}
+	kmsan_memmove(dst, src, len - ret);
+	return ret;
 }
 EXPORT_SYMBOL_GPL(copy_mc_to_kernel);
 
@@ -78,15 +84,13 @@ unsigned long __must_check copy_mc_to_user(void __user *dst, const void *src, un
 		__uaccess_begin();
 		ret = copy_mc_fragile((__force void *)dst, src, len);
 		__uaccess_end();
-		return ret;
-	}
-
-	if (static_cpu_has(X86_FEATURE_ERMS)) {
+	} else if (static_cpu_has(X86_FEATURE_ERMS)) {
 		__uaccess_begin();
 		ret = copy_mc_enhanced_fast_string((__force void *)dst, src, len);
 		__uaccess_end();
-		return ret;
+	} else {
+		ret = copy_user_generic((__force void *)dst, src, len);
 	}
-
-	return copy_user_generic((__force void *)dst, src, len);
+	kmsan_copy_to_user(dst, src, len, ret);
+	return ret;
 }
diff --git a/include/linux/kmsan-checks.h b/include/linux/kmsan-checks.h
index c4cae333deec..4c2a614dab2d 100644
--- a/include/linux/kmsan-checks.h
+++ b/include/linux/kmsan-checks.h
@@ -61,6 +61,17 @@ void kmsan_check_memory(const void *address, size_t size);
 void kmsan_copy_to_user(void __user *to, const void *from, size_t to_copy,
 			size_t left);
 
+/**
+ * kmsan_memmove() - Notify KMSAN about a data copy within kernel.
+ * @to:   destination address in the kernel.
+ * @from: source address in the kernel.
+ * @size: number of bytes to copy.
+ *
+ * Invoked after non-instrumented version (e.g. implemented using assembly
+ * code) of memmove()/memcpy() is called, in order to copy KMSAN's metadata.
+ */
+void kmsan_memmove(void *to, const void *from, size_t size);
+
 #else
 
 static inline void kmsan_poison_memory(const void *address, size_t size,
@@ -77,6 +88,9 @@ static inline void kmsan_copy_to_user(void __user *to, const void *from,
 				      size_t to_copy, size_t left)
 {
 }
+static inline void kmsan_memmove(void *to, const void *from, size_t size)
+{
+}
 
 #endif
 
diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c
index 5d6e2dee5692..364f778ee226 100644
--- a/mm/kmsan/hooks.c
+++ b/mm/kmsan/hooks.c
@@ -285,6 +285,17 @@ void kmsan_copy_to_user(void __user *to, const void *from, size_t to_copy,
 }
 EXPORT_SYMBOL(kmsan_copy_to_user);
 
+void kmsan_memmove(void *to, const void *from, size_t size)
+{
+	if (!kmsan_enabled || kmsan_in_runtime())
+		return;
+
+	kmsan_enter_runtime();
+	kmsan_internal_memmove_metadata(to, (void *)from, size);
+	kmsan_leave_runtime();
+}
+EXPORT_SYMBOL(kmsan_memmove);
+
 /* Helper function to check an URB. */
 void kmsan_handle_urb(const struct urb *urb, bool is_out)
 {


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
  2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
                   ` (11 preceding siblings ...)
  2024-03-06 13:14 ` syzbot
@ 2024-03-26 10:35 ` Tetsuo Handa
  12 siblings, 0 replies; 35+ messages in thread
From: Tetsuo Handa @ 2024-03-26 10:35 UTC (permalink / raw)
  To: syzbot, linux-kernel, syzkaller-bugs

#syz fix: x86: call instrumentation hooks from copy_mc.c


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
       [not found] <90aa64af-52f4-4320-b52e-29370be8c3c8@I-love.SAKURA.ne.jp>
@ 2024-03-06 14:38 ` syzbot
  0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-03-06 14:38 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com

Tested on:

commit:         0dd3ee31 Linux 6.7
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
console output: https://syzkaller.appspot.com/x/log.txt?x=1179b951180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=985e3e4313e68ef5
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11008686180000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
       [not found] <2eccab0b-c251-4094-8f2b-2bc9ac3def8e@I-love.SAKURA.ne.jp>
@ 2024-02-25  4:33 ` syzbot
  0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-25  4:33 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com

Tested on:

commit:         0dd3ee31 Linux 6.7
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
console output: https://syzkaller.appspot.com/x/log.txt?x=115dcc5c180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=373206b1ae2fe3d4
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1018e874180000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
       [not found] <554675d7-afc8-445f-94b1-8bba0a774dc3@I-love.SAKURA.ne.jp>
@ 2024-02-25  3:12 ` syzbot
  0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-25  3:12 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com

Tested on:

commit:         0dd3ee31 Linux 6.7
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7
console output: https://syzkaller.appspot.com/x/log.txt?x=13efd0c4180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=373206b1ae2fe3d4
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=179789d8180000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [syzbot] [mm] KMSAN: uninit-value in virtqueue_add (4)
       [not found] <f555e0b7-00f6-48e2-abe5-b29bedf8c4c3@I-love.SAKURA.ne.jp>
@ 2024-02-25  2:19 ` syzbot
  0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2024-02-25  2:19 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

 processors activated (8800.82 BogoMIPS)
[    1.438059][    T1] devtmpfs: initialized
[    1.438059][    T1] x86/mm: Memory block size: 128MB
[    1.537424][    T1] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    1.541248][    T1] futex hash table entries: 512 (order: 3, 32768 bytes, vmalloc)
[    1.543999][    T1] PM: RTC time: 02:09:52, date: 2024-02-25
[    1.551035][    T1] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[    1.570747][    T1] audit: initializing netlink subsys (disabled)
[    1.573762][   T27] audit: type=2000 audit(1708826992.525:1): state=initialized audit_enabled=0 res=1
[    1.589225][    T1] thermal_sys: Registered thermal governor 'step_wise'
[    1.589289][    T1] thermal_sys: Registered thermal governor 'user_space'
[    1.591526][    T1] cpuidle: using governor menu
[    1.594184][    T1] NET: Registered PF_QIPCRTR protocol family
[    1.609953][    T1] dca service started, version 1.12.1
[    1.610033][    T1] PCI: Using configuration type 1 for base access
[    1.637050][    T1] HugeTLB: registered 1.00 GiB page size, pre-allocated 0 pages
[    1.640047][    T1] HugeTLB: 0 KiB vmemmap can be freed for a 1.00 GiB page
[    1.642925][    T1] HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages
[    1.643291][    T1] HugeTLB: 0 KiB vmemmap can be freed for a 2.00 MiB page
[    1.693336][    T1] raid6: skipped pq benchmark and selected avx2x4
[    1.693336][    T1] raid6: using avx2x2 recovery algorithm
[    1.697685][    T1] ACPI: Added _OSI(Module Device)
[    1.700031][    T1] ACPI: Added _OSI(Processor Device)
[    1.703277][    T1] ACPI: Added _OSI(3.0 _SCP Extensions)
[    1.705648][    T1] ACPI: Added _OSI(Processor Aggregator Device)
[    2.205354][    T1] ACPI: 2 ACPI AML tables successfully acquired and loaded
[    2.299980][    T1] ACPI: _OSC evaluation for CPUs failed, trying _PDC
[    2.362337][    T1] ACPI: Interpreter enabled
[    2.364750][    T1] ACPI: PM: (supports S0 S3 S4 S5)
[    2.365761][    T1] ACPI: Using IOAPIC for interrupt routing
[    2.368508][    T1] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
[    2.371280][    T1] PCI: Ignoring E820 reservations for host bridge windows
[    2.390515][    T1] ACPI: Enabled 16 GPEs in block 00 to 0F
[    3.115531][    T1] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
[    3.117418][    T1] acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI HPX-Type3]
[    3.119220][    T1] acpi PNP0A03:00: _OSC: not requesting OS control; OS requires [ExtendedConfig ASPM ClockPM MSI]
[    3.123713][    T1] acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended configuration space under this bridge
[    3.193294][    T1] PCI host bridge to bus 0000:00
[    3.193294][    T1] pci_bus 0000:00: Unknown NUMA node; performance will be reduced
[    3.194712][    T1] pci_bus 0000:00: root bus resource [io  0x0000-0x0cf7 window]
[    3.196205][    T1] pci_bus 0000:00: root bus resource [io  0x0d00-0xffff window]
[    3.197730][    T1] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
[    3.199394][    T1] pci_bus 0000:00: root bus resource [mem 0xc0000000-0xfebfefff window]
[    3.200955][    T1] pci_bus 0000:00: root bus resource [bus 00-ff]
[    3.204545][    T1] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000 conventional PCI endpoint
[    3.216364][    T1] pci 0000:00:01.0: [8086:7110] type 00 class 0x060100 conventional PCI endpoint
[    3.259076][    T1] pci 0000:00:01.3: [8086:7113] type 00 class 0x068000 conventional PCI endpoint
[    3.289965][    T1] pci 0000:00:01.3: quirk: [io  0xb000-0xb03f] claimed by PIIX4 ACPI
[    3.303975][    T1] pci 0000:00:03.0: [1af4:1004] type 00 class 0x000000 conventional PCI endpoint
[    3.316498][    T1] pci 0000:00:03.0: BAR 0 [io  0xc000-0xc03f]
[    3.324669][    T1] pci 0000:00:03.0: BAR 1 [mem 0xfe800000-0xfe80007f]
[    3.358364][    T1] pci 0000:00:04.0: [1af4:1000] type 00 class 0x020000 conventional PCI endpoint
[    3.374736][    T1] pci 0000:00:04.0: BAR 0 [io  0xc040-0xc07f]
[    3.383283][    T1] pci 0000:00:04.0: BAR 1 [mem 0xfe801000-0xfe80107f]
[    3.419323][    T1] pci 0000:00:05.0: [1ae0:a002] type 00 class 0x030000 conventional PCI endpoint
[    3.437913][    T1] pci 0000:00:05.0: BAR 0 [mem 0xfe000000-0xfe7fffff]
[    3.476881][    T1] pci 0000:00:05.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
[    3.495064][    T1] pci 0000:00:06.0: [1af4:1002] type 00 class 0x00ff00 conventional PCI endpoint
[    3.509218][    T1] pci 0000:00:06.0: BAR 0 [io  0xc080-0xc09f]
[    3.518528][    T1] pci 0000:00:06.0: BAR 1 [mem 0xfe802000-0xfe80207f]
[    3.557251][    T1] pci 0000:00:07.0: [1af4:1005] type 00 class 0x00ff00 conventional PCI endpoint
[    3.569662][    T1] pci 0000:00:07.0: BAR 0 [io  0xc0a0-0xc0bf]
[    3.578093][    T1] pci 0000:00:07.0: BAR 1 [mem 0xfe803000-0xfe80303f]
[    3.723845][    T1] ACPI: PCI: Interrupt link LNKA configured for IRQ 10
[    3.748176][    T1] ACPI: PCI: Interrupt link LNKB configured for IRQ 10
[    3.771042][    T1] ACPI: PCI: Interrupt link LNKC configured for IRQ 11
[    3.793854][    T1] ACPI: PCI: Interrupt link LNKD configured for IRQ 11
[    3.805804][    T1] ACPI: PCI: Interrupt link LNKS configured for IRQ 9
[    3.874360][    T1] iommu: Default domain type: Translated
[    3.874835][    T1] iommu: DMA domain TLB invalidation policy: lazy mode
[    3.890314][    T1] =====================================================
[    3.890556][    T1] BUG: KMSAN: uninit-value in __list_del_entry_valid_or_report+0x19e/0x490
[    3.890717][    T1]  __list_del_entry_valid_or_report+0x19e/0x490
[    3.890868][    T1]  stack_depot_save_flags+0x3e7/0x7b0
[    3.890973][    T1]  stack_depot_save+0x12/0x20
[    3.891068][    T1]  ref_tracker_alloc+0x215/0x700
[    3.891170][    T1]  sk_alloc+0x7b4/0x850
[    3.891271][    T1]  __netlink_kernel_create+0x1ec/0xe50
[    3.891398][    T1]  scsi_netlink_init+0x6f/0x140
[    3.891505][    T1]  init_scsi+0x1dc/0x300
[    3.891593][    T1]  do_one_initcall+0x216/0x960
[    3.891705][    T1]  do_initcall_level+0x140/0x350
[    3.891814][    T1]  do_initcalls+0xf0/0x1d0
[    3.891913][    T1]  do_basic_setup+0x22/0x30
[    3.892013][    T1]  kernel_init_freeable+0x300/0x4b0
[    3.892122][    T1]  kernel_init+0x2f/0x7e0
[    3.892241][    T1]  ret_from_fork+0x66/0x80
[    3.892364][    T1]  ret_from_fork_asm+0x11/0x20
[    3.892477][    T1] 
[    3.892491][    T1] Uninit was created at:
[    3.892629][    T1]  __alloc_pages+0x9a4/0xe00
[    3.892712][    T1]  alloc_pages_mpol+0x62b/0x9d0
[    3.892806][    T1]  alloc_pages+0x1be/0x1e0
[    3.892895][    T1]  stack_depot_save_flags+0x73a/0x7b0
[    3.892999][    T1]  stack_depot_save+0x12/0x20
[    3.893094][    T1]  ref_tracker_alloc+0x215/0x700
[    3.893196][    T1]  sk_alloc+0x7b4/0x850
[    3.893197][    T1]  __netlink_kernel_create+0x1ec/0xe50
[    3.893197][    T1]  cn_init+0x6f/0x280
[    3.893197][    T1]  do_one_initcall+0x216/0x960
[    3.893197][    T1]  do_initcall_level+0x140/0x350
[    3.893197][    T1]  do_initcalls+0xf0/0x1d0
[    3.893197][    T1]  do_basic_setup+0x22/0x30
[    3.893197][    T1]  kernel_init_freeable+0x300/0x4b0
[    3.893197][    T1]  kernel_init+0x2f/0x7e0
[    3.893197][    T1]  ret_from_fork+0x66/0x80
[    3.893197][    T1]  ret_from_fork_asm+0x11/0x20
[    3.893197][    T1] 
[    3.893197][    T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc5-syzkaller-00329-gab0a97cffa0b-dirty #0
[    3.893197][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[    3.893197][    T1] =====================================================
[    3.893197][    T1] Disabling lock debugging due to kernel taint
[    3.893197][    T1] Kernel panic - not syncing: kmsan.panic set ...
[    3.893197][    T1] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G    B              6.8.0-rc5-syzkaller-00329-gab0a97cffa0b-dirty #0
[    3.893197][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[    3.893197][    T1] Call Trace:
[    3.893197][    T1]  <TASK>
[    3.893197][    T1]  dump_stack_lvl+0x1bf/0x240
[    3.893197][    T1]  dump_stack+0x1e/0x20
[    3.893197][    T1]  panic+0x4de/0xc90
[    3.893197][    T1]  kmsan_report+0x2d0/0x2d0
[    3.893197][    T1]  ? kmsan_metadata_is_contiguous+0x66/0x1e0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? __msan_warning+0x96/0x110
[    3.893197][    T1]  ? __list_del_entry_valid_or_report+0x19e/0x490
[    3.893197][    T1]  ? stack_depot_save_flags+0x3e7/0x7b0
[    3.893197][    T1]  ? stack_depot_save+0x12/0x20
[    3.893197][    T1]  ? ref_tracker_alloc+0x215/0x700
[    3.893197][    T1]  ? sk_alloc+0x7b4/0x850
[    3.893197][    T1]  ? __netlink_kernel_create+0x1ec/0xe50
[    3.893197][    T1]  ? scsi_netlink_init+0x6f/0x140
[    3.893197][    T1]  ? init_scsi+0x1dc/0x300
[    3.893197][    T1]  ? do_one_initcall+0x216/0x960
[    3.893197][    T1]  ? do_initcall_level+0x140/0x350
[    3.893197][    T1]  ? do_initcalls+0xf0/0x1d0
[    3.893197][    T1]  ? do_basic_setup+0x22/0x30
[    3.893197][    T1]  ? kernel_init_freeable+0x300/0x4b0
[    3.893197][    T1]  ? kernel_init+0x2f/0x7e0
[    3.893197][    T1]  ? ret_from_fork+0x66/0x80
[    3.893197][    T1]  ? ret_from_fork_asm+0x11/0x20
[    3.893197][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[    3.893197][    T1]  ? _raw_spin_lock_irqsave+0x35/0xc0
[    3.893197][    T1]  ? filter_irq_stacks+0x60/0x1a0
[    3.893197][    T1]  ? stack_depot_save_flags+0x2c/0x7b0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[    3.893197][    T1]  __msan_warning+0x96/0x110
[    3.893197][    T1]  __list_del_entry_valid_or_report+0x19e/0x490
[    3.893197][    T1]  stack_depot_save_flags+0x3e7/0x7b0
[    3.893197][    T1]  stack_depot_save+0x12/0x20
[    3.893197][    T1]  ref_tracker_alloc+0x215/0x700
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? sk_alloc+0x7b4/0x850
[    3.893197][    T1]  ? __netlink_kernel_create+0x1ec/0xe50
[    3.893197][    T1]  ? scsi_netlink_init+0x6f/0x140
[    3.893197][    T1]  ? init_scsi+0x1dc/0x300
[    3.893197][    T1]  ? do_one_initcall+0x216/0x960
[    3.893197][    T1]  ? do_initcall_level+0x140/0x350
[    3.893197][    T1]  ? do_initcalls+0xf0/0x1d0
[    3.893197][    T1]  ? do_basic_setup+0x22/0x30
[    3.893197][    T1]  ? kernel_init_freeable+0x300/0x4b0
[    3.893197][    T1]  ? kernel_init+0x2f/0x7e0
[    3.893197][    T1]  ? ret_from_fork+0x66/0x80
[    3.893197][    T1]  ? ret_from_fork_asm+0x11/0x20
[    3.893197][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[    3.893197][    T1]  sk_alloc+0x7b4/0x850
[    3.893197][    T1]  __netlink_kernel_create+0x1ec/0xe50
[    3.893197][    T1]  ? kmsan_internal_memmove_metadata+0x91/0x220
[    3.893197][    T1]  scsi_netlink_init+0x6f/0x140
[    3.893197][    T1]  ? scsi_netlink_init+0x140/0x140
[    3.893197][    T1]  init_scsi+0x1dc/0x300
[    3.893197][    T1]  ? udmabuf_dev_init+0x2a0/0x2a0
[    3.893197][    T1]  do_one_initcall+0x216/0x960
[    3.893197][    T1]  ? udmabuf_dev_init+0x2a0/0x2a0
[    3.893197][    T1]  ? kmsan_get_metadata+0x80/0x1c0
[    3.893197][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[    3.893197][    T1]  ? filter_irq_stacks+0x164/0x1a0
[    3.893197][    T1]  ? stack_depot_save_flags+0x2c/0x7b0
[    3.893197][    T1]  ? skip_spaces+0x8f/0xc0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[    3.893197][    T1]  ? parse_args+0x1511/0x15e0
[    3.893197][    T1]  ? kmsan_get_metadata+0x146/0x1c0
[    3.893197][    T1]  ? kmsan_get_shadow_origin_ptr+0x4d/0xa0
[    3.893197][    T1]  ? udmabuf_dev_init+0x2a0/0x2a0
[    3.893197][    T1]  do_initcall_level+0x140/0x350
[    3.893197][    T1]  do_initcalls+0xf0/0x1d0
[    3.893197][    T1]  ? arch_cpuhp_init_parallel_bringup+0xe0/0xe0
[    3.893197][    T1]  do_basic_setup+0x22/0x30
[    3.893197][    T1]  kernel_init_freeable+0x300/0x4b0
[    3.893197][    T1]  ? rest_init+0x260/0x260
[    3.893197][    T1]  kernel_init+0x2f/0x7e0
[    3.893197][    T1]  ? rest_init+0x260/0x260
[    3.893197][    T1]  ret_from_fork+0x66/0x80
[    3.893197][    T1]  ? rest_init+0x260/0x260
[    3.893197][    T1]  ret_from_fork_asm+0x11/0x20
[    3.893197][    T1]  </TASK>


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3486373933=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 9bd8dcda8
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9bd8dcda8c7c494d59bd3132a668f4784ea835c6 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240119-142441'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9bd8dcda8c7c494d59bd3132a668f4784ea835c6\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=147e9a30180000


Tested on:

commit:         ab0a97cf Merge tag 'powerpc-6.8-4' of git://git.kernel..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=d33318d4e4a0d226
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=126caac4180000


^ permalink raw reply	[flat|nested] 35+ messages in thread

end of thread, other threads:[~2024-03-26 10:35 UTC | newest]

Thread overview: 35+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-01-01 13:38 [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4) syzbot
2024-01-02  7:38 ` Tetsuo Handa
2024-01-03  9:59   ` Tetsuo Handa
2024-02-21 11:04   ` Tetsuo Handa
2024-01-02  7:38 ` [syzbot] " syzbot
2024-01-02 13:03 ` Michael S. Tsirkin
2024-01-04 20:45   ` Stefan Hajnoczi
2024-01-24 10:47     ` Alexander Potapenko
2024-01-24 21:25       ` Stefan Hajnoczi
2024-01-26  0:43 ` Edward Adam Davis
2024-01-26  1:26   ` [syzbot] [mm] " syzbot
2024-01-26  1:35 ` [syzbot] [virtualization?] " Edward Adam Davis
2024-01-26  1:43   ` [syzbot] [mm] " syzbot
2024-01-26 10:19   ` [syzbot] [virtualization?] " Alexander Potapenko
2024-01-26  6:57 ` Edward Adam Davis
2024-01-26  7:34   ` [syzbot] [mm] " syzbot
2024-02-24  5:53 ` [syzbot] [virtualization?] " Tetsuo Handa
2024-02-24  6:22   ` [syzbot] [mm] " syzbot
2024-02-24 10:47   ` [syzbot] [virtualization?] " Tetsuo Handa
2024-02-24 11:19     ` [syzbot] [mm] " syzbot
2024-02-24 14:03     ` [syzbot] [virtualization?] " Tetsuo Handa
2024-02-24 14:24       ` [syzbot] [mm] " syzbot
2024-02-25  0:01       ` [syzbot] [virtualization?] " Tetsuo Handa
2024-02-25  0:21         ` [syzbot] [mm] " syzbot
2024-02-25  0:27 ` [syzbot] [virtualization?] " Edward Adam Davis
2024-02-25  0:52   ` [syzbot] [mm] " syzbot
2024-02-25  1:50 ` [syzbot] Re: [syzbot] [virtualization?] " syzbot
2024-02-25  2:42 ` syzbot
2024-02-25  3:59 ` syzbot
2024-03-06 13:14 ` syzbot
2024-03-26 10:35 ` Tetsuo Handa
     [not found] <f555e0b7-00f6-48e2-abe5-b29bedf8c4c3@I-love.SAKURA.ne.jp>
2024-02-25  2:19 ` [syzbot] [mm] " syzbot
     [not found] <554675d7-afc8-445f-94b1-8bba0a774dc3@I-love.SAKURA.ne.jp>
2024-02-25  3:12 ` syzbot
     [not found] <2eccab0b-c251-4094-8f2b-2bc9ac3def8e@I-love.SAKURA.ne.jp>
2024-02-25  4:33 ` syzbot
     [not found] <90aa64af-52f4-4320-b52e-29370be8c3c8@I-love.SAKURA.ne.jp>
2024-03-06 14:38 ` syzbot

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.