From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from www262.sakura.ne.jp ([202.181.97.72]:12106 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753477AbdIDMMn (ORCPT ); Mon, 4 Sep 2017 08:12:43 -0400
To: viro@zeniv.linux.org.uk
Cc: linux-fsdevel@vger.kernel.org
Subject: fs: Uninitialized memory read at take_dentry_name_snapshot
From: Tetsuo Handa
Message-Id: <201709042112.BFB76862.FQVFMSOtOJFHOL@I-love.SAKURA.ne.jp>
Date: Mon, 4 Sep 2017 21:12:38 +0900
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

Hello.

I hit a kmemcheck splat on commit 49d31c2f389acfe8 ("dentry name snapshots") using linux-next-20170901.
Changing to strncpy() fixes this problem, but is using strncpy() only if CONFIG_KMEMCHECK=y better for performance?

[  788.180175] WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50)
[  788.184248] 636f6e66696766732e746d70000000000010000000000000020000000188ffff
[  788.186989]  i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u
[  788.189841]                          ^
[  788.191937] RIP: 0010:take_dentry_name_snapshot+0x28/0x50
[  788.194225] RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246
[  788.196453] RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002
[  788.199200] RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60
[  788.201950] RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001
[  788.204773] R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00
[  788.207625] R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000
[  788.210399] FS:  00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000
[  788.213422] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  788.215811] CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0
[  788.218679]  take_dentry_name_snapshot+0x28/0x50
[  788.220915]  vfs_rename+0x128/0x870
[  788.222765]  SyS_rename+0x3b2/0x3d0
[  788.224549]  entry_SYSCALL_64_fastpath+0x1a/0xa4
[  788.226645] 0xffffffffffffffff

# ./scripts/faddr2line vmlinux take_dentry_name_snapshot+0x28/0x50
take_dentry_name_snapshot+0x28/0x50:
__inline_memcpy at arch/x86/include/asm/string_64.h:13
(inlined by) take_dentry_name_snapshot at fs/dcache.c:294

0000000000000330 <take_dentry_name_snapshot>:
 330:   55                      push   %rbp
 331:   48 89 fa                mov    %rdi,%rdx
 334:   48 89 e5                mov    %rsp,%rbp
 337:   48 8b 46 28             mov    0x28(%rsi),%rax
 33b:   48 83 c6 38             add    $0x38,%rsi
 33f:   48 39 f0                cmp    %rsi,%rax
 342:   75 26                   jne    36a
 344:   4c 8d 47 08             lea    0x8(%rdi),%r8
 348:   48 89 c6                mov    %rax,%rsi
 34b:   b9 08 00 00 00          mov    $0x8,%ecx
 350:   b8 20 00 00 00          mov    $0x20,%eax
 355:   4c 89 c7                mov    %r8,%rdi
 358:   f3 a5                   rep movsl %ds:(%rsi),%es:(%rdi)   // <= take_dentry_name_snapshot+0x28/0x50
 35a:   a8 02                   test   $0x2,%al
 35c:   74 02                   je     360
 35e:   66 a5                   movsw  %ds:(%rsi),%es:(%rdi)
 360:   a8 01                   test   $0x1,%al
 362:   74 01                   je     365
 364:   a4                      movsb  %ds:(%rsi),%es:(%rdi)
 365:   4c 89 02                mov    %r8,(%rdx)
 368:   5d                      pop    %rbp
 369:   c3                      retq
 36a:   ff 40 f0                incl   -0x10(%rax)
 36d:   48 89 07                mov    %rax,(%rdi)
 370:   5d                      pop    %rbp
 371:   c3                      retq
 372:   0f 1f 40 00             nopl   0x0(%rax)
 376:   66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
 37d:   00 00 00
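A user-space model of the copy the report describes, added here as an example and not part of the mail or of the kernel source: a 32-byte inline name buffer (DNAME_INLINE_LEN on x86_64, the $0x20 in the disassembly) carries a shadow map of which bytes were ever written, the way kmemcheck's i/u row does, and count_uninit_reads() reports how many never-written source bytes a full-width memcpy() reads compared with a strncpy()-style copy that stops at the terminator. The name "configfs.tmp" is the one the hex dump decodes to; the stale tail is constructed, and the struct layout is a simplification rather than the real struct dentry.

```c
#include <stdio.h>
#include <string.h>

#define DNAME_INLINE_LEN 32 /* x86_64 value; matches "mov $0x20,%eax" in the dump */

/* Inline name buffer plus a shadow map of bytes ever written (kmemcheck's i/u row). */
struct inline_name {
    char buf[DNAME_INLINE_LEN];
    unsigned char written[DNAME_INLINE_LEN];
};
/* Store a short name: only the characters and the NUL become initialized;
 * the tail keeps stale contents (constructed here as 0xAA, never "written"). */
static void set_inline_name(struct inline_name *n, const char *s)
{
    size_t len = strlen(s);
    if (len >= DNAME_INLINE_LEN)
        len = DNAME_INLINE_LEN - 1;
    memset(n->buf, 0xAA, sizeof n->buf);
    memset(n->written, 0, sizeof n->written);
    memcpy(n->buf, s, len);
    n->buf[len] = '\0';
    memset(n->written, 1, len + 1);
}

/* Number of uninitialized source bytes a snapshot copy reads for `name`.
 * stop_at_nul == 0: memcpy(dst, src, DNAME_INLINE_LEN), the copy in the report.
 * stop_at_nul != 0: strncpy()-style copy, which reads no further than the NUL. */
size_t count_uninit_reads(const char *name, int stop_at_nul)
{
    struct inline_name n;
    char dst[DNAME_INLINE_LEN];
    size_t i, reads = DNAME_INLINE_LEN, uninit = 0;
    set_inline_name(&n, name);
    if (stop_at_nul) {
        strncpy(dst, n.buf, DNAME_INLINE_LEN); /* pads dst with zeros, stops reading at NUL */
        reads = strlen(n.buf) + 1;
    } else {
        memcpy(dst, n.buf, DNAME_INLINE_LEN); /* reads every byte, initialized or not */
    }
    for (i = 0; i < reads; i++)
        if (!n.written[i])
            uninit++;
    return uninit;
}

int main(void)
{
    printf("memcpy : %zu uninitialized bytes read\n", count_uninit_reads("configfs.tmp", 0));
    printf("strncpy: %zu uninitialized bytes read\n", count_uninit_reads("configfs.tmp", 1));
    return 0;
}
```

For a 12-character name the full-width copy reads 19 bytes that were never written, which is the class of read kmemcheck flagged; a name that fills the buffer (31 characters plus NUL) reads none either way.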