Linux-Fsdevel Archive on
 help / color / Atom feed
From: Tetsuo Handa <>
Subject: [PATCH] dentry: Fix kmemcheck splat at take_dentry_name_snapshot()
Date: Wed, 13 Sep 2017 19:12:07 +0900
Message-ID: <> (raw)
In-Reply-To: <>

Vegard Nossum wrote:
> kmemcheck knows how to memcpy() the shadow memory state between two
> slab-allocated objects, but it doesn't track memory state for the
> stack so if you're copying partially uninitialised object to the stack
> (which I'm guessing is the case here?) then it will produce the
> warning Tetsuo Handa saw.
> BTW as soon as msan/kmsan support for the kernel [1] is merged I am
> planning to nuke kmemcheck from the kernel. msan/kmsan should handle
> it properly.
> [1]:

I think kmemcheck is correct and msan/kmsan must as well splat here,
for they won't be able to know that this

  unsigned char d_iname[DNAME_INLINE_LEN];        /* small names */

field is interpreted as "only bytes up to first '\0' are valid".

>>From c4fe364445f7b2490209aba90b289f0543b3cfa8 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <>
Date: Wed, 13 Sep 2017 18:47:50 +0900
Subject: [PATCH] dentry: Fix kmemcheck splat at take_dentry_name_snapshot()

Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes are
initialized at __d_alloc(), we can't copy the whole size unconditionally.

 WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50)
  i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u
 RIP: 0010:take_dentry_name_snapshot+0x28/0x50
 RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246
 RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002
 RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60
 RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001
 R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00
 R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000
 FS:  00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0

Signed-off-by: Tetsuo Handa <>
 fs/dcache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index f901413..ad6d328 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -291,7 +291,8 @@ void take_dentry_name_snapshot(struct name_snapshot *name, struct dentry *dentry
 		name->name = p->name;
 	} else {
-		memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN);
+		memcpy(name->inline_name, dentry->d_iname,
+		       dentry->d_name.len + 1);
 		name->name = name->inline_name;

      reply index

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-04 12:12 fs: Uninitialized memory read at take_dentry_name_snapshot Tetsuo Handa
2017-09-04 13:21 ` Al Viro
2017-09-04 14:11   ` Tetsuo Handa
2017-09-04 14:22     ` Al Viro
2017-09-04 16:56       ` Vegard Nossum
2017-09-13 10:12         ` Tetsuo Handa [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Fsdevel Archive on

Archives are clonable:
	git clone --mirror linux-fsdevel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-fsdevel linux-fsdevel/ \
	public-inbox-index linux-fsdevel

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone