[syzbot] KMSAN: uninit-value in do_user_addr_fault (3)

Dmitry Vyukov dvyukov at google.com
Thu Mar 24 07:16:42 PDT 2022


On Thu, 24 Mar 2022 at 14:48, syzbot
<syzbot+6684a9d1b4d61d0b8f3e at syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    724946410067 x86: kmsan: enable KMSAN builds for x86
> git tree:       https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=1734f916700000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=76f99026248b24e4
> dashboard link: https://syzkaller.appspot.com/bug?extid=6684a9d1b4d61d0b8f3e
> compiler:       clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14b1cbf2700000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=131d38a6700000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+6684a9d1b4d61d0b8f3e at syzkaller.appspotmail.com

+linux-riscv as there are some riscv bugs bucketed here as well:

BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
arch/riscv/kernel/stacktrace.c:57
Read of size 8 at addr ffffaf800bd53d60 by task syz-executor.0/2044

CPU: 0 PID: 2044 Comm: syz-executor.0 Not tainted
5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330
mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8000a052>] walk_stackframe+0x11c/0x260
arch/riscv/kernel/stacktrace.c:57
[<ffffffff8000a4a4>] arch_stack_walk+0x2c/0x3c
arch/riscv/kernel/stacktrace.c:146
[<ffffffff80162ac8>] stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
[<ffffffff80473abe>] kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38

If risc-v stack walking is intentionally imprecise, then it needs
kasan annotations as other arches do for async stack walking. Or
otherwise it looks like a stack walking precision bug.





> =====================================================
> BUG: KMSAN: uninit-value in arch_stack_walk+0x1ad/0x3c0 arch/x86/kernel/stacktrace.c:21
>  arch_stack_walk+0x1ad/0x3c0 arch/x86/kernel/stacktrace.c:21
>  stack_trace_save+0x43/0x60 kernel/stacktrace.c:122
>  kmsan_save_stack_with_flags mm/kmsan/core.c:80 [inline]
>  kmsan_internal_chain_origin+0xa9/0x110 mm/kmsan/core.c:217
>  kmsan_internal_memmove_metadata+0x1f2/0x2e0 mm/kmsan/core.c:165
>  __msan_memcpy+0x65/0x90 mm/kmsan/instrumentation.c:127
>  sock_write_iter+0x605/0x690 net/socket.c:1062
>  do_iter_readv_writev+0xa7f/0xc70
>  do_iter_write+0x52c/0x1500 fs/read_write.c:851
>  vfs_writev fs/read_write.c:924 [inline]
>  do_writev+0x645/0xe00 fs/read_write.c:967
>  __do_sys_writev fs/read_write.c:1040 [inline]
>  __se_sys_writev fs/read_write.c:1037 [inline]
>  __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
>  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>  do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Local variable regs created at:
>  __bpf_prog_run32+0x84/0x180 kernel/bpf/core.c:1796
>  bpf_dispatcher_nop_func include/linux/bpf.h:785 [inline]
>  __bpf_prog_run include/linux/filter.h:626 [inline]
>  bpf_prog_run include/linux/filter.h:633 [inline]
>  __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756
>
> CPU: 1 PID: 3474 Comm: syz-executor178 Not tainted 5.17.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> =====================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller at googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches



More information about the linux-riscv mailing list