Re: [syzbot] KMSAN: uninit-value in generic_bin_search (2)

From: Josef Bacik
Date: Mon Jun 14 2021 - 14:53:07 EST


On 6/14/21 1:41 AM, syzbot wrote:
Hello,

syzbot found the following issue on:

HEAD commit: 6099c9da x86: entry: speculatively unpoison pt_regs in do_..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12c7a057d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=4e6842a91012889c
dashboard link: https://syzkaller.appspot.com/bug?extid=8aa9678d1cda7a0432b7
compiler: Debian clang version 11.0.1-2
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8aa9678d1cda7a0432b7@xxxxxxxxxxxxxxxxxxxxxxxxx

tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
exit_to_user_mode_prepare+0x486/0x560 kernel/entry/common.c:208
__syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
syscall_exit_to_user_mode+0x35/0x60 kernel/entry/common.c:301
__do_fast_syscall_32+0x14f/0x180 arch/x86/entry/common.c:145
do_fast_syscall_32+0x77/0xd0 arch/x86/entry/common.c:168
do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:211
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
=====================================================
=====================================================
BUG: KMSAN: uninit-value in btrfs_comp_cpu_keys fs/btrfs/ctree.c:1556 [inline]
BUG: KMSAN: uninit-value in comp_keys fs/btrfs/ctree.c:1528 [inline]
BUG: KMSAN: uninit-value in generic_bin_search+0x799/0xbc0 fs/btrfs/ctree.c:1702
CPU: 1 PID: 9364 Comm: syz-executor.2 Tainted: G B 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x24c/0x2e0 lib/dump_stack.c:120
kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
__msan_warning+0x5c/0xa0 mm/kmsan/kmsan_instr.c:197
btrfs_comp_cpu_keys fs/btrfs/ctree.c:1556 [inline]
comp_keys fs/btrfs/ctree.c:1528 [inline]
generic_bin_search+0x799/0xbc0 fs/btrfs/ctree.c:1702
btrfs_bin_search fs/btrfs/ctree.c:1724 [inline]

This appears to be a bug in KMSAN, the code is doing the correct thing and it appears to be complaining about tmp, which is initialized either in the if or else part. The else part may be what's confusing KMSAN here as it's essentially

struct btrfs_disk_key *tmp;
struct btrfs_disk_key unaligned;

else {
	memcpy(&unaligned, ptr, len); // read_extent_buffer is basically memcpy
	tmp = &unaligned;
}

Thanks,

Josef
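The key fetch Josef describes, as an added user-space model (not btrfs code, and not part of the thread): a binary search over a constructed leaf where each key is either pointed at in place, when it lies within one page, or copied into a stack `unaligned` buffer and pointed at there, when it straddles a page boundary. Page size (64 bytes), item stride (25 bytes, the size of btrfs_item) and the sample keys are constructed so that both branches run; `fetch_key`, `bin_search` and `lookup` are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ     64   /* constructed small "page" so keys can straddle a boundary */
#define ITEM_STRIDE 25   /* sizeof(btrfs_item): key (17) + offset (4) + size (4) */

struct disk_key {            /* packed little-endian on-disk layout, as btrfs_disk_key */
    uint64_t objectid;
    uint8_t  type;
    uint64_t offset;
} __attribute__((packed));

struct cpu_key { uint64_t objectid; uint8_t type; uint64_t offset; };  /* host order */

static uint64_t get_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void put_le64(unsigned char *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

static void disk_key_to_cpu(struct cpu_key *cpu, const struct disk_key *disk)
{
    unsigned char raw[sizeof(struct disk_key)];
    memcpy(raw, disk, sizeof raw);       /* byte copy: tmp may be unaligned */
    cpu->objectid = get_le64(raw);
    cpu->type     = raw[8];
    cpu->offset   = get_le64(raw + 9);
}

/* Same ordering as btrfs_comp_cpu_keys(): objectid, then type, then offset. */
static int comp_cpu_keys(const struct cpu_key *a, const struct cpu_key *b)
{
    if (a->objectid != b->objectid) return a->objectid > b->objectid ? 1 : -1;
    if (a->type != b->type)         return a->type > b->type ? 1 : -1;
    if (a->offset != b->offset)     return a->offset > b->offset ? 1 : -1;
    return 0;
}

/* The two-branch fetch: point into the buffer, or copy out and point at the copy.
 * Either way every byte behind the returned pointer has been written. */
static const struct disk_key *fetch_key(const unsigned char *eb, size_t offset,
                                        struct disk_key *unaligned)
{
    size_t oip = offset % PAGE_SZ;                  /* offset in page */
    if (oip + sizeof(struct disk_key) <= PAGE_SZ)
        return (const struct disk_key *)(eb + offset);
    memcpy(unaligned, eb + offset, sizeof *unaligned);  /* read_extent_buffer() */
    return unaligned;
}

/* Returns 0 with *slot on an exact match, else 1 with *slot = insertion point. */
static int bin_search(const unsigned char *eb, int nritems,
                      const struct cpu_key *key, int *slot)
{
    struct disk_key unaligned;
    int low = 0, high = nritems;

    while (low < high) {
        int mid = low + (high - low) / 2;
        const struct disk_key *tmp = fetch_key(eb, (size_t)mid * ITEM_STRIDE, &unaligned);
        struct cpu_key cur;
        disk_key_to_cpu(&cur, tmp);
        int ret = comp_cpu_keys(&cur, key);
        if (ret < 0)      low = mid + 1;
        else if (ret > 0) high = mid;
        else { *slot = mid; return 0; }
    }
    *slot = low;
    return 1;
}

/* Constructed leaf: five sorted keys; item 2 starts at byte 50 and crosses page 0/1. */
static const struct cpu_key sample_keys[] = {
    {1, 0, 0}, {1, 1, 0}, {2, 0, 0}, {2, 0, 100}, {5, 3, 0},
};

static int lookup(uint64_t objectid, uint8_t type, uint64_t offset, int *slot)
{
    unsigned char eb[4 * PAGE_SZ];
    struct cpu_key key = { objectid, type, offset };
    memset(eb, 0, sizeof eb);
    for (int i = 0; i < 5; i++) {
        unsigned char *p = eb + (size_t)i * ITEM_STRIDE;
        put_le64(p, sample_keys[i].objectid);
        p[8] = sample_keys[i].type;
        put_le64(p + 9, sample_keys[i].offset);
    }
    return bin_search(eb, 5, &key, slot);
}

int main(void)
{
    int slot;
    int ret = lookup(2, 0, 0, &slot);   /* takes the copy-out branch */
    printf("ret=%d slot=%d\n", ret, slot);
    return 0;
}
```

Searching for (2,0,0) lands on item 2, whose 17-byte key spans bytes 50..66 of a 64-byte page, so it goes through the memcpy-into-`unaligned` branch; (2,0,100) at byte 75 fits inside page 1 and is compared in place. A sanitizer that tracks initialization per byte has everything it needs in both branches, which is the point of the reply above.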