[syzbot] [serial?] KMSAN: kernel-infoleak in con_font_op (2)

From: syzbot
Date: Thu Oct 10 2024 - 12:46:31 EST


Hello,

syzbot found the following issue on:

HEAD commit: 8f602276d390 Merge tag 'bcachefs-2024-10-05' of git://evil..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14a8f307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d302f14701986aa0
dashboard link: https://syzkaller.appspot.com/bug?extid=955da2d57931604ee691
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/241996bfa3de/disk-8f602276.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/417de1b4ca32/vmlinux-8f602276.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2c793c19b953/bzImage-8f602276.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+955da2d57931604ee691@xxxxxxxxxxxxxxxxxxxxxxxxx

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:187 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:26
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
_inline_copy_to_user include/linux/uaccess.h:187 [inline]
_copy_to_user+0xbc/0x110 lib/usercopy.c:26
copy_to_user include/linux/uaccess.h:216 [inline]
con_font_get drivers/tty/vt/vt.c:4760 [inline]
con_font_op+0x14a2/0x1710 drivers/tty/vt/vt.c:4854
vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
vt_ioctl+0x2b6e/0x2fe0 drivers/tty/vt/vt_ioctl.c:751
tty_ioctl+0xd0c/0x1990 drivers/tty/tty_io.c:2803
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0x25e/0x450 fs/ioctl.c:893
__x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:893
x64_sys_call+0x18bf/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4219
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4270
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:658
con_font_get drivers/tty/vt/vt.c:4729 [inline]
con_font_op+0x659/0x1710 drivers/tty/vt/vt.c:4854
vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
vt_ioctl+0x2b6e/0x2fe0 drivers/tty/vt/vt_ioctl.c:751
tty_ioctl+0xd0c/0x1990 drivers/tty/tty_io.c:2803
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0x25e/0x450 fs/ioctl.c:893
__x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:893
x64_sys_call+0x18bf/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 61440-76799 of 76800 are uninitialized
Memory access of size 76800 starts at ffff8880b5c00000
Data copied to user address 0000000020000880

CPU: 0 UID: 0 PID: 7973 Comm: syz.2.4245 Tainted: G W 6.12.0-rc1-syzkaller-00349-g8f602276d390 #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup