Re: [syzbot] [bpf?] [net?] KMSAN: uninit-value in dev_map_lookup_elem

On 3/26/24 6:07 PM, Alexei Starovoitov wrote:
> On Tue, Mar 26, 2024 at 5:54 PM Martin KaFai Lau <martin.lau@xxxxxxxxx> wrote:
>> On 3/25/24 2:36 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    5e74df2f8f15 Merge tag 'x86-urgent-2024-03-24' of git://gi..
>>> git tree:       upstream
>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=148872a5180000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=e6bd769cb793b98a
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=1a3cf6f08d68868f9db3
>>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15921a6e180000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12e081f1180000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-assets/1a82880723a7/disk-5e74df2f.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-assets/fd3046ac43b9/vmlinux-5e74df2f.xz
>>> kernel image: https://storage.googleapis.com/syzbot-assets/2097be59cbc1/bzImage-5e74df2f.xz
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+1a3cf6f08d68868f9db3@xxxxxxxxxxxxxxxxxxxxxxxxx
>>>
>>> =====================================================
>>> BUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
>>> BUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
>>>    __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
>>>    dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
>>>    ____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]
>>>    bpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38
>>>    ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
>>>    __bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237
>> It should be in the interpreter mode.
>>
>> The C reproducer is trying to run the following bpf prog:
>>
>>      0: (18) r0 = 0x0
>>      2: (18) r1 = map[id:49]
>>      4: (b7) r8 = 16777216
>>      5: (7b) *(u64 *)(r10 -8) = r8
>>      6: (bf) r2 = r10
>>      7: (07) r2 += -229
>>              ^^^^^^^^^^
>>
>>      8: (b7) r3 = 8
>>      9: (b7) r4 = 0
>>     10: (85) call dev_map_lookup_elem#1543472
>>     11: (95) exit
>>
>> I think this KMSAN report (and a few others related to lookup/delete_elem)
>> should only happen in the interpreter mode.
>>
>> Is it worth suppressing it by always initializing the stack in the interpreter
>> mode, considering the interpreter is not very speed sensitive?
> Maybe we can mark it as initialized from kmsan pov?
> There are kasan_poison/unpoison helpers that may fit?
Maybe use kmsan_unpoison_memory()?

In lib/Kconfig.kmsan, we have

config KMSAN
        bool "KMSAN: detector of uninitialized values use"
        depends on HAVE_ARCH_KMSAN && HAVE_KMSAN_COMPILER
        depends on DEBUG_KERNEL && !KASAN && !KCSAN
        depends on !PREEMPT_RT
        select STACKDEPOT
        select STACKDEPOT_ALWAYS_INIT
        help
          KernelMemorySanitizer (KMSAN) is a dynamic detector of uses of
          uninitialized values in the kernel. It is based on compiler
          instrumentation provided by Clang and thus requires Clang to build.

          An important note is that KMSAN is not intended for production use,
          because it drastically increases kernel memory footprint and slows
          the whole system down.

          See <file:Documentation/dev-tools/kmsan.rst> for more details.

So to enable KMSAN, KASAN and KCSAN need to be disabled.
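To make concrete why the report fires and why either proposal (zeroing the interpreter's stack, or unpoisoning it for KMSAN) silences it, here is an added user-space model. It is not code from this thread or from the kernel: it emulates a 512-byte BPF frame with one KMSAN-style shadow byte per stack byte, replays the store at r10-8 and the key pointer at r10-229 from the quoted disassembly, and counts how many key bytes a devmap lookup (whose key is the u32 ifindex, so 4 bytes) would read before anything wrote them. The frame layout, the 0xA5 garbage pattern and the function names are constructed for illustration; MAX_BPF_STACK = 512 is the kernel's limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BPF_STACK 512            /* kernel's per-program BPF stack limit */
#define DEVMAP_KEY_SIZE 4            /* devmap keys are a u32 ifindex */

/* Emulated frame: the bytes the program addresses through r10, plus one
 * shadow byte per stack byte, KMSAN-style (1 = never written, 0 = defined). */
struct frame {
    uint8_t stack[MAX_BPF_STACK];
    uint8_t shadow[MAX_BPF_STACK];
};

/* A freshly allocated frame: contents are whatever was there before, so every
 * byte starts poisoned. 0xA5 is a constructed "garbage" pattern. */
static void frame_alloc(struct frame *f)
{
    memset(f->stack, 0xA5, sizeof f->stack);
    memset(f->shadow, 1, sizeof f->shadow);
}

/* Model of the proposed mitigation ("always initialize the stack in the
 * interpreter"): zero the frame and clear its shadow, which is the effect
 * kmsan_unpoison_memory() would have on the real frame. */
static void frame_zero_and_unpoison(struct frame *f)
{
    memset(f->stack, 0, sizeof f->stack);
    memset(f->shadow, 0, sizeof f->shadow);
}

/* Translate a (negative) r10-relative offset into a frame index, or -1 if
 * the access would leave the frame. */
static int frame_index(int off, int len)
{
    int idx = MAX_BPF_STACK + off;
    if (off >= 0 || idx < 0 || idx + len > MAX_BPF_STACK)
        return -1;
    return idx;
}

/* *(u64 *)(r10 + off) = val: defines 8 bytes and clears their shadow. */
static int store_u64(struct frame *f, int off, uint64_t val)
{
    int idx = frame_index(off, 8);
    if (idx < 0)
        return -1;
    memcpy(&f->stack[idx], &val, sizeof val);
    memset(&f->shadow[idx], 0, sizeof val);
    return 0;
}

/* Count how many of the `len` key bytes at r10 + off are still poisoned.
 * KMSAN reports an uninit-value when the helper branches on such a key;
 * a return of 0 means the lookup would be clean. */
static int key_uninit_bytes(const struct frame *f, int off, int len)
{
    int idx = frame_index(off, len);
    int n = 0;
    if (idx < 0)
        return -1;
    for (int i = 0; i < len; i++)
        n += f->shadow[idx + i];
    return n;
}

/* Replay the reproducer: store r8 at r10-8 (insn 5), then hand r10+key_off
 * to a devmap lookup (insns 6..10). Returns the poisoned key byte count,
 * or -1 if the key pointer leaves the frame. */
int replay_repro(int zero_stack_first, int key_off)
{
    struct frame f;

    frame_alloc(&f);
    if (zero_stack_first)
        frame_zero_and_unpoison(&f);
    store_u64(&f, -8, 16777216);
    return key_uninit_bytes(&f, key_off, DEVMAP_KEY_SIZE);
}

int main(void)
{
    printf("key at r10-229, raw frame:    %d poisoned bytes\n",
           replay_repro(0, -229));
    printf("key at r10-229, zeroed frame: %d poisoned bytes\n",
           replay_repro(1, -229));
    printf("key at r10-8 (written slot):  %d poisoned bytes\n",
           replay_repro(0, -8));
    return 0;
}
```

The raw frame yields 4 poisoned key bytes at r10-229 (the slot nothing in the program wrote), which is the condition the KMSAN report above describes; zeroing the frame first, or pointing the key at the slot written by instruction 5, yields 0. The model ignores the misalignment of -229 that the underlined offset draws attention to, since alignment is not what KMSAN is tracking here.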
