Jens Axboe <axboe@xxxxxxxxx> 于2023年12月21日周四 23:46写道: On 12/21/23 3:58 AM, xingwei lee wrote: Hello I found a bug in io_uring and comfirmed at the latest upstream mainine linux. TITLE: KMSAN: uninit-value in io_rw_fail and I find this bug maybe existed in the https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285 but do not have a stable reproducer. However, I generate a stable reproducer and comfirmed in the latest mainline. I took a look at that one and can't see anything wrong, is that one still triggering? In any case, this one is different, as it's the writev path. Can you try the below? diff --git a/io_uring/rw.c b/io_uring/rw.c index 4943d683508b..0c856726b15d 100644 --- a/io_uring/rw.c +++ b/io_uring/rw.c @@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct io_kiocb *req, int rw) struct iovec *iov; int ret; + iorw->bytes_done = 0; + iorw->free_iovec = NULL; + /* submission path, ->uring_lock should already be taken */ ret = io_import_iovec(rw, req, &iov, &iorw->s, 0); if (unlikely(ret < 0)) return ret; - iorw->bytes_done = 0; - iorw->free_iovec = iov; - if (iov) + if (iov) { + iorw->free_iovec = iov; req->flags |= REQ_F_NEED_CLEANUP; + } + return 0; } -- Jens Axboe Hi Jens! I test your patch in the lastest mainline commit: 5254c0cbc92d2a08e75443bdb914f1c4839cdf5a without your patch kmsan still trigger the issue like this: syzkaller login: root lsLinux syzkaller 6.7.0-rc6-00248-g5254c0cbc92d #7 SMP PREEMPT_DYNAMIC Sat Dec 23 16:19:30 CST 2023 x86_64 [ 144.535556][ T8092] ===================================================== [ 144.538187][ T8092] BUG: KMSAN: uninit-value in io_rw_fail+0x191/0x1a0 [ 144.539959][ T8092] io_rw_fail+0x191/0x1a0 [ 144.541020][ T8092] io_req_defer_failed+0x1fa/0x380 [ 144.542458][ T8092] io_queue_sqe_fallback+0x200/0x260 [ 144.543714][ T8092] io_submit_sqes+0x2466/0x2fc0 [ 144.544880][ T8092] __se_sys_io_uring_enter+0x3bd/0x4120 [ 144.546222][ T8092] __x64_sys_io_uring_enter+0x110/0x190 [ 144.547673][ T8092] do_syscall_64+0x44/0x110 [ 144.549724][ T8092] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 144.551518][ T8092] [ 144.552075][ T8092] Uninit was created at: [ 144.553119][ T8092] slab_post_alloc_hook+0x103/0x9e0 [ 144.554387][ T8092] __kmem_cache_alloc_node+0x5d5/0x9b0 [ 144.555672][ T8092] __kmalloc+0x118/0x410 [ 144.556694][ T8092] io_req_prep_async+0x376/0x590 [ 144.557968][ T8092] io_queue_sqe_fallback+0x98/0x260 [ 144.559246][ T8092] io_submit_sqes+0x2466/0x2fc0 [ 144.560397][ T8092] __se_sys_io_uring_enter+0x3bd/0x4120 [ 144.561706][ T8092] __x64_sys_io_uring_enter+0x110/0x190 [ 144.563024][ T8092] do_syscall_64+0x44/0x110 [ 144.564122][ T8092] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 144.565559][ T8092] [ 144.566140][ T8092] CPU: 2 PID: 8092 Comm: 5e5 Not tainted 6.7.0-rc6-00248-g5254c0cbc92d #7 [ 144.567756][ T8092] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 [ 144.569423][ T8092] ===================================================== [ 144.570623][ T8092] Disabling lock debugging due to kernel taint [ 144.571689][ T8092] Kernel panic - not syncing: kmsan.panic set ... [ 144.572796][ T8092] CPU: 2 PID: 8092 Comm: 5e5 Tainted: G B 6.7.0-rc6-00248-g5254c0cbc92d #7 [ 144.574525][ T8092] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 [ 144.576180][ T8092] Call Trace: [ 144.576782][ T8092] <TASK> [ 144.577329][ T8092] dump_stack_lvl+0x1af/0x230 [ 144.578192][ T8092] dump_stack+0x1e/0x20 [ 144.578957][ T8092] panic+0x4d6/0xc60 [ 144.579714][ T8092] kmsan_report+0x2d7/0x2e0 [ 144.580753][ T8092] ? kmsan_internal_set_shadow_origin+0x6c/0xe0 [ 144.581892][ T8092] ? __msan_warning+0x96/0x110 [ 144.583055][ T8092] ? io_rw_fail+0x191/0x1a0 [ 144.583952][ T8092] ? io_req_defer_failed+0x1fa/0x380 [ 144.584903][ T8092] ? io_queue_sqe_fallback+0x200/0x260 [ 144.585884][ T8092] ? io_submit_sqes+0x2466/0x2fc0 [ 144.586798][ T8092] ? __se_sys_io_uring_enter+0x3bd/0x4120 [ 144.587825][ T8092] ? __x64_sys_io_uring_enter+0x110/0x190 [ 144.588848][ T8092] ? do_syscall_64+0x44/0x110 [ 144.589707][ T8092] ? entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 144.590807][ T8092] ? kmsan_get_shadow_origin_ptr+0x4c/0xa0 [ 144.591866][ T8092] ? __import_iovec+0x2b8/0xed0 [ 144.592746][ T8092] ? __stack_depot_save+0x37e/0x4a0 [ 144.593688][ T8092] ? kmsan_internal_set_shadow_origin+0x6c/0xe0 [ 144.594818][ T8092] ? kmsan_get_shadow_origin_ptr+0x4c/0xa0 [ 144.595876][ T8092] ? io_import_iovec+0x7d1/0x9d0 [ 144.596776][ T8092] ? kmsan_get_shadow_origin_ptr+0x4c/0xa0 [ 144.597844][ T8092] __msan_warning+0x96/0x110 [ 144.598689][ T8092] io_rw_fail+0x191/0x1a0 [ 144.599489][ T8092] ? io_setup_async_rw+0x7d0/0x7d0 [ 144.600419][ T8092] io_req_defer_failed+0x1fa/0x380 [ 144.601349][ T8092] io_queue_sqe_fallback+0x200/0x260 [ 144.602320][ T8092] io_submit_sqes+0x2466/0x2fc0 [ 144.603270][ T8092] __se_sys_io_uring_enter+0x3bd/0x4120 [ 144.604075][ T8092] ? kmsan_get_shadow_origin_ptr+0x4c/0xa0 [ 144.604731][ T8092] __x64_sys_io_uring_enter+0x110/0x190 [ 144.605359][ T8092] do_syscall_64+0x44/0x110 [ 144.605867][ T8092] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 144.606525][ T8092] RIP: 0033:0x432e39 [ 144.606959][ T8092] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8 [ 144.608998][ T8092] RSP: 002b:00007ffcbc551c78 EFLAGS: 00000216 ORIG_RAX: 00000000000001aa [ 144.609905][ T8092] RAX: ffffffffffffffda RBX: 00007ffcbc551eb8 RCX: 0000000000432e39 [ 144.610758][ T8092] RDX: 0000000000000000 RSI: 0000000000002d3e RDI: 0000000000000003 [ 144.611601][ T8092] RBP: 00007ffcbc551ca0 R08: 0000000000000000 R09: 0000000000000000 [ 144.612452][ T8092] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000001 [ 144.613299][ T8092] R13: 00007ffcbc551ea8 R14: 0000000000000001 R15: 0000000000000001 [ 144.614149][ T8092] </TASK> [ 144.615019][ T8092] Kernel Offset: disabled [ 144.615507][ T8092] Rebooting in 86400 seconds.. with the patch that you provided make a little change to apply to this commit: 5254c0cbc92d2a08e75443bdb914f1c4839cdf5a diff --git a/io_uring/rw.c b/io_uring/rw.c index 4943d683508b..0c856726b15d 100644 --- a/io_uring/rw.c +++ b/io_uring/rw.c @@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct io_kiocb *req, int rw) struct iovec *iov; int ret; + iorw->bytes_done = 0; + iorw->free_iovec = NULL; + /* submission path, ->uring_lock should already be taken */ ret = io_import_iovec(rw, req, &iov, &iorw->s, 0); if (unlikely(ret < 0)) return ret; - iorw->bytes_done = 0; - iorw->free_iovec = iov; - if (iov) + if (iov) { + iorw->free_iovec = iov; req->flags |= REQ_F_NEED_CLEANUP; + } + return 0; } since the reproducer is in a loop and I ran for about 30 minutes it didn't trigger any issues. I hope it helps. Best regards. xingwei Lee
