On 3/15/24 4:28 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    8ede842f669b Merge tag 'rust-6.9' of https://github.com/Ru..
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=138f0ad6180000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a271c5dca0ff14df
> dashboard link: https://syzkaller.appspot.com/bug?extid=f8e9a371388aa62ecab4
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15b4a6fa180000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14a59799180000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/af1cd47b84ef/disk-8ede842f.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be9297712c37/vmlinux-8ede842f.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/c569fb33468d/bzImage-8ede842f.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+f8e9a371388aa62ecab4@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> =====================================================
> BUG: KMSAN: uninit-value in io_sendrecv_fail+0x91/0x1e0 io_uring/net.c:1334
>  io_sendrecv_fail+0x91/0x1e0 io_uring/net.c:1334
>  io_req_defer_failed+0x3bd/0x610 io_uring/io_uring.c:1050
>  io_queue_sqe_fallback+0x1e3/0x280 io_uring/io_uring.c:2126
>  io_submit_fail_init+0x4e1/0x790 io_uring/io_uring.c:2304
>  io_submit_sqes+0x19cd/0x2fb0 io_uring/io_uring.c:2480
>  __do_sys_io_uring_enter io_uring/io_uring.c:3656 [inline]
>  __se_sys_io_uring_enter+0x409/0x43e0 io_uring/io_uring.c:3591
>  __x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3591
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b

This is similar to the issue fixed by:

commit 0a535eddbe0dc1de4386046ab849f08aeb2f8faf
Author: Jens Axboe <axboe@xxxxxxxxx>
Date:   Thu Dec 21 08:49:18 2023 -0700

    io_uring/rw: ensure io->bytes_done is always initialized

which I did fix separately for this case, just not in the 6.9 pile. I'll
move it over there to silence this one.

Only side effect of this is that cqe->res may not be -EINVAL, when it
should've been, for an ill-formed request that was issued with
IOSQE_ASYNC.

#syz test: git://git.kernel.dk/linux.git io_uring-6.0

--
Jens Axboe