On 3/16/24 9:28 AM, Pavel Begunkov wrote:
> On 3/16/24 13:37, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> KMSAN: uninit-value in io_sendrecv_fail
>
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 3ae4bb988906..826989e2f601 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -1063,6 +1063,7 @@ static void io_preinit_req(struct io_kiocb *req, struct io_ring_ctx *ctx)
> /* not necessary, but safer to zero */
> memset(&req->cqe, 0, sizeof(req->cqe));
> memset(&req->big_cqe, 0, sizeof(req->big_cqe));
> + memset(&req->cmd, 0, sizeof(req->cmd));
> }
>
> What's the point of testing it? You said it yourself, it hides the
> problem under the carpet but doesn't solve it. Do some valid IO first,
> then send that failed request. If done_io is aliased with some
> interesting field of a previously completed request you're royally
> screwed, but syz would be just happy about it.

Yeah I agree, as per my email. I think we're better off just doing the
EARLY_FAIL in general, and forget about the specific case. I just wanted
to make sure I wasn't off in the weeds, since I can't trigger this. Could
probably write a specific test case for it, but the syzbot reproducer
didn't for me.

-- 
Jens Axboe
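Review bot: the added memset of req->cmd in io_preinit_req masks the uninitialized read in io_sendrecv_fail instead of removing it: the fail handler still consults done_io for a request whose prep never wrote that field, and zeroing only guarantees it reads 0 rather than stale data. It also puts a memset of the whole per-opcode command area on every request's init path, and sits under a comment ("not necessary, but safer to zero") that would no longer be true, since this memset would be load-bearing. Prefer the approach the reply settles on: mark requests that fail before prep completes (the EARLY_FAIL route) and have the failure path skip the opcode-specific fail handler for them, so the uninitialized field is never read at all; if the memset is kept anyway, update the comment to say why it is required here.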
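The scenario Pavel describes ("do some valid IO first, then send that failed request") is easy to reproduce in a standalone model. The following is an added illustration written for this page, not the kernel's io_uring code: a request object whose per-opcode data lives in a union is reused across submissions, a previously completed write leaves its fd at the offset where the sendmsg handler expects done_io, and a sendmsg whose prep is rejected before done_io is set then reports that stale value as partial progress. The `zero_cmd` flag models the memset from the posted hunk (it makes the symptom vanish without stopping the handler from reading a field the request never set), and `REQ_F_EARLY_FAIL` models the early-fail approach Jens prefers. All struct, field and function names here (`write_cmd`, `sr_cmd`, `fail_req`, `submit_failing_sendmsg`, the -22 return) are hypothetical.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Added model, not kernel code. A request object whose per-opcode data
 * sits in a union is reused across submissions, like a slab object, so a
 * field the current opcode never initialised still carries whatever the
 * previous request stored at that offset. All names are hypothetical.
 */
enum opcode { OP_WRITE = 1, OP_SENDMSG = 2 };
enum { REQ_F_EARLY_FAIL = 1u << 0 };  /* prep failed before op data was set up */

struct write_cmd { int fd;      int rw_flags;  };
struct sr_cmd    { int done_io; int msg_flags; };  /* done_io aliases write_cmd.fd */

struct req {
	unsigned    flags;
	enum opcode opcode;
	int         cqe_res;
	union {
		struct write_cmd wr;
		struct sr_cmd    sr;
	} cmd;
};

static struct req slot;  /* one reused request slot */

static void preinit_req(struct req *r, enum opcode op, bool zero_cmd)
{
	r->flags = 0;
	r->opcode = op;
	r->cqe_res = 0;
	if (zero_cmd)  /* models the memset(&req->cmd, ...) from the posted hunk */
		memset(&r->cmd, 0, sizeof(r->cmd));
}

/* A write that is prepared and completes normally, leaving its fd in the slot. */
int submit_write(int fd)
{
	preinit_req(&slot, OP_WRITE, false);
	slot.cmd.wr.fd = fd;
	slot.cmd.wr.rw_flags = 0;
	slot.cqe_res = 4096;  /* pretend 4096 bytes were written */
	return slot.cqe_res;
}

/* The sendmsg-specific fail handler trusts done_io to report partial progress. */
static void sendrecv_fail(struct req *r)
{
	if (r->cmd.sr.done_io > 0)
		r->cqe_res = r->cmd.sr.done_io;
}

/* Prep rejects bad flags before it ever writes done_io. */
static int sendmsg_prep(struct req *r, unsigned msg_flags)
{
	if (msg_flags & ~0x1u)  /* hypothetical: only one flag bit is valid */
		return -22;         /* -EINVAL */
	r->cmd.sr.done_io = 0;
	r->cmd.sr.msg_flags = (int)msg_flags;
	return 0;
}

/* Common failure path: consult the opcode's handler only for prepared requests. */
static void fail_req(struct req *r, int ret)
{
	r->cqe_res = ret;
	if (r->flags & REQ_F_EARLY_FAIL)
		return;  /* op data was never set up: nothing valid to read */
	if (r->opcode == OP_SENDMSG)
		sendrecv_fail(r);
}

/*
 * Submit a sendmsg whose prep fails. zero_cmd models the memset in the posted
 * hunk; mark_early_fail models the EARLY_FAIL approach from the thread.
 * Returns the completion result the user would see.
 */
int submit_failing_sendmsg(bool zero_cmd, bool mark_early_fail)
{
	preinit_req(&slot, OP_SENDMSG, zero_cmd);
	int ret = sendmsg_prep(&slot, 0x4u);  /* invalid flag bit -> -EINVAL */
	if (ret < 0) {
		if (mark_early_fail)
			slot.flags |= REQ_F_EARLY_FAIL;
		fail_req(&slot, ret);
	}
	return slot.cqe_res;
}
```

Run a write with fd 7 and then the failing sendmsg with neither mitigation: the completion reports 7, the stale fd surfacing as bytes transferred. With `zero_cmd` the result is -22, but only because the handler now reads a zero instead of garbage; with `REQ_F_EARLY_FAIL` the handler is never entered, which is the actual fix. A sanitizer such as KMSAN would be quiet in both mitigated variants, which is why a clean syzbot run does not distinguish them.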