Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx> 于2024年3月3日周日 20:46写道: > > On Sun, Mar 3, 2024 at 2:46 PM xingwei lee wrote: > > > > Hello, I reproduced this bug. > > > > If you fix this issue, please add the following tag to the commit: > > Reported-by: xingwei lee <xrivendell7@xxxxxxxxx> > > > > Notice: I use the same config with syzbot dashboard. > > kernel version: e326df53af0021f48a481ce9d489efda636c2dc6 > > kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3 > > with KMSAN enabled > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > > > > ===================================================== > > BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline] > > BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline] > > BUG: KMSAN: uninit-value in crc32_le_base+0x475/0xe70 lib/crc32.c:197 > > crc32_body lib/crc32.c:110 [inline] > > crc32_le_generic lib/crc32.c:179 [inline] > > crc32_le_base+0x475/0xe70 lib/crc32.c:197 > > nilfs_segbuf_fill_in_data_crc fs/nilfs2/segbuf.c:224 [inline] > > nilfs_add_checksums_on_logs+0xcb2/0x10a0 fs/nilfs2/segbuf.c:327 > > nilfs_segctor_do_construct+0xad1d/0xf640 fs/nilfs2/segment.c:2112 > > nilfs_segctor_construct+0x1fd/0xf30 fs/nilfs2/segment.c:2415 > > nilfs_segctor_thread_construct fs/nilfs2/segment.c:2523 [inline] > > nilfs_segctor_thread+0x551/0x1350 fs/nilfs2/segment.c:2606 > > kthread+0x422/0x5a0 kernel/kthread.c:388 > > ret_from_fork+0x7f/0xa0 arch/x86/kernel/process.c:147 > > ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 > > Uninit was created at: > > __alloc_pages+0x9a8/0xe00 mm/page_alloc.c:4591 > > alloc_pages_mpol+0x6b3/0xaa0 mm/mempolicy.c:2133 > > alloc_pages mm/mempolicy.c:2204 [inline] > > folio_alloc+0x218/0x3f0 mm/mempolicy.c:2211 > > filemap_alloc_folio+0xb8/0x4b0 mm/filemap.c:974 > > __filemap_get_folio+0xa8a/0x1910 mm/filemap.c:1918 > > pagecache_get_page+0x56/0x1d0 mm/folio-compat.c:99 > > grab_cache_page_write_begin+0x61/0x80 mm/folio-compat.c:109 > > block_write_begin+0x5a/0x4a0 fs/buffer.c:2223 > > nilfs_write_begin+0x107/0x220 fs/nilfs2/inode.c:261 > > generic_perform_write+0x417/0xce0 mm/filemap.c:3927 > > __generic_file_write_iter+0x233/0x4b0 mm/filemap.c:4022 > > generic_file_write_iter+0x10e/0x600 mm/filemap.c:4048 > > __kernel_write_iter+0x365/0xa00 fs/read_write.c:523 > > dump_emit_page fs/coredump.c:888 [inline] > > dump_user_range+0x5d7/0xe00 fs/coredump.c:915 > > elf_core_dump+0x5847/0x5fa0 fs/binfmt_elf.c:2077 > > do_coredump+0x3bb6/0x4e60 fs/coredump.c:764 > > get_signal+0x28f7/0x30b0 kernel/signal.c:2890 > > arch_do_signal_or_restart+0x5e/0xda0 arch/x86/kernel/signal.c:309 > > exit_to_user_mode_loop kernel/entry/common.c:105 [inline] > > exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] > > irqentry_exit_to_user_mode+0xaa/0x160 kernel/entry/common.c:225 > > irqentry_exit+0x16/0x40 kernel/entry/common.c:328 > > exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566 > > asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570 > > CPU: 1 PID: 11178 Comm: segctord Not tainted 6.7.0-00562-g9f8413c4a66f-dirty #2 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > > 1.16.2-debian-1.16.2-1 04/01/2014 > > ===================================================== > > > > =* repro.c =* > > #define _GNU_SOURCE > > > > #include <dirent.h> > > #include <endian.h> > > #include <errno.h> > > #include <fcntl.h> > > #include <sched.h> > > #include <signal.h> > > #include <stdarg.h> > > #include <stdbool.h> > > #include <stdint.h> > > #include <stdio.h> > > #include <stdlib.h> > > #include <string.h> > > #include <sys/mount.h> > > #include <sys/prctl.h> > > #include <sys/resource.h> > > #include <sys/stat.h> > > #include <sys/syscall.h> > > #include <sys/time.h> > > #include <sys/types.h> > > #include <sys/wait.h> > > #include <time.h> > > #include <unistd.h> > > > > #include <linux/capability.h> > > > > static void sleep_ms(uint64_t ms) > > { > > usleep(ms * 1000); > > } > > > > static uint64_t current_time_ms(void) > > { > > struct timespec ts; > > if (clock_gettime(CLOCK_MONOTONIC, &ts)) > > exit(1); > > return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; > > } > > > > static bool write_file(const char* file, const char* what, ...) > > { > > char buf[1024]; > > va_list args; > > va_start(args, what); > > vsnprintf(buf, sizeof(buf), what, args); > > va_end(args); > > buf[sizeof(buf) - 1] = 0; > > int len = strlen(buf); > > int fd = open(file, O_WRONLY | O_CLOEXEC); > > if (fd == -1) > > return false; > > if (write(fd, buf, len) != len) { > > int err = errno; > > close(fd); > > errno = err; > > return false; > > } > > close(fd); > > return true; > > } > > > > #define MAX_FDS 30 > > > > static void setup_common() > > { > > if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { > > } > > } > > > > static void setup_binderfs() > > { > > if (mkdir("/dev/binderfs", 0777)) { > > } > > if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { > > } > > if (symlink("/dev/binderfs", "./binderfs")) { > > } > > } > > > > static void loop(); > > > > static void sandbox_common() > > { > > prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); > > setsid(); > > struct rlimit rlim; > > rlim.rlim_cur = rlim.rlim_max = (200 << 20); > > setrlimit(RLIMIT_AS, &rlim); > > rlim.rlim_cur = rlim.rlim_max = 32 << 20; > > setrlimit(RLIMIT_MEMLOCK, &rlim); > > rlim.rlim_cur = rlim.rlim_max = 136 << 20; > > setrlimit(RLIMIT_FSIZE, &rlim); > > rlim.rlim_cur = rlim.rlim_max = 1 << 20; > > setrlimit(RLIMIT_STACK, &rlim); > > rlim.rlim_cur = rlim.rlim_max = 128 << 20; > > setrlimit(RLIMIT_CORE, &rlim); > > rlim.rlim_cur = rlim.rlim_max = 256; > > setrlimit(RLIMIT_NOFILE, &rlim); > > if (unshare(CLONE_NEWNS)) { > > } > > if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { > > } > > if (unshare(CLONE_NEWIPC)) { > > } > > if (unshare(0x02000000)) { > > } > > if (unshare(CLONE_NEWUTS)) { > > } > > if (unshare(CLONE_SYSVSEM)) { > > } > > typedef struct { > > const char* name; > > const char* value; > > } sysctl_t; > > static const sysctl_t sysctls[] = { > > {"/proc/sys/kernel/shmmax", "16777216"}, > > {"/proc/sys/kernel/shmall", "536870912"}, > > {"/proc/sys/kernel/shmmni", "1024"}, > > {"/proc/sys/kernel/msgmax", "8192"}, > > {"/proc/sys/kernel/msgmni", "1024"}, > > {"/proc/sys/kernel/msgmnb", "1024"}, > > {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, > > }; > > unsigned i; > > for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) > > write_file(sysctls[i].name, sysctls[i].value); > > } > > > > static int wait_for_loop(int pid) > > { > > if (pid < 0) > > exit(1); > > int status = 0; > > while (waitpid(-1, &status, __WALL) != pid) { > > } > > return WEXITSTATUS(status); > > } > > > > static void drop_caps(void) > > { > > struct __user_cap_header_struct cap_hdr = {}; > > struct __user_cap_data_struct cap_data[2] = {}; > > cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; > > cap_hdr.pid = getpid(); > > if (syscall(SYS_capget, &cap_hdr, &cap_data)) > > exit(1); > > const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); > > cap_data[0].effective &= ~drop; > > cap_data[0].permitted &= ~drop; > > cap_data[0].inheritable &= ~drop; > > if (syscall(SYS_capset, &cap_hdr, &cap_data)) > > exit(1); > > } > > > > static int do_sandbox_none(void) > > { > > if (unshare(CLONE_NEWPID)) { > > } > > int pid = fork(); > > if (pid != 0) > > return wait_for_loop(pid); > > setup_common(); > > sandbox_common(); > > drop_caps(); > > if (unshare(CLONE_NEWNET)) { > > } > > write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); > > setup_binderfs(); > > loop(); > > exit(1); > > } > > > > static void kill_and_wait(int pid, int* status) > > { > > kill(-pid, SIGKILL); > > kill(pid, SIGKILL); > > for (int i = 0; i < 100; i++) { > > if (waitpid(-1, status, WNOHANG | __WALL) == pid) > > return; > > usleep(1000); > > } > > DIR* dir = opendir("/sys/fs/fuse/connections"); > > if (dir) { > > for (;;) { > > struct dirent* ent = readdir(dir); > > if (!ent) > > break; > > if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) > > continue; > > char abort[300]; > > snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", > > ent->d_name); > > int fd = open(abort, O_WRONLY); > > if (fd == -1) { > > continue; > > } > > if (write(fd, abort, 1) < 0) { > > } > > close(fd); > > } > > closedir(dir); > > } else { > > } > > while (waitpid(-1, status, __WALL) != pid) { > > } > > } > > > > static void setup_test() > > { > > prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); > > setpgrp(); > > write_file("/proc/self/oom_score_adj", "1000"); > > } > > > > static void close_fds() > > { > > for (int fd = 3; fd < MAX_FDS; fd++) > > close(fd); > > } > > > > #define USLEEP_FORKED_CHILD (3 * 50 * 1000) > > > > static long handle_clone_ret(long ret) > > { > > if (ret != 0) { > > return ret; > > } > > usleep(USLEEP_FORKED_CHILD); > > syscall(__NR_exit, 0); > > while (1) { > > } > > } > > > > static long syz_clone(volatile long flags, volatile long stack, > > volatile long stack_len, volatile long ptid, > > volatile long ctid, volatile long tls) > > { > > long sp = (stack + stack_len) & ~15; > > long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); > > return handle_clone_ret(ret); > > } > > > > static void execute_one(void); > > > > #define WAIT_FLAGS __WALL > > > > static void loop(void) > > { > > int iter = 0; > > for (;; iter++) { > > int pid = fork(); > > if (pid < 0) > > exit(1); > > if (pid == 0) { > > setup_test(); > > execute_one(); > > close_fds(); > > exit(0); > > } > > int status = 0; > > uint64_t start = current_time_ms(); > > for (;;) { > > if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) > > break; > > sleep_ms(1); > > if (current_time_ms() - start < 5000) > > continue; > > kill_and_wait(pid, &status); > > break; > > } > > } > > } > > > > void execute_one(void) > > { > > syz_clone(/*flags=CLONE_IO*/ 0x80000000, /*stack=*/0x20000140, > > /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0); > > } > > int main(void) > > { > > syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, > > /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, > > /*offset=*/0ul); > > syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, > > /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, > > /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, > > /*offset=*/0ul); > > syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, > > /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, > > /*offset=*/0ul); > > do_sandbox_none(); > > return 0; > > } > > > > > > Remember to run this repro.txt with the command: syz-execprog -repeat > > 0 ./repro.txt and wait for about 1minus, the bug triggered very > > steady. > > > > =* repro.txt =* > > syz_mount_image$nilfs2(&(0x7f0000000000), > > &(0x7f0000000a80)='./file0\x00', 0x808, &(0x7f00000000c0)=ANY=[], 0x1, > > 0xa4a, &(0x7f0000001540)="$eJzs3U2MW0cdAPDx7nrTfJQ4JaFLGtqEQls+uttslvARQVI1QiJqKm6VKi5RmpaINCBSCVr1kOTEjVZVuPIhTr1UgJDoBUU9calEI1VIPRUOHIiCVIkDFJJF8c547X9sPXuzWa/Xv580O543Y8887/Pz83tvZhIwtiaafxcWZmopXXrr9aP/eOjvm28uOdwq0Wj+nWpL1VNKtZyeCq/3weRSfP3DV052i2tpvvm3pNNT11rP3ZpSOp/2psupkXZfuvLaO/NPHr9w7OK+d984dPXOrD0AAIyXb18+tLDrr3++b8dHb95/JG1qLS/H542c3paP+4/kA/9y/D+ROtO1ttBuOpSbymEilJvsUq69nnooN9Wj/unwuvUe5TZV1D/ZtqzbesMoK9txI9UmZjvSExOzs0u/yVPzd/10bfbs6TPPnRtSQ4FV968HUkp7RygcXgdtWGFYXAdtGMlwZB20YYOGxe3D3gMBLInXC29xPp5ZuD2tV5vqr/5rj090fz6sgrXe/tU/WvX/+oI9Dqtno25NZb3K52hbTsfrCPH+pd6fv3ilo3NpvB5R77Odva4jjMr1hV7tnFzjdqxUr/bH7WKj+nqOy/vwjZDf/vmJ/9NR+R8D3f171M7/C8K4h7R6r7U45P0PsH7F++YWs5If7+uL+Zsq8u+qyN9ckb+lIn9rRT6Ms9+9+NP0am35d378TT/o+fBynu3uHH9swPbE85GD1h/v+x3U7dYf7yeG9ewPJ54+9ZVnn7mydP9/rbX938jbe/m50cifrcu5QDlfGM+rt+79b3TWM9Gj3D2hPXd3Kd98vLOzXG3n8uuktv3MLe2Y6Xze9l7l9nSWa4Rym3O4K7Q3Hp9sCc8rxx9lv1rer6mwvvWwHtOhHWW/siPHsR2wEmV77HX/f9k+Z1K99tzpM6cey+mynf5psr7p5vL9a9xu4Pb12/9nJnX2/9nWWl6faN8vbF9eXmvfLzTC8vkeyw/kdPme++7k5uby2ZPfP/Psaq88jLlzL738vRNnzpz6oQcrfvDN9dEMDzxYxQfD3jMBd9rciy/8YO7cSy8/evqFE8+fev7U2QMHDx6Ynz/41QMLc83j+rn2o3tgI1n+0h92SwAAAAAAAAAAAIB+/ejY0Svvvf3l95f6/y/3/yv9/8udv6X//09C///YT770gy/9AHd0yW+WCQOsTody9Rw+Htq7M9SzKzzvEzluzeOX+/+X6uK4rqU994blcfzeUi4MJ3DLeCnTYQySOF/gp3N8Mce/SjBEtc3dF+e4anzrsq2X8SmMSzGayv+tbA1lHJPS/7vruE5t/+wda9BGVt9adCcc9joC3f3T+N+CMLZhcbHXLB79zmADsDqGPf9nOe9Z4rN//NZdN0Mpdu3xzv1lHL8UBvGX9zrT633+SfVvrPk/W/Pf9b3/CzPmNVZW739+fvX9tmrT7n7rj+tfxoHeOVj9H+X6y9o8nPqrf/GXof54QahP/w31b+mz/lvWf8/K6v9frr+8bY882G/9Sy2uTXS2I543Ltf/4nnj4npY/zK258Drv8KJGm/k+mGcjco8s4MK8/+2DtpXPv9vdn515//tJd6H8aWcLjvCcp9DnO9k0PaX+yvK98Cu8Pq1iu838/+Otq/luOrzUOb/LdtjI3/lt6Wb72VJ17u8txt1XwOj6gPX/wRhzUNrnrght2NxcfHOntCqMNTKGfr7P+zfCcOuf9jvf5U4/288ho/z/8b8OP9vzI/z/8b8OL9ezI/z/8b3M87/G/PvDa8b5weeqcj/ZEX+7u75rZ/t91U8f09F/qcq8vdV5N9fkf9ARf49FfkPVuR/piL/sxX5D1XkP1KR/7mK/I2u9EcZ1/WHcRb75/n8w/go1396ff53VuQDo+tnb+5/4pnffqex1P9/unU+pFzHO5LT9fzb+cc5Ha97p7b0zby3c/pvIX+9n++AcRLHz4jf7w9X5AOjq9zn5fMNY6jWfcSefset6nWcz2j5fI6/kOMv5vjRHM/meC7H+3M8v0bt48544je/P/Rqbfn3/vaQ3+/95LE/UMc4USmlA322J54fGPR+9jiO36But/4VdgcDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYmonm34WFmVpKl956/ejTx0/P3VxyuFWi0fw71Zaqt56X0mM5nszxL/KD6x++crI9vpHjWppPtVRrLU9PXWvVtDWldD7tTZdTI+2+dOW1d+afPH7h2MV9775x6OqdewcAAABg4/t/AAAA//+wuA6E") > > r0 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) (async) > > r1 = open(&(0x7f0000007f80)='./bus\x00', 0x145142, 0x0) > > cachestat(r1, &(0x7f00000002c0)={0x6}, &(0x7f0000000300), 0x0) (async) > > r2 = syz_open_procfs(0xffffffffffffffff, > > &(0x7f0000000100)='mountinfo\x00') (async) > > r3 = open(&(0x7f0000000a40)='./bus\x00', 0x141a42, 0x0) > > r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) (async) > > ptrace(0x10, 0x0) (async) > > r5 = syz_clone(0x80000000, > > &(0x7f0000000140)="1d7f3ef3f0b0129f8d083226510ecc0713b2af6e7901a607532fa2a7176fefdd7e66e6402ef8b579a00dd83d555182afa044f65b0ac668c2063ac33b34bb48411c11d456d584ec4140aebe97e1950ad7c4bd2bffcef175625a27a11f559e8ddb031d27c2be3a2216a1e9f87f5d68b8b0b690e67bfcc8a8ec9af998c1a8eaef215c771e45eee015e8ce9b17015da79c48a7b87459c4a88781ffd9d1ec6870c4d7220ffc6a66f7828db1297aa12e00503dde7a5c", > > 0xb3, &(0x7f0000000080), &(0x7f00000000c0), > > &(0x7f0000000200)="994665d2b9d5239b789d65f6ec184c1ea67003ce8f474755e439f58560c42a241a31e540479e0752cad17884d9024cb854dc6798ada62550c8264b5488daff5387419b22f01fa57630317e8c24ac37d892d70e380b7164dfaa886b72a17f08df76c1057a2268b39aad4e0e759eef1abc6e5e664e7f3057c1d70d897ba5104664e96d92c1d8bd420f78368f522169f713ed03315d69de28d77af27ec8881f54633a5dd5d54635e74ad8c896918c") > > fcntl$setown(r4, 0x8, r5) (async) > > sendfile(r3, r2, 0x0, 0x100800001) (async) > > sendfile(r0, r1, 0x0, 0x1000000201003) > > > > > > and see also in > > https://gist.github.com/xrivendell7/744812c87156085e12c7f617ef237875. > > BTW, found in my personal observation, the syzlang reproducer can > > trigger the bug more stably, so try to use the syz-execprog -repeat 0 > > ./repro.txt to trigger this bug. > > > > I hope it helps. > > Best regards! > > xingwei Lee > > Hi, > > Please let me know if you can test one. > > Does this issue still appear on 6.8-rc4 or later? Hi, sorry for the delayed response. I test my reproducer in the linux 6.8-rc4 with KMSAN kernel config for one hours, it doesn’t trigger any crash or report as follows: [ 315.607028][ T37] audit: type=1804 audit(1709708422.469:31293): pid=86478 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 315.608038][T86480] 884-0[86480]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 2 (core 2, socke) [ 315.611270][T86480] Code: Unable to access opcode bytes at 0x5c7ab4. [ 320.575680][ T37] kauditd_printk_skb: 1253 callbacks suppressed [ 320.575689][ T37] audit: type=1804 audit(1709708427.439:32130): pid=88573 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 320.576419][T88575] 884-0[88575]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 [ 320.576695][ T37] audit: type=1804 audit(1709708427.439:32131): pid=88574 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 320.579042][T88575] likely on CPU 0 (core 0, socket 0) [ 320.584184][T88575] Code: Unable to access opcode bytes at 0x5c7ab4. [ 320.593832][ T37] audit: type=1804 audit(1709708427.459:32132): pid=88578 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 320.594549][T88580] 884-0[88580]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 1 (core 1, socke) [ 320.596256][ T37] audit: type=1804 audit(1709708427.459:32133): pid=88579 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 320.597901][T88580] Code: Unable to access opcode bytes at 0x5c7ab4. [ 320.610954][ T37] audit: type=1804 audit(1709708427.479:32134): pid=88583 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 320.611700][T88585] 884-0[88585]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 likely on CPU 2 (core 2, socke) [ 320.613455][ T37] audit: type=1804 audit(1709708427.479:32135): pid=88584 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 320.615959][T88585] Code: Unable to access opcode bytes at 0x5c7ab4. [ 320.628571][ T37] audit: type=1804 audit(1709708427.489:32136): pid=88588 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 325.582663][ T37] kauditd_printk_skb: 1280 callbacks suppressed [ 325.582673][ T37] audit: type=1804 audit(1709708432.449:32990): pid=90727 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 325.583320][T90729] 884-0[90729]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 [ 325.583460][ T37] audit: type=1804 audit(1709708432.449:32991): pid=90728 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 325.585838][T90729] likely on CPU 1 (core 1, socket 0) [ 325.590985][T90729] Code: Unable to access opcode bytes at 0x5c7ab4. [ 325.599620][ T37] audit: type=1804 audit(1709708432.459:32992): pid=90732 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 325.601818][T90734] 884-0[90734]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 [ 325.601827][ T37] audit: type=1804 audit(1709708432.459:32993): pid=90733 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 325.603945][T90734] likely on CPU 2 (core 2, socket 0) [ 325.607037][T90734] Code: Unable to access opcode bytes at 0x5c7ab4. [ 325.617928][ T37] audit: type=1804 audit(1709708432.479:32994): pid=90737 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 325.618862][T90739] 884-0[90739]: segfault at 5c7ade ip 00000000005c7ade sp 00000000200001f8 error 14 [ 325.620190][ T37] audit: type=1804 audit(1709708432.479:32995): pid=90738 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 [ 325.623238][T90739] likely on CPU 0 (core 0, socket 0) [ 325.623803][T90739] Code: Unable to access opcode bytes at 0x5c7ab4. [ 325.632693][ T37] audit: type=1804 audit(1709708432.499:32996): pid=90742 uid=0 auid=0 ses=1 subj=unconfined op=invalid_pcr cause=0 It’s seems this issue have been fixed. > > I'd like to isolate that the issue is still not fixed with the latest > fixes, but I need to do some trial and error to reestablish a testable > (bootable) KMSAN-enabled kernel config. > > Thanks, > Ryusuke Konishi