On Thu, Jan 3, 2019 at 9:36 AM Vlastimil Babka <vbabka@xxxxxxx> wrote: > > > On 12/31/18 8:51 AM, syzbot wrote: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: 79fc24ff6184 kmsan: highmem: use kmsan_clear_page() in cop.. > > git tree: kmsan > > console output: https://syzkaller.appspot.com/x/log.txt?x=13c48b67400000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=901dd030b2cc57e7 > > dashboard link: https://syzkaller.appspot.com/bug?extid=b19c2dc2c990ea657a71 > > compiler: clang version 8.0.0 (trunk 349734) > > > > Unfortunately, I don't have any reproducer for this crash yet. > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+b19c2dc2c990ea657a71@xxxxxxxxxxxxxxxxxxxxxxxxx > > > > ================================================================== > > BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:353 [inline] > > BUG: KMSAN: uninit-value in mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384 > > The report doesn't seem to indicate where the uninit value resides in > the mempolicy object. Yes, it doesn't and it's not trivial to do. The tool reports uses of unint _values_. Values don't necessary reside in memory. It can be a register, that come from another register that was calculated as a sum of two other values, which may come from a function argument, etc. > I'll have to guess. mm/mempolicy.c:353 contains: > > if (!mpol_store_user_nodemask(pol) && > nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) > > "mpol_store_user_nodemask(pol)" is testing pol->flags, which I couldn't > see being uninitialized after leaving mpol_new(). So I'll guess it's > actually about accessing pol->w.cpuset_mems_allowed on line 354. > > For w.cpuset_mems_allowed to be not initialized and the nodes_equal() > reachable for a mempolicy where mpol_set_nodemask() is called in > do_mbind(), it seems the only possibility is a MPOL_PREFERRED policy > with empty set of nodes, i.e. MPOL_LOCAL equivalent. Let's see if the > patch below helps. This code is a maze to me. Note the uninit access > should be benign, rebinding this kind of policy is always a no-op. > > ----8<---- > From ff0ca29da6bc2572d7b267daa77ced6083e3f02d Mon Sep 17 00:00:00 2001 > From: Vlastimil Babka <vbabka@xxxxxxx> > Date: Thu, 3 Jan 2019 09:31:59 +0100 > Subject: [PATCH] mm, mempolicy: fix uninit memory access > > --- > mm/mempolicy.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mm/mempolicy.c b/mm/mempolicy.c > index d4496d9d34f5..a0b7487b9112 100644 > --- a/mm/mempolicy.c > +++ b/mm/mempolicy.c > @@ -350,7 +350,7 @@ static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask) > { > if (!pol) > return; > - if (!mpol_store_user_nodemask(pol) && > + if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) && > nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) > return; > > -- > 2.19.2 > > -- > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxx. > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/a71997c3-e8ae-a787-d5ce-3db05768b27c%40suse.cz. > For more options, visit https://groups.google.com/d/optout.
