From: syzbot <syzbot+d7521c1e3841ed075a42@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org
Subject: Re: [syzbot] Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Date: Wed, 06 Mar 2024 05:14:39 -0800	[thread overview]
Message-ID: <000000000000b7b41d0612fdbdb5@google.com> (raw)
In-Reply-To: <000000000000fd588e060de27ef4@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)
Author: penguin-kernel@i-love.sakura.ne.jp

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.7

diff --git a/arch/x86/lib/copy_mc.c b/arch/x86/lib/copy_mc.c
index 6e8b7e600def..6858f80fc9a2 100644
--- a/arch/x86/lib/copy_mc.c
+++ b/arch/x86/lib/copy_mc.c
@@ -61,12 +61,18 @@ unsigned long copy_mc_enhanced_fast_string(void *dst, const void *src, unsigned
  */
 unsigned long __must_check copy_mc_to_kernel(void *dst, const void *src, unsigned len)
 {
-	if (copy_mc_fragile_enabled)
-		return copy_mc_fragile(dst, src, len);
-	if (static_cpu_has(X86_FEATURE_ERMS))
-		return copy_mc_enhanced_fast_string(dst, src, len);
-	memcpy(dst, src, len);
-	return 0;
+	unsigned long ret;
+
+	if (copy_mc_fragile_enabled) {
+		ret = copy_mc_fragile(dst, src, len);
+	} else if (static_cpu_has(X86_FEATURE_ERMS)) {
+		ret = copy_mc_enhanced_fast_string(dst, src, len);
+	} else {
+		memcpy(dst, src, len);
+		ret = 0;
+	}
+	kmsan_memmove(dst, src, len - ret);
+	return ret;
 }
 EXPORT_SYMBOL_GPL(copy_mc_to_kernel);
 
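Review bot: The `kmsan_memmove()` call is now also reached on the `memcpy()` branch, where it is most likely redundant: in a KMSAN build a plain `memcpy()` call in an instrumented file already propagates shadow and origin, so the metadata would be copied twice, while the hook is only needed after `copy_mc_fragile()` and `copy_mc_enhanced_fast_string()`, which the instrumentation cannot see (I cannot see from here whether this file is built with KMSAN instrumentation disabled, in which case the extra call would be harmless but still worth a comment). The smallest change is to keep the early exit in the last branch, `memcpy(dst, src, len); return 0;`, so that `kmsan_memmove(dst, src, len - ret);` runs only after the two assembly routines. The `len - ret` arithmetic assumes both routines return the number of bytes left uncopied, which the existing callers' use of the return value suggests but the hunk does not show; a one-line comment such as `/* ret is the uncopied tail; only the copied prefix has valid data. */` would make that explicit.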
@@ -78,15 +84,13 @@ unsigned long __must_check copy_mc_to_user(void __user *dst, const void *src, un
 		__uaccess_begin();
 		ret = copy_mc_fragile((__force void *)dst, src, len);
 		__uaccess_end();
-		return ret;
-	}
-
-	if (static_cpu_has(X86_FEATURE_ERMS)) {
+	} else if (static_cpu_has(X86_FEATURE_ERMS)) {
 		__uaccess_begin();
 		ret = copy_mc_enhanced_fast_string((__force void *)dst, src, len);
 		__uaccess_end();
-		return ret;
+	} else {
+		ret = copy_user_generic((__force void *)dst, src, len);
 	}
-
-	return copy_user_generic((__force void *)dst, src, len);
+	kmsan_copy_to_user(dst, src, len, ret);
+	return ret;
 }
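Review bot: The new `kmsan_copy_to_user(dst, src, len, ret)` call is a KMSAN-only hook, whereas the kernel's other user-copy paths (e.g. `_copy_to_user()`) go through `instrument_copy_to_user()` from `<linux/instrumented.h>`, which also performs the KASAN and KCSAN read checks on the source before calling `kmsan_copy_to_user()`. If the intent is specifically to report uninitialised bytes only for the prefix that was actually copied, the direct post-copy call is the more precise choice and deserves a comment saying so, e.g. `/* Report only the bytes that reached userspace: ret is the uncopied tail. */`; otherwise the generic helper keeps this path consistent with the rest of the tree. Note that `copy_mc_to_user()` starts before this hunk, so the declaration of `ret` and the first branch are not visible here.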
diff --git a/include/linux/kmsan-checks.h b/include/linux/kmsan-checks.h
index c4cae333deec..4c2a614dab2d 100644
--- a/include/linux/kmsan-checks.h
+++ b/include/linux/kmsan-checks.h
@@ -61,6 +61,17 @@ void kmsan_check_memory(const void *address, size_t size);
 void kmsan_copy_to_user(void __user *to, const void *from, size_t to_copy,
 			size_t left);
 
+/**
+ * kmsan_memmove() - Notify KMSAN about a data copy within kernel.
+ * @to:   destination address in the kernel.
+ * @from: source address in the kernel.
+ * @size: number of bytes to copy.
+ *
+ * Invoked after non-instrumented version (e.g. implemented using assembly
+ * code) of memmove()/memcpy() is called, in order to copy KMSAN's metadata.
+ */
+void kmsan_memmove(void *to, const void *from, size_t size);
+
 #else
 
 static inline void kmsan_poison_memory(const void *address, size_t size,
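Review bot: The kernel-doc for `@size` says "number of bytes to copy", but the only caller shown in this patch passes the number of bytes that were actually copied (`len - ret`), which is the quantity that matters for the copied-metadata semantics; I would word it `@size: number of bytes actually copied (the routine's @len minus whatever it reports as left).` The neighbouring `kmsan_copy_to_user()` declaration takes `(to_copy, left)` instead of a single count, so a `(size, left)` shape would mirror that API if consistency is preferred; either is fine as long as the doc matches the caller.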
@@ -77,6 +88,9 @@ static inline void kmsan_copy_to_user(void __user *to, const void *from,
 				      size_t to_copy, size_t left)
 {
 }
+static inline void kmsan_memmove(void *to, const void *from, size_t size)
+{
+}
 
 #endif
 
diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c
index 5d6e2dee5692..364f778ee226 100644
--- a/mm/kmsan/hooks.c
+++ b/mm/kmsan/hooks.c
@@ -285,6 +285,17 @@ void kmsan_copy_to_user(void __user *to, const void *from, size_t to_copy,
 }
 EXPORT_SYMBOL(kmsan_copy_to_user);
 
+void kmsan_memmove(void *to, const void *from, size_t size)
+{
+	if (!kmsan_enabled || kmsan_in_runtime())
+		return;
+
+	kmsan_enter_runtime();
+	kmsan_internal_memmove_metadata(to, (void *)from, size);
+	kmsan_leave_runtime();
+}
+EXPORT_SYMBOL(kmsan_memmove);
+
 /* Helper function to check an URB. */
 void kmsan_handle_urb(const struct urb *urb, bool is_out)
 {
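Review bot: The `(void *)from` cast silently discards the `const` qualifier on the source pointer; presumably `kmsan_internal_memmove_metadata()` takes non-const pointers even though it only reads the source, and a one-line comment such as `/* internal helper takes non-const pointers; the source is only read */` would stop a later reader from "fixing" it. The guard and enter/leave pairing mirror the neighbouring `kmsan_copy_to_user()`, which is good; a brief header comment, like `/* Propagate shadow/origin for a copy done by non-instrumented code. */`, would make clear that this hook copies metadata and does not itself report uninitialised source bytes.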


