From: syzbot <syzbot+a5e45f768aab5892da5d@syzkaller.appspotmail.com>
To: abbotti@mev.co.uk, hsweeten@visionengravers.com,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [kernel?] KMSAN: kernel-infoleak in do_insn_ioctl
Date: Thu, 17 Jul 2025 12:14:33 -0700 [thread overview]
Message-ID: <68794b99.a70a0220.693ce.0053.GAE@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: e2291551827f Merge tag 'probes-fixes-v6.16-rc6' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1220e7d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdecd0cbf7c2893
dashboard link: https://syzkaller.appspot.com/bug?extid=a5e45f768aab5892da5d
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/45d0dd363fc0/disk-e2291551.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2ac861991e19/vmlinux-e2291551.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a6c77d2eaafd/bzImage-e2291551.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a5e45f768aab5892da5d@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:196 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xcc/0x120 lib/usercopy.c:26
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
_inline_copy_to_user include/linux/uaccess.h:196 [inline]
_copy_to_user+0xcc/0x120 lib/usercopy.c:26
copy_to_user include/linux/uaccess.h:225 [inline]
do_insn_ioctl+0x516/0x630 drivers/comedi/comedi_fops.c:1641
comedi_unlocked_ioctl+0x13dd/0x1e00 drivers/comedi/comedi_fops.c:2263
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0x239/0x400 fs/ioctl.c:893
__x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:893
x64_sys_call+0x1ebe/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4154 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_noprof+0x95f/0x1310 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]
kmalloc_array_noprof include/linux/slab.h:948 [inline]
do_insn_ioctl+0x108/0x630 drivers/comedi/comedi_fops.c:1623
comedi_unlocked_ioctl+0x13dd/0x1e00 drivers/comedi/comedi_fops.c:2263
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0x239/0x400 fs/ioctl.c:893
__x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:893
x64_sys_call+0x1ebe/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Bytes 4-583 of 584 are uninitialized
Memory access of size 584 starts at ffff88810355d000
CPU: 0 UID: 0 PID: 12350 Comm: syz.1.1721 Tainted: G W 6.16.0-rc6-syzkaller-00037-ge2291551827f #0 PREEMPT(none)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2025-07-17 19:14 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-17 19:14 syzbot [this message]
2025-07-21 18:59 ` [syzbot] [kernel?] KMSAN: kernel-infoleak in do_insn_ioctl syzbot
2025-07-24 20:27 ` syztest Arnaud Lecomte
2025-07-24 21:05 ` [syzbot] [comedi?] KMSAN: kernel-infoleak in do_insn_ioctl syzbot
2025-07-25 10:21 ` Forwarded: Re: [syzbot] [kernel?] " syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=68794b99.a70a0220.693ce.0053.GAE@google.com \
--to=syzbot+a5e45f768aab5892da5d@syzkaller.appspotmail.com \
--cc=abbotti@mev.co.uk \
--cc=hsweeten@visionengravers.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.