Re: [syzbot] [fs?] [mm?] KMSAN: kernel-infoleak in hugetlbfs_read_iter

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] [mm?] KMSAN: kernel-infoleak in hugetlbfs_read_iter
Date: Tue, 11 Nov 2025 17:25:04 -0800	[thread overview]
Message-ID: <6913e1f0.a70a0220.22f260.0152.GAE@google.com> (raw)
In-Reply-To: <20251112005422.2038252-1-kartikey406@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: kernel-infoleak in hugetlbfs_read_iter

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_iovec include/linux/iov_iter.h:52 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:304 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:330 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4e4/0x33f0 lib/iov_iter.c:185
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 copy_to_user_iter lib/iov_iter.c:24 [inline]
 iterate_iovec include/linux/iov_iter.h:52 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:304 [inline]
 iterate_and_advance include/linux/iov_iter.h:330 [inline]
 _copy_to_iter+0x4e4/0x33f0 lib/iov_iter.c:185
 copy_page_to_iter+0x482/0x910 lib/iov_iter.c:362
 copy_folio_to_iter include/linux/uio.h:204 [inline]
 hugetlbfs_read_iter+0x6cd/0xe10 fs/hugetlbfs/inode.c:281
 do_iter_readv_writev+0x9e1/0xc20 fs/read_write.c:-1
 vfs_readv+0x34a/0xf30 fs/read_write.c:1018
 do_preadv fs/read_write.c:1132 [inline]
 __do_sys_preadv fs/read_write.c:1179 [inline]
 __se_sys_preadv fs/read_write.c:1174 [inline]
 __x64_sys_preadv+0x2a3/0x510 fs/read_write.c:1174
 x64_sys_call+0x3064/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:296
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 __alloc_frozen_pages_noprof+0x689/0xf00 mm/page_alloc.c:5206
 alloc_buddy_hugetlb_folio mm/hugetlb.c:1944 [inline]
 only_alloc_fresh_hugetlb_folio+0x2b0/0x1280 mm/hugetlb.c:1984
 alloc_pool_huge_folio+0x60f/0x760 mm/hugetlb.c:2042
 set_max_huge_pages mm/hugetlb.c:3912 [inline]
 __nr_hugepages_store_common+0x609/0x1420 mm/hugetlb.c:4206
 hugetlb_sysctl_handler_common mm/hugetlb.c:5129 [inline]
 hugetlb_sysctl_handler+0x1f7/0x2a0 mm/hugetlb.c:5139
 proc_sys_call_handler+0x86b/0xdc0 fs/proc/proc_sysctl.c:600
 proc_sys_write+0x3b/0x50 fs/proc/proc_sysctl.c:626
 __kernel_write_iter+0x6fa/0xdd0 fs/read_write.c:619
 __kernel_write fs/read_write.c:639 [inline]
 kernel_write+0x322/0x710 fs/read_write.c:660
 process_sysctl_arg+0x74b/0x1150 fs/proc/proc_sysctl.c:1687
 parse_one kernel/params.c:153 [inline]
 parse_args+0x652/0x1190 kernel/params.c:186
 do_sysctl_args+0xf8/0x210 fs/proc/proc_sysctl.c:1719
 kernel_init+0xf7/0x5e0 init/main.c:1506
 ret_from_fork+0x1f5/0x4c0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Bytes 0-5 of 6 are uninitialized
Memory access of size 6 starts at ffff88811b20000f
Data copied to user address 0000200000000080

CPU: 0 UID: 0 PID: 6511 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================


Tested on:

commit:         24172e0d Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14cbdc12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cbf50e713aaa5cb0
dashboard link: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13508692580000

next      parent reply	other threads:[~2025-11-12  1:25 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20251112005422.2038252-1-kartikey406@gmail.com>
2025-11-12  1:25 ` syzbot [this message]
     [not found] <20251112124054.2318311-1-kartikey406@gmail.com>
2025-11-12 14:33 ` [syzbot] [fs?] [mm?] KMSAN: kernel-infoleak in hugetlbfs_read_iter syzbot
     [not found] <20251112012749.2082979-1-kartikey406@gmail.com>
2025-11-12  2:28 ` syzbot
2025-11-10 18:09 syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6913e1f0.a70a0220.22f260.0152.GAE@google.com \
    --to=syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com \
    --cc=kartikey406@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.