From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C2CEC17993 for ; Thu, 25 Jun 2026 07:07:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782371247; cv=none; b=JMaw5oqSnm5ks41UD7jdiKc6ufP2ZK2YwUHXggvJozlqit1XYy2KDx3sVIZyIsVaeMwgiNBmVbobseNsM5U7TDq028BPxiHnFH5c0gh4cDsZvWKfOPZNsA9f+ViVt6yXD6Jg/GWS0M63H5/lz+HMvWIaH9nA0FlyAxMP+xfmb2s= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782371247; c=relaxed/simple; bh=6Kzo3d9XIwZnqTQqnNhMtR0MQESkNP4ycxIOgGonPB8=; h=From:To:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=stBcrhCKGFoBfr4TeXyVnc3+YQI7Z+DgtMCGXq76Of5RDTWTmboBOHR3Hv8YH7zmSo9U6oBHtwTtvubYTFr7jDEt3C1MmdE1Mav45A3rOLhej40huQjYlmbvsKgOlimvj/75G03EPD/6/8g4NAnevUavEVgEvAvmuKmRGzj75Kc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=IeSx5kmG; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="IeSx5kmG" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D28271F000E9; Thu, 25 Jun 2026 07:07:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1782371246; bh=XD9V7SNrA4hgC7gMibM63X7FjyCTA88fLs7E1gD2Uh4=; h=From:To:Subject:In-Reply-To:References:Date; b=IeSx5kmGBevhQCTaxCnVHElbubbJYp60+b3F9VntOtOOsp5o2B+yCaDjNWNIslgem vwAnfhE/I+f70HTPcbvD/kmA7nTTMif3vQSrK/lqtQk4g7qWx8U6qjYOQAC3r3OSxg n9UsNkZZ4OYaw/7pfqcmqCER9rrSQbApMM9lbD9FkkvomoTulp6x9TgSAFyCPArQQ5 Z7bbBxTZ0l2ZS4LMjJNiJufpmK8PT+FlLJkNojHYYQh3x9WOL8cPj6E6Dnb7YlCGPm rXxGnCS1hV915tn5Bn0GmtTin4yWDvo8XvuH9GLhl5PQt1Ini6eFvEhEnciZR9S8+u Ow34LqEJW4V1Q== From: Thomas Gleixner To: syzbot , linux-kernel@vger.kernel.org, luto@kernel.org, peterz@infradead.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [kernel?] KMSAN: kernel-infoleak in exc_page_fault In-Reply-To: <6a3c7f84.43b4ff68.30a095.0003.GAE@google.com> References: <6a3c7f84.43b4ff68.30a095.0003.GAE@google.com> Date: Thu, 25 Jun 2026 09:07:23 +0200 Message-ID: <871pdvksic.ffs@fw13> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain #syz set subsystems: kasan On Wed, Jun 24 2026 at 18:08, syzbot wrote: > syzbot found the following issue on: > > HEAD commit: 9ecfb2f7287a Merge tag 'trace-ring-buffer-v7.2' of git://g.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=1471e8ea580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=a9e1383387f0e112 > dashboard link: https://syzkaller.appspot.com/bug?extid=411634dace73dad6f4d4 > compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6 > > Unfortunately, I don't have any reproducer for this issue yet. > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/c8d222bd96ba/disk-9ecfb2f7.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/629368d40b7e/vmlinux-9ecfb2f7.xz > kernel image: https://storage.googleapis.com/syzbot-assets/156086f5f12a/bzImage-9ecfb2f7.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+411634dace73dad6f4d4@syzkaller.appspotmail.com As I already explained here: https://lore.kernel.org/871pe1ng7m.ffs@fw13 this is a KMSAN/compiler bug: > BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline] > BUG: KMSAN: kernel-infoleak in rseq_update_usr include/linux/rseq_entry.h:536 [inline] > BUG: KMSAN: kernel-infoleak in rseq_exit_user_update include/linux/rseq_entry.h:645 [inline] > BUG: KMSAN: kernel-infoleak in __rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:674 [inline] > BUG: KMSAN: kernel-infoleak in rseq_exit_to_user_mode_restart include/linux/rseq_entry.h:703 [inline] > BUG: KMSAN: kernel-infoleak in exit_to_user_mode_loop kernel/entry/common.c:103 [inline] > BUG: KMSAN: kernel-infoleak in __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] > BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:244 [inline] > BUG: KMSAN: kernel-infoleak in irqentry_exit_to_user_mode include/linux/irq-entry-common.h:315 [inline] > BUG: KMSAN: kernel-infoleak in irqentry_exit+0x4a6/0xa40 kernel/entry/common.c:165 > exc_page_fault+0x7e/0xb0 arch/x86/mm/fault.c:1539 > asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:595 There was a real issue before 6d99479799c6 got applied, but KMSAN still claims that a local variable which is completely unrelated and was created in a (previous) syscall is the problem: > Local variable st.i.i created at: > __do_sys_statfs fs/statfs.c:193 [inline] > __se_sys_statfs fs/statfs.c:191 [inline] > __x64_sys_statfs+0x73/0x200 fs/statfs.c:191 > x64_sys_call+0x334c/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:138 That's clearly some stale information. > Bytes 0-3 of 4 are uninitialized > Memory access of size 4 starts at ffff88811856be78 > Data copied to user address 00007ff99a04cac0 The local variable access in rseq_set_ids_get_csaddr() is ids->cpu_id. ids is a stack variable created _and_ correctly initialized in rseq_exit_user_update().