From: Thomas Gleixner <tglx@linutronix.de>
To: I Hsin Cheng <richard120310@gmail.com>,
	syzbot+d5e61dcfda08821a226d@syzkaller.appspotmail.com
Cc: anna-maria@linutronix.de, frederic@kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org,
	Alexander Potapenko <glider@google.com>,
	Marco Elver <elver@google.com>,
	Dmitry Vyukov <dvyukov@google.com>
Subject: Re: [RFC PATCH RESEND] timerqueue: Complete rb_node initialization within timerqueue_init
Date: Sun, 06 Apr 2025 13:46:43 +0200
Message-ID: <878qodwlzw.ffs@tglx>
In-Reply-To: <20250405080533.519290-1-richard120310@gmail.com>

On Sat, Apr 05 2025 at 16:05, I. Hsin Cheng wrote:
> The children of "node" within "struct timerqueue_node" may be uninit
> status after the initialization. Initialize them as NULL under
> timerqueue_init to prevent the problem.

Which problem?

It's completely sufficient to use RB_INIT_NODE() on initialization.

As you did not provide a link and no explanation, I had to waste some
time to search through the syzbot site and look at the actual issue:

BUG: KMSAN: uninit-value in rb_next+0x200/0x210 lib/rbtree.c:505
 rb_next+0x200/0x210 lib/rbtree.c:505
 rb_erase_cached include/linux/rbtree.h:124 [inline]
 timerqueue_del+0xee/0x1a0 lib/timerqueue.c:57
 __remove_hrtimer kernel/time/hrtimer.c:1123 [inline]
 __run_hrtimer kernel/time/hrtimer.c:1771 [inline]
 __hrtimer_run_queues+0x3b7/0xe40 kernel/time/hrtimer.c:1855
 hrtimer_interrupt+0x41b/0xb10 kernel/time/hrtimer.c:1917
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline]
 __sysvec_apic_timer_interrupt+0xa7/0x420 arch/x86/kernel/apic/apic.c:1055
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x7e/0x90 arch/x86/kernel/apic/apic.c:1049

So this code removes a queued timer from the RB tree and that KMSAN
warning happens in rb_next(), which is invoked from rb_erase_cached().

The issue happens in lib/rbtree.c:505

505:    while (node->rb_left)
506:          node = node->rb_left;

which is walking the tree down left. So that means it hits a pointer
which points to uninitialized memory.

All timers are queued with rb_add_cached(), which calls rb_link_node()
and that does:

    node->rb_left = node->rb_right = NULL;

Which means there can't be a timer enqueued in the RB tree which has
rb_left/right uninitialized.

So how does this end up at uninitialized memory? There are two
obvious explanations:

    1) A stray pointer corrupts the RB tree

    2) A queued timer has been freed

So what would this "initialization" help? Nothing at all.

We are not adding some random pointless initialization to paper
over a problem which is absolutely not understood.

Thanks,

        tglx
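As an added illustration (not code from this thread or from the kernel), a small C model of the invariant the reply relies on: a node only enters the tree through rb_link_node(), which writes NULL into both child pointers, so garbage left in a freshly allocated node cannot survive into the left-walk at lib/rbtree.c:505. The struct and function names mirror the kernel's, but the tree is an unbalanced BST, tq_add() stands in for rb_add_cached(), and rb_leftmost() stands for the quoted loop.

```c
/* Minimal model (not the kernel's lib/rbtree.c) of the invariant the reply relies
 * on: rb_link_node() clears both children, so a node reachable in the tree can
 * never carry uninitialised child pointers. Tree balancing is left out. */
#include <stddef.h>
#include <string.h>
struct rb_node { struct rb_node *rb_parent, *rb_left, *rb_right; };
struct rb_root { struct rb_node *rb_node; };
struct tq_node { struct rb_node node; unsigned long expires; };

/* Same effect as the kernel's rb_link_node(): children are NULLed unconditionally. */
static void rb_link_node(struct rb_node *node, struct rb_node *parent,
                         struct rb_node **rb_link)
{
    node->rb_parent = parent;
    node->rb_left = node->rb_right = NULL;
    *rb_link = node;
}

/* Unbalanced insert keyed on expires; stands in for rb_add_cached(). */
static void tq_add(struct rb_root *root, struct tq_node *t)
{
    struct rb_node **link = &root->rb_node, *parent = NULL;
    while (*link) {
        parent = *link;
        const struct tq_node *cur = (const struct tq_node *)parent;
        link = t->expires < cur->expires ? &parent->rb_left : &parent->rb_right;
    }
    rb_link_node(&t->node, parent, link);
}

/* The descent quoted from lib/rbtree.c:505: walk left to the minimum. */
static struct rb_node *rb_leftmost(struct rb_node *node)
{
    while (node->rb_left)
        node = node->rb_left;
    return node;
}

/* Poison both rb_nodes (stand-in for memory that was never initialised), queue
 * them, and check the walk only sees the NULLs written by rb_link_node(). */
static int linked_nodes_have_clean_children(void)
{
    struct rb_root root = { NULL };
    struct tq_node a = { .expires = 20 }, b = { .expires = 10 };
    memset(&a.node, 0xAB, sizeof a.node);
    memset(&b.node, 0xAB, sizeof b.node);
    tq_add(&root, &a);
    tq_add(&root, &b);
    return rb_leftmost(root.rb_node) == &b.node && a.node.rb_left == &b.node
           && a.node.rb_right == NULL && !b.node.rb_left && !b.node.rb_right;
}
```

Because the poison never reaches the walk, an uninit-value report in this path points at a node that was freed or overwritten after being linked, which is exactly the distinction the reply draws.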
