* [syzbot] [crypto?] KMSAN: uninit-value in __crc32c_le_base (4)
From: syzbot @ 2024-04-01 21:52 UTC
To: davem, herbert, linux-crypto, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    8d025e2092e2 Merge tag 'erofs-for-6.9-rc2-fixes' of git://..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1385be41180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e2599baf258ef795
dashboard link: https://syzkaller.appspot.com/bug?extid=549710bad9c798e25b15
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5ccde1a19e22/disk-8d025e20.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/45420817e7d9/vmlinux-8d025e20.xz
kernel image: https://storage.googleapis.com/syzbot-assets/354bdafd8c8f/bzImage-8d025e20.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KMSAN: uninit-value in __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
 crc32_body lib/crc32.c:110 [inline]
 crc32_le_generic lib/crc32.c:179 [inline]
 __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
 chksum_update+0x5b/0xd0 crypto/crc32c_generic.c:88
 crypto_shash_update+0x79/0xa0 crypto/shash.c:70
 csum_tree_block+0x35f/0x5d0 fs/btrfs/disk-io.c:96
 btree_csum_one_bio+0x4d5/0xeb0 fs/btrfs/disk-io.c:294
 btrfs_bio_csum fs/btrfs/bio.c:538 [inline]
 btrfs_submit_chunk fs/btrfs/bio.c:741 [inline]
 btrfs_submit_bio+0x1eb6/0x2930 fs/btrfs/bio.c:770
 write_one_eb+0x13fa/0x1570 fs/btrfs/extent_io.c:1750
 submit_eb_page fs/btrfs/extent_io.c:1909 [inline]
 btree_write_cache_pages+0x1d2a/0x29a0 fs/btrfs/extent_io.c:1959
 btree_writepages+0x84/0x270 fs/btrfs/disk-io.c:516
 do_writepages+0x427/0xc30 mm/page-writeback.c:2612
 filemap_fdatawrite_wbc+0x1d8/0x270 mm/filemap.c:397
 __filemap_fdatawrite_range mm/filemap.c:430 [inline]
 filemap_fdatawrite_range+0xe1/0x110 mm/filemap.c:448
 btrfs_write_marked_extents+0x2e7/0x620 fs/btrfs/transaction.c:1154
 btrfs_sync_log+0x9fd/0x3830 fs/btrfs/tree-log.c:2969
 btrfs_sync_file+0x144c/0x1c60 fs/btrfs/file.c:1968
 vfs_fsync_range+0x20d/0x270 fs/sync.c:188
 generic_write_sync include/linux/fs.h:2793 [inline]
 btrfs_do_write_iter+0x1c5f/0x2270 fs/btrfs/file.c:1695
 btrfs_file_write_iter+0x38/0x50 fs/btrfs/file.c:1705
 call_write_iter include/linux/fs.h:2108 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xb63/0x1520 fs/read_write.c:590
 ksys_write+0x20f/0x4c0 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x93/0xe0 fs/read_write.c:652
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
 __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
 __alloc_pages_bulk+0x19e/0x21e0 mm/page_alloc.c:4523
 alloc_pages_bulk_array include/linux/gfp.h:202 [inline]
 btrfs_alloc_page_array+0x9e/0x460 fs/btrfs/extent_io.c:689
 alloc_eb_folio_array fs/btrfs/extent_io.c:724 [inline]
 alloc_extent_buffer+0xa68/0x4180 fs/btrfs/extent_io.c:3859
 btrfs_find_create_tree_block+0x46/0x60 fs/btrfs/disk-io.c:610
 btrfs_init_new_buffer fs/btrfs/extent-tree.c:5063 [inline]
 btrfs_alloc_tree_block+0x35c/0x17c0 fs/btrfs/extent-tree.c:5178
 btrfs_alloc_log_tree_node fs/btrfs/disk-io.c:960 [inline]
 btrfs_add_log_tree+0x1b7/0x7a0 fs/btrfs/disk-io.c:1008
 start_log_trans fs/btrfs/tree-log.c:208 [inline]
 btrfs_log_inode_parent+0x9b6/0x1dd0 fs/btrfs/tree-log.c:7066
 btrfs_log_dentry_safe+0x9a/0x100 fs/btrfs/tree-log.c:7171
 btrfs_sync_file+0x126c/0x1c60 fs/btrfs/file.c:1933
 vfs_fsync_range+0x20d/0x270 fs/sync.c:188
 generic_write_sync include/linux/fs.h:2793 [inline]
 btrfs_do_write_iter+0x1c5f/0x2270 fs/btrfs/file.c:1695
 btrfs_file_write_iter+0x38/0x50 fs/btrfs/file.c:1705
 call_write_iter include/linux/fs.h:2108 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xb63/0x1520 fs/read_write.c:590
 ksys_write+0x20f/0x4c0 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x93/0xe0 fs/read_write.c:652
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 1 PID: 5344 Comm: syz-executor.4 Not tainted 6.9.0-rc1-syzkaller-00061-g8d025e2092e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
=====================================================

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [crypto?] KMSAN: uninit-value in __crc32c_le_base (4)
From: Herbert Xu @ 2024-04-03 9:39 UTC
To: syzbot
Cc: davem, linux-crypto, linux-kernel, syzkaller-bugs

#syz set subsystems: btrfs

-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* Re: [syzbot] [btrfs] KMSAN: uninit-value in __crc32c_le_base (4)
From: syzbot @ 2024-05-09 7:22 UTC
To: clm, davem, dsterba, herbert, josef, linux-btrfs, linux-crypto, linux-kernel, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    6d7ddd805123 Merge tag 'soc-fixes-6.9-3' of git://git.kern..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1094303f180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=617171361dd3cd47
dashboard link: https://syzkaller.appspot.com/bug?extid=549710bad9c798e25b15
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11047204980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17a2905c980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/49caca594b2f/disk-6d7ddd80.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cad0ed0e7e81/vmlinux-6d7ddd80.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c5403827515b/bzImage-6d7ddd80.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/dfb350d62061/mount_2.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KMSAN: uninit-value in __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
 crc32_body lib/crc32.c:110 [inline]
 crc32_le_generic lib/crc32.c:179 [inline]
 __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
 chksum_update+0x5b/0xd0 crypto/crc32c_generic.c:88
 crypto_shash_update+0x79/0xa0 crypto/shash.c:70
 csum_tree_block+0x35f/0x5d0 fs/btrfs/disk-io.c:96
 btree_csum_one_bio+0x4d5/0xeb0 fs/btrfs/disk-io.c:294
 btrfs_bio_csum fs/btrfs/bio.c:538 [inline]
 btrfs_submit_chunk fs/btrfs/bio.c:741 [inline]
 btrfs_submit_bio+0x1eb6/0x2930 fs/btrfs/bio.c:770
 write_one_eb+0x13fa/0x1570 fs/btrfs/extent_io.c:1740
 submit_eb_page fs/btrfs/extent_io.c:1899 [inline]
 btree_write_cache_pages+0x1d2a/0x29a0 fs/btrfs/extent_io.c:1949
 btree_writepages+0x84/0x270 fs/btrfs/disk-io.c:516
 do_writepages+0x427/0xc30 mm/page-writeback.c:2612
 filemap_fdatawrite_wbc+0x1d8/0x270 mm/filemap.c:397
 __filemap_fdatawrite_range mm/filemap.c:430 [inline]
 filemap_fdatawrite_range+0xe1/0x110 mm/filemap.c:448
 btrfs_write_marked_extents+0x2e7/0x620 fs/btrfs/transaction.c:1153
 btrfs_sync_log+0x9fd/0x3830 fs/btrfs/tree-log.c:2969
 btrfs_sync_file+0x144c/0x1c60 fs/btrfs/file.c:1968
 vfs_fsync_range+0x20d/0x270 fs/sync.c:188
 generic_write_sync include/linux/fs.h:2795 [inline]
 btrfs_do_write_iter+0x1c5f/0x2270 fs/btrfs/file.c:1695
 btrfs_file_write_iter+0x38/0x50 fs/btrfs/file.c:1705
 do_iter_readv_writev+0x7e6/0x960
 vfs_writev+0x574/0x1450 fs/read_write.c:971
 do_writev+0x251/0x5c0 fs/read_write.c:1018
 __do_sys_writev fs/read_write.c:1091 [inline]
 __se_sys_writev fs/read_write.c:1088 [inline]
 __x64_sys_writev+0x98/0xe0 fs/read_write.c:1088
 x64_sys_call+0x23dc/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:21
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
 __alloc_pages_bulk+0x19e/0x21e0 mm/page_alloc.c:4523
 alloc_pages_bulk_array include/linux/gfp.h:202 [inline]
 btrfs_alloc_page_array fs/btrfs/extent_io.c:690 [inline]
 alloc_eb_folio_array+0x19b/0x760 fs/btrfs/extent_io.c:714
 alloc_extent_buffer+0x965/0x3ad0 fs/btrfs/extent_io.c:3849
 btrfs_find_create_tree_block+0x46/0x60 fs/btrfs/disk-io.c:610
 btrfs_init_new_buffer fs/btrfs/extent-tree.c:5071 [inline]
 btrfs_alloc_tree_block+0x35c/0x17c0 fs/btrfs/extent-tree.c:5186
 btrfs_alloc_log_tree_node fs/btrfs/disk-io.c:960 [inline]
 btrfs_add_log_tree+0x1b7/0x7a0 fs/btrfs/disk-io.c:1008
 start_log_trans fs/btrfs/tree-log.c:208 [inline]
 btrfs_log_inode_parent+0x9b6/0x1dd0 fs/btrfs/tree-log.c:7066
 btrfs_log_dentry_safe+0x9a/0x100 fs/btrfs/tree-log.c:7171
 btrfs_sync_file+0x126c/0x1c60 fs/btrfs/file.c:1933
 vfs_fsync_range+0x20d/0x270 fs/sync.c:188
 generic_write_sync include/linux/fs.h:2795 [inline]
 btrfs_do_write_iter+0x1c5f/0x2270 fs/btrfs/file.c:1695
 btrfs_file_write_iter+0x38/0x50 fs/btrfs/file.c:1705
 do_iter_readv_writev+0x7e6/0x960
 vfs_writev+0x574/0x1450 fs/read_write.c:971
 do_writev+0x251/0x5c0 fs/read_write.c:1018
 __do_sys_writev fs/read_write.c:1091 [inline]
 __se_sys_writev fs/read_write.c:1088 [inline]
 __x64_sys_writev+0x98/0xe0 fs/read_write.c:1088
 x64_sys_call+0x23dc/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:21
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 PID: 5036 Comm: syz-executor761 Not tainted 6.9.0-rc7-syzkaller-00023-g6d7ddd805123 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
=====================================================

---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
* [PATCH] bcachefs: Fix unit-value within btree_bounce_alloc()
From: I Hsin Cheng @ 2025-04-23 16:37 UTC
To: syzbot+549710bad9c798e25b15, kent.overstreet
Cc: bfoster, linux-bcachefs, linux-kernel, davem, herbert, linux-crypto, syzkaller-bugs, skhan, linux-kernel-mentees, I Hsin Cheng

Use "kvzalloc()" instead of "kvmalloc()" in btree_bounce_alloc() to
prevent uninit-value issue.

Reported-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=549710bad9c798e25b15
Fixes: cb6fc943b650 ("bcachefs: kill kvpmalloc()")
Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
---
syzbot reported an uninit-value issue. [1]

Though the uninit value was detected in the context of crc32_body(), the
memory was actually allocated in "btree_bounce_alloc()". Using
"kvzalloc()" to allocate the memory can solve the issue, and I've tested
against syzbot. [2]

If there are any further tests that need to be performed, please let me
know. I'll be more than happy to assist you with that, thanks!

[1]:
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KMSAN: uninit-value in __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
 crc32_body lib/crc32.c:110 [inline]
 crc32_le_generic lib/crc32.c:179 [inline]
 __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
 chksum_update+0x5b/0xd0 crypto/crc32c_generic.c:88
 crypto_shash_update+0x79/0xa0 crypto/shash.c:52
 crc32c+0xba/0x170 lib/libcrc32c.c:47
 bch2_checksum_update+0x106/0x1d0 fs/bcachefs/checksum.c:83
 bch2_checksum+0x3c5/0x7c0 fs/bcachefs/checksum.c:216
 __bch2_btree_node_write+0x528c/0x67c0 fs/bcachefs/btree_io.c:2151
 bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2288
 btree_node_write_if_need fs/bcachefs/btree_io.h:153 [inline]
 __btree_node_flush+0x4d0/0x640 fs/bcachefs/btree_trans_commit.c:229
 bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:238
 journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:553
 __bch2_journal_reclaim+0xd88/0x1610 fs/bcachefs/journal_reclaim.c:685
 bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:727
 kthread+0x3e2/0x540 kernel/kthread.c:389
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was stored to memory at:
 memcpy_u64s_small fs/bcachefs/util.h:511 [inline]
 bkey_p_copy fs/bcachefs/bkey.h:46 [inline]
 bch2_sort_keys+0x1b4d/0x2cb0 fs/bcachefs/bkey_sort.c:194
 __bch2_btree_node_write+0x3acd/0x67c0 fs/bcachefs/btree_io.c:2100
 bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2288
 btree_node_write_if_need fs/bcachefs/btree_io.h:153 [inline]
 __btree_node_flush+0x4d0/0x640 fs/bcachefs/btree_trans_commit.c:229
 bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:238
 journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:553
 __bch2_journal_reclaim+0xd88/0x1610 fs/bcachefs/journal_reclaim.c:685
 bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:727
 kthread+0x3e2/0x540 kernel/kthread.c:389
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was created at:
 __kmalloc_large_node+0x231/0x370 mm/slub.c:3994
 __do_kmalloc_node mm/slub.c:4027 [inline]
 __kmalloc_node+0xb10/0x10c0 mm/slub.c:4046
 kmalloc_node include/linux/slab.h:648 [inline]
 kvmalloc_node+0xc0/0x2d0 mm/util.c:634
 kvmalloc include/linux/slab.h:766 [inline]
 btree_bounce_alloc fs/bcachefs/btree_io.c:118 [inline]
 bch2_btree_node_read_done+0x4e68/0x75e0 fs/bcachefs/btree_io.c:1185
 btree_node_read_work+0x8a5/0x1eb0 fs/bcachefs/btree_io.c:1324
 bch2_btree_node_read+0x3d42/0x4b50
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1748 [inline]
 bch2_btree_root_read+0xa6c/0x13d0 fs/bcachefs/btree_io.c:1772
 read_btree_roots+0x454/0xee0 fs/bcachefs/recovery.c:457
 bch2_fs_recovery+0x7b6a/0x93e0 fs/bcachefs/recovery.c:785
 bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1043
 bch2_fs_open+0x152a/0x15f0 fs/bcachefs/super.c:2105
 bch2_mount+0x90d/0x1d90 fs/bcachefs/fs.c:1906
 legacy_get_tree+0x114/0x290 fs/fs_context.c:662
 vfs_get_tree+0xa7/0x570 fs/super.c:1779
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
 path_mount+0x742/0x1f20 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x725/0x810 fs/namespace.c:3875
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
 x64_sys_call+0x2bf4/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

[2]: https://lore.kernel.org/all/000000000000736bd406151001d7@google.com/T/#m748384a36239a7f66e63cfde949e3db6bf14d5c6

syzbot replied to me with:
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com
Tested-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com

Tested on:

commit:         614da38e Merge tag 'hid-for-linus-2024051401' of git:/..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10be763f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=49342144b6a907af
dashboard link: https://syzkaller.appspot.com/bug?extid=549710bad9c798e25b15
compiler:       Debian clang version 15.0.6, Debian LLD 15.0.6
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15b99a6f980000

Note: testing is done by a robot and is best-effort only.

Best regards,
I Hsin Cheng
---
 fs/bcachefs/btree_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/bcachefs/btree_io.c b/fs/bcachefs/btree_io.c
index debb0edc3455..dc00c5273ffe 100644
--- a/fs/bcachefs/btree_io.c
+++ b/fs/bcachefs/btree_io.c
@@ -115,7 +115,7 @@ static void *btree_bounce_alloc(struct bch_fs *c, size_t size,
 	BUG_ON(size > c->opts.btree_node_size);
 
 	*used_mempool = false;
-	p = kvmalloc(size, __GFP_NOWARN|GFP_NOWAIT);
+	p = kvzalloc(size, __GFP_NOWARN|GFP_NOWAIT);
 	if (!p) {
 		*used_mempool = true;
 		p = mempool_alloc(&c->btree_bounce_pool, GFP_NOFS);
-- 
2.43.0
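Review bot: the zeroing added by the `+ p = kvzalloc(size, __GFP_NOWARN|GFP_NOWAIT);` line only covers the first allocation path; the fallback three lines later, `p = mempool_alloc(&c->btree_bounce_pool, GFP_NOFS);`, still returns a buffer holding whatever its previous user left there, so if uninitialised bytes genuinely reached the checksum this patch would leave that path open. That gap is also a hint the report is not about real uninitialised data: the KMSAN origin "Uninit was stored to memory at: memcpy_u64s_small" points at a copy routine the sanitizer did not see through, and zeroing a btree_node_size-sized allocation on every bounce (on the GFP_NOWAIT fast path) pays a per-node-write cost to hide a tool limitation rather than fix it. The maintainer's reply in this thread names the in-tree fix, 9c3a2c9b471a "bcachefs: Disable asm memcpys when kmsan enabled", which keeps kvmalloc() and instead makes the copy visible to KMSAN; a resubmission should reference that rather than change the allocator. Minor: the subject and summary say "unit-value" where the report says "uninit-value".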
* Re: [PATCH] bcachefs: Fix unit-value within btree_bounce_alloc()
From: Kent Overstreet @ 2025-04-23 16:45 UTC
To: I Hsin Cheng
Cc: syzbot+549710bad9c798e25b15, bfoster, linux-bcachefs, linux-kernel, davem, herbert, linux-crypto, syzkaller-bugs, skhan, linux-kernel-mentees

On Thu, Apr 24, 2025 at 12:37:18AM +0800, I Hsin Cheng wrote:
> Use "kvzalloc()" instead of "kvmalloc()" in btree_bounce_alloc() to
> prevent uninit-value issue.
> 
> Reported-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=549710bad9c798e25b15
> Fixes: cb6fc943b650 ("bcachefs: kill kvpmalloc()")
> Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
> ---
> syzbot reported an uninit-value issue. [1]
> 
> Though the uninit value was detected in the context of crc32_body(), the
> memory was actually allocated in "btree_bounce_alloc()". Using
> "kvzalloc()" to allocate the memory can solve the issue, and I've tested
> against syzbot. [2]
> 
> If there are any further tests that need to be performed, please let me
> know. I'll be more than happy to assist you with that, thanks!

See Documentation/filesystems/bcachefs/SubmittingPatches.

And this isn't the correct fix - the correct fix is already in Linus's
tree.

> 
> [1]:
> BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
> BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
> BUG: KMSAN: uninit-value in __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
>  crc32_body lib/crc32.c:110 [inline]
>  crc32_le_generic lib/crc32.c:179 [inline]
>  __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
>  chksum_update+0x5b/0xd0 crypto/crc32c_generic.c:88
>  crypto_shash_update+0x79/0xa0 crypto/shash.c:52
>  crc32c+0xba/0x170 lib/libcrc32c.c:47
>  bch2_checksum_update+0x106/0x1d0 fs/bcachefs/checksum.c:83
>  bch2_checksum+0x3c5/0x7c0 fs/bcachefs/checksum.c:216
>  __bch2_btree_node_write+0x528c/0x67c0 fs/bcachefs/btree_io.c:2151
>  bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2288
>  btree_node_write_if_need fs/bcachefs/btree_io.h:153 [inline]
>  __btree_node_flush+0x4d0/0x640 fs/bcachefs/btree_trans_commit.c:229
>  bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:238
>  journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:553
>  __bch2_journal_reclaim+0xd88/0x1610 fs/bcachefs/journal_reclaim.c:685
>  bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:727
>  kthread+0x3e2/0x540 kernel/kthread.c:389
>  ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> 
> Uninit was stored to memory at:
>  memcpy_u64s_small fs/bcachefs/util.h:511 [inline]
>  bkey_p_copy fs/bcachefs/bkey.h:46 [inline]
>  bch2_sort_keys+0x1b4d/0x2cb0 fs/bcachefs/bkey_sort.c:194
>  __bch2_btree_node_write+0x3acd/0x67c0 fs/bcachefs/btree_io.c:2100
>  bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2288
>  btree_node_write_if_need fs/bcachefs/btree_io.h:153 [inline]
>  __btree_node_flush+0x4d0/0x640 fs/bcachefs/btree_trans_commit.c:229
>  bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:238
>  journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:553
>  __bch2_journal_reclaim+0xd88/0x1610 fs/bcachefs/journal_reclaim.c:685
>  bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:727
>  kthread+0x3e2/0x540 kernel/kthread.c:389
>  ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> 
> Uninit was created at:
>  __kmalloc_large_node+0x231/0x370 mm/slub.c:3994
>  __do_kmalloc_node mm/slub.c:4027 [inline]
>  __kmalloc_node+0xb10/0x10c0 mm/slub.c:4046
>  kmalloc_node include/linux/slab.h:648 [inline]
>  kvmalloc_node+0xc0/0x2d0 mm/util.c:634
>  kvmalloc include/linux/slab.h:766 [inline]
>  btree_bounce_alloc fs/bcachefs/btree_io.c:118 [inline]
>  bch2_btree_node_read_done+0x4e68/0x75e0 fs/bcachefs/btree_io.c:1185
>  btree_node_read_work+0x8a5/0x1eb0 fs/bcachefs/btree_io.c:1324
>  bch2_btree_node_read+0x3d42/0x4b50
>  __bch2_btree_root_read fs/bcachefs/btree_io.c:1748 [inline]
>  bch2_btree_root_read+0xa6c/0x13d0 fs/bcachefs/btree_io.c:1772
>  read_btree_roots+0x454/0xee0 fs/bcachefs/recovery.c:457
>  bch2_fs_recovery+0x7b6a/0x93e0 fs/bcachefs/recovery.c:785
>  bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1043
>  bch2_fs_open+0x152a/0x15f0 fs/bcachefs/super.c:2105
>  bch2_mount+0x90d/0x1d90 fs/bcachefs/fs.c:1906
>  legacy_get_tree+0x114/0x290 fs/fs_context.c:662
>  vfs_get_tree+0xa7/0x570 fs/super.c:1779
>  do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
>  path_mount+0x742/0x1f20 fs/namespace.c:3679
>  do_mount fs/namespace.c:3692 [inline]
>  __do_sys_mount fs/namespace.c:3898 [inline]
>  __se_sys_mount+0x725/0x810 fs/namespace.c:3875
>  __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
>  x64_sys_call+0x2bf4/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:166
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> [2]:
> https://lore.kernel.org/all/000000000000736bd406151001d7@google.com/T/#m748384a36239a7f66e63cfde949e3db6bf14d5c6
> 
> syzbot replied to me with:
> Hello,
> 
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
> 
> Reported-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com
> Tested-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com
> 
> Tested on:
> 
> commit:         614da38e Merge tag 'hid-for-linus-2024051401' of git:/..
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> console output: https://syzkaller.appspot.com/x/log.txt?x=10be763f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=49342144b6a907af
> dashboard link: https://syzkaller.appspot.com/bug?extid=549710bad9c798e25b15
> compiler:       Debian clang version 15.0.6, Debian LLD 15.0.6
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=15b99a6f980000
> 
> Note: testing is done by a robot and is best-effort only.
> 
> Best regards,
> I Hsin Cheng
> ---
>  fs/bcachefs/btree_io.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/bcachefs/btree_io.c b/fs/bcachefs/btree_io.c
> index debb0edc3455..dc00c5273ffe 100644
> --- a/fs/bcachefs/btree_io.c
> +++ b/fs/bcachefs/btree_io.c
> @@ -115,7 +115,7 @@ static void *btree_bounce_alloc(struct bch_fs *c, size_t size,
>  	BUG_ON(size > c->opts.btree_node_size);
>  
>  	*used_mempool = false;
> -	p = kvmalloc(size, __GFP_NOWARN|GFP_NOWAIT);
> +	p = kvzalloc(size, __GFP_NOWARN|GFP_NOWAIT);
>  	if (!p) {
>  		*used_mempool = true;
>  		p = mempool_alloc(&c->btree_bounce_pool, GFP_NOFS);
> -- 
> 2.43.0
> 
* Re: [PATCH] bcachefs: Fix unit-value within btree_bounce_alloc()
From: I Hsin Cheng @ 2025-04-25 16:53 UTC
To: Kent Overstreet
Cc: syzbot+549710bad9c798e25b15, bfoster, linux-bcachefs, linux-kernel, davem, herbert, linux-crypto, syzkaller-bugs, skhan, linux-kernel-mentees

On Wed, Apr 23, 2025 at 12:45:20PM -0400, Kent Overstreet wrote:
> On Thu, Apr 24, 2025 at 12:37:18AM +0800, I Hsin Cheng wrote:
> > Use "kvzalloc()" instead of "kvmalloc()" in btree_bounce_alloc() to
> > prevent uninit-value issue.
> > 
> > Reported-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=549710bad9c798e25b15
> > Fixes: cb6fc943b650 ("bcachefs: kill kvpmalloc()")
> > Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
> > ---
> > syzbot reported an uninit-value issue. [1]
> > 
> > Though the uninit value was detected in the context of crc32_body(), the
> > memory was actually allocated in "btree_bounce_alloc()". Using
> > "kvzalloc()" to allocate the memory can solve the issue, and I've tested
> > against syzbot. [2]
> > 
> > If there are any further tests that need to be performed, please let me
> > know. I'll be more than happy to assist you with that, thanks!
> 
> See Documentation/filesystems/bcachefs/SubmittingPatches.
> 

Sure! Thanks for the info.

> And this isn't the correct fix - the correct fix is already in Linus's
> tree.

Ahh ok, may I ask for the commit hash or title so I can learn from it?

Best regards,
I Hsin Cheng

> 
> > 
> > [1]:
> > BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
> > BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
> > BUG: KMSAN: uninit-value in __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
> >  crc32_body lib/crc32.c:110 [inline]
> >  crc32_le_generic lib/crc32.c:179 [inline]
> >  __crc32c_le_base+0x43c/0xd80 lib/crc32.c:201
> >  chksum_update+0x5b/0xd0 crypto/crc32c_generic.c:88
> >  crypto_shash_update+0x79/0xa0 crypto/shash.c:52
> >  crc32c+0xba/0x170 lib/libcrc32c.c:47
> >  bch2_checksum_update+0x106/0x1d0 fs/bcachefs/checksum.c:83
> >  bch2_checksum+0x3c5/0x7c0 fs/bcachefs/checksum.c:216
> >  __bch2_btree_node_write+0x528c/0x67c0 fs/bcachefs/btree_io.c:2151
> >  bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2288
> >  btree_node_write_if_need fs/bcachefs/btree_io.h:153 [inline]
> >  __btree_node_flush+0x4d0/0x640 fs/bcachefs/btree_trans_commit.c:229
> >  bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:238
> >  journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:553
> >  __bch2_journal_reclaim+0xd88/0x1610 fs/bcachefs/journal_reclaim.c:685
> >  bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:727
> >  kthread+0x3e2/0x540 kernel/kthread.c:389
> >  ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
> >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> > 
> > Uninit was stored to memory at:
> >  memcpy_u64s_small fs/bcachefs/util.h:511 [inline]
> >  bkey_p_copy fs/bcachefs/bkey.h:46 [inline]
> >  bch2_sort_keys+0x1b4d/0x2cb0 fs/bcachefs/bkey_sort.c:194
> >  __bch2_btree_node_write+0x3acd/0x67c0 fs/bcachefs/btree_io.c:2100
> >  bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2288
> >  btree_node_write_if_need fs/bcachefs/btree_io.h:153 [inline]
> >  __btree_node_flush+0x4d0/0x640 fs/bcachefs/btree_trans_commit.c:229
> >  bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:238
> >  journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:553
> >  __bch2_journal_reclaim+0xd88/0x1610 fs/bcachefs/journal_reclaim.c:685
> >  bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:727
> >  kthread+0x3e2/0x540 kernel/kthread.c:389
> >  ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
> >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> > 
> > Uninit was created at:
> >  __kmalloc_large_node+0x231/0x370 mm/slub.c:3994
> >  __do_kmalloc_node mm/slub.c:4027 [inline]
> >  __kmalloc_node+0xb10/0x10c0 mm/slub.c:4046
> >  kmalloc_node include/linux/slab.h:648 [inline]
> >  kvmalloc_node+0xc0/0x2d0 mm/util.c:634
> >  kvmalloc include/linux/slab.h:766 [inline]
> >  btree_bounce_alloc fs/bcachefs/btree_io.c:118 [inline]
> >  bch2_btree_node_read_done+0x4e68/0x75e0 fs/bcachefs/btree_io.c:1185
> >  btree_node_read_work+0x8a5/0x1eb0 fs/bcachefs/btree_io.c:1324
> >  bch2_btree_node_read+0x3d42/0x4b50
> >  __bch2_btree_root_read fs/bcachefs/btree_io.c:1748 [inline]
> >  bch2_btree_root_read+0xa6c/0x13d0 fs/bcachefs/btree_io.c:1772
> >  read_btree_roots+0x454/0xee0 fs/bcachefs/recovery.c:457
> >  bch2_fs_recovery+0x7b6a/0x93e0 fs/bcachefs/recovery.c:785
> >  bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1043
> >  bch2_fs_open+0x152a/0x15f0 fs/bcachefs/super.c:2105
> >  bch2_mount+0x90d/0x1d90 fs/bcachefs/fs.c:1906
> >  legacy_get_tree+0x114/0x290 fs/fs_context.c:662
> >  vfs_get_tree+0xa7/0x570 fs/super.c:1779
> >  do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
> >  path_mount+0x742/0x1f20 fs/namespace.c:3679
> >  do_mount fs/namespace.c:3692 [inline]
> >  __do_sys_mount fs/namespace.c:3898 [inline]
> >  __se_sys_mount+0x725/0x810 fs/namespace.c:3875
> >  __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
> >  x64_sys_call+0x2bf4/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:166
> >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > 
> > [2]:
> > https://lore.kernel.org/all/000000000000736bd406151001d7@google.com/T/#m748384a36239a7f66e63cfde949e3db6bf14d5c6
> > 
> > syzbot replied to me with:
> > Hello,
> > 
> > syzbot has tested the proposed patch and the reproducer did not trigger any issue:
> > 
> > Reported-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com
> > Tested-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com
> > 
> > Tested on:
> > 
> > commit:         614da38e Merge tag 'hid-for-linus-2024051401' of git:/..
> > git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10be763f980000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=49342144b6a907af
> > dashboard link: https://syzkaller.appspot.com/bug?extid=549710bad9c798e25b15
> > compiler:       Debian clang version 15.0.6, Debian LLD 15.0.6
> > patch:          https://syzkaller.appspot.com/x/patch.diff?x=15b99a6f980000
> > 
> > Note: testing is done by a robot and is best-effort only.
> > 
> > Best regards,
> > I Hsin Cheng
> > ---
> >  fs/bcachefs/btree_io.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/fs/bcachefs/btree_io.c b/fs/bcachefs/btree_io.c
> > index debb0edc3455..dc00c5273ffe 100644
> > --- a/fs/bcachefs/btree_io.c
> > +++ b/fs/bcachefs/btree_io.c
> > @@ -115,7 +115,7 @@ static void *btree_bounce_alloc(struct bch_fs *c, size_t size,
> >  	BUG_ON(size > c->opts.btree_node_size);
> >  
> >  	*used_mempool = false;
> > -	p = kvmalloc(size, __GFP_NOWARN|GFP_NOWAIT);
> > +	p = kvzalloc(size, __GFP_NOWARN|GFP_NOWAIT);
> >  	if (!p) {
> >  		*used_mempool = true;
> >  		p = mempool_alloc(&c->btree_bounce_pool, GFP_NOFS);
> > -- 
> > 2.43.0
> > 
* Re: [PATCH] bcachefs: Fix unit-value within btree_bounce_alloc()
From: Kent Overstreet @ 2025-04-26 15:03 UTC
To: I Hsin Cheng
Cc: syzbot+549710bad9c798e25b15, bfoster, linux-bcachefs, linux-kernel, davem, herbert, linux-crypto, syzkaller-bugs, skhan, linux-kernel-mentees

On Sat, Apr 26, 2025 at 12:53:49AM +0800, I Hsin Cheng wrote:
> On Wed, Apr 23, 2025 at 12:45:20PM -0400, Kent Overstreet wrote:
> > On Thu, Apr 24, 2025 at 12:37:18AM +0800, I Hsin Cheng wrote:
> > > Use "kvzalloc()" instead of "kvmalloc()" in btree_bounce_alloc() to
> > > prevent uninit-value issue.
> > > 
> > > Reported-by: syzbot+549710bad9c798e25b15@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=549710bad9c798e25b15
> > > Fixes: cb6fc943b650 ("bcachefs: kill kvpmalloc()")
> > > Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
> > > ---
> > > syzbot reported an uninit-value issue. [1]
> > > 
> > > Though the uninit value was detected in the context of crc32_body(), the
> > > memory was actually allocated in "btree_bounce_alloc()". Using
> > > "kvzalloc()" to allocate the memory can solve the issue, and I've tested
> > > against syzbot. [2]
> > > 
> > > If there are any further tests that need to be performed, please let me
> > > know. I'll be more than happy to assist you with that, thanks!
> > 
> > See Documentation/filesystems/bcachefs/SubmittingPatches.
> > 
> 
> Sure! Thanks for the info.
> 
> > And this isn't the correct fix - the correct fix is already in Linus's
> > tree.
> 
> Ahh ok, may I ask for the commit hash or title so I can learn from it?

9c3a2c9b471a bcachefs: Disable asm memcpys when kmsan enabled