* KMSAN: uninit-value in io_rw_fail
@ 2023-12-21 10:58 xingwei lee
From: xingwei lee @ 2023-12-21 10:58 UTC (permalink / raw)
  To: axboe, syzbot+12dde80bf174ac8ae285
  Cc: asml.silence, io-uring, linux-kernel, syzkaller-bugs, glider

Hello, I found a bug in io_uring and confirmed it on the latest upstream
mainline Linux.
TITLE: KMSAN: uninit-value in io_rw_fail
This looks like the same bug as
https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285, which does
not have a stable reproducer.
However, I generated a stable reproducer and confirmed it on the latest mainline.

If you fix this issue, please add the following tag to the commit:
Reported-by: xingwei lee <[email protected]>

kernel: mainline a4aebe936554dac6a91e5d091179c934f8325708
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=4a65fa9f077ead01
with KMSAN enabled
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40


=* repro.c =*
#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef __NR_io_uring_enter
#define __NR_io_uring_enter 426
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

/* Block the calling thread for roughly @ms milliseconds (usleep granularity). */
static void sleep_ms(uint64_t ms) {
  useconds_t micros = (useconds_t)(ms * 1000);
  usleep(micros);
}

/*
 * Milliseconds elapsed on CLOCK_MONOTONIC. Exits the process if the clock
 * cannot be read, so callers never see a bogus timestamp.
 */
static uint64_t current_time_ms(void) {
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  uint64_t ms = (uint64_t)now.tv_sec * 1000;
  ms += (uint64_t)now.tv_nsec / 1000000;
  return ms;
}

/*
 * Format @what with the trailing arguments (truncated to 1023 bytes) and write
 * the result to @file with a single write(2). Returns true only if the whole
 * formatted string was written; on failure errno describes the failing
 * open() or write() call.
 */
static bool write_file(const char* file, const char* what, ...) {
  char text[1024];
  va_list ap;
  va_start(ap, what);
  vsnprintf(text, sizeof(text), what, ap);
  va_end(ap);
  text[sizeof(text) - 1] = 0; /* vsnprintf already terminates; belt and braces */
  size_t len = strlen(text);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd < 0)
    return false;
  ssize_t written = write(fd, text, len);
  if (written < 0 || (size_t)written != len) {
    int saved = errno; /* close() may clobber errno; report the write failure */
    close(fd);
    errno = saved;
    return false;
  }
  close(fd);
  return true;
}

#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

/* Mirrors the kernel UAPI layout of struct io_sqring_offsets: byte offsets
 * into the SQ ring mapping, filled in by io_uring_setup(). Declared locally so
 * the repro builds without liburing or a recent UAPI header. */
struct io_sqring_offsets {
 uint32_t head;
 uint32_t tail;
 uint32_t ring_mask;
 uint32_t ring_entries;
 uint32_t flags;
 uint32_t dropped;
 uint32_t array; /* offset of the SQ index array; used by syz_io_uring_setup */
 uint32_t resv1;
 uint64_t resv2;
};

/* Mirrors the kernel UAPI layout of struct io_cqring_offsets: byte offsets
 * into the CQ part of the ring mapping, filled in by io_uring_setup(). */
struct io_cqring_offsets {
 uint32_t head;
 uint32_t tail;
 uint32_t ring_mask;
 uint32_t ring_entries;
 uint32_t overflow;
 uint32_t cqes; /* offset of the CQE array; used to size the ring mapping */
 uint64_t resv[2];
};

/* Mirrors the kernel UAPI layout of struct io_uring_params (the in/out
 * argument of io_uring_setup()). execute_one() fills it at 0x200001c0 by
 * absolute address rather than through these field names. Note that the
 * field at offset 0x18 is called wq_fd in the real UAPI header; here it is
 * resv[0] -- TODO confirm against <linux/io_uring.h> if the layout matters. */
struct io_uring_params {
 uint32_t sq_entries;
 uint32_t cq_entries;
 uint32_t flags;
 uint32_t sq_thread_cpu;
 uint32_t sq_thread_idle;
 uint32_t features;
 uint32_t resv[4];
 struct io_sqring_offsets sq_off; /* read back by syz_io_uring_setup */
 struct io_cqring_offsets cq_off; /* read back by syz_io_uring_setup */
};

#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

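/*
 * Wrapper around io_uring_setup(2) that also maps the SQ/CQ ring and the SQE
 * array and fills the SQ index array with the identity mapping 0..entries-1.
 *
 * a0: number of SQ entries requested
 * a1: struct io_uring_params* (in/out, filled by the kernel)
 * a2: void** receiving the ring mapping
 * a3: void** receiving the SQE array mapping
 *
 * Returns the ring fd, or -1 with errno set by the failing call. The previous
 * version stored the fd in a uint32_t, so a failed setup came back as
 * 0xffffffff (never equal to the caller's -1 check) and the function went on
 * to write through MAP_FAILED; every failure is now reported before any
 * memory is touched, and the output pointers are left untouched on failure.
 */
static long syz_io_uring_setup(volatile long a0, volatile long a1,
                               volatile long a2, volatile long a3) {
  uint32_t entries = (uint32_t)a0;
  struct io_uring_params* setup_params = (struct io_uring_params*)a1;
  void** ring_ptr_out = (void**)a2;
  void** sqes_ptr_out = (void**)a3;
  long fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
  if (fd_io_uring < 0)
    return -1;
  /* The kernel reports where the SQ index array and the CQEs live; the ring
   * mapping must be large enough to cover whichever of the two ends later. */
  uint32_t sq_ring_sz =
      setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
  uint32_t cq_ring_sz = setup_params->cq_off.cqes +
                        setup_params->cq_entries * SIZEOF_IO_URING_CQE;
  uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
  void* ring = mmap(0, ring_sz, PROT_READ | PROT_WRITE,
                    MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING);
  if (ring == MAP_FAILED) {
    int saved = errno;
    close((int)fd_io_uring);
    errno = saved;
    return -1;
  }
  uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
  void* sqes = mmap(0, sqes_sz, PROT_READ | PROT_WRITE,
                    MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
  if (sqes == MAP_FAILED) {
    int saved = errno;
    munmap(ring, ring_sz);
    close((int)fd_io_uring);
    errno = saved;
    return -1;
  }
  *ring_ptr_out = ring;
  *sqes_ptr_out = sqes;
  /* Identity-map the SQ array so syz_io_uring_submit can index SQEs directly
   * by tail position. Bound the loop by the sq_entries the kernel actually
   * gave us so it can never run past the mapped array. */
  uint32_t slots = setup_params->sq_entries;
  if (entries < slots)
    slots = entries;
  uint32_t* array =
      (uint32_t*)((uintptr_t)ring + setup_params->sq_off.array);
  for (uint32_t index = 0; index < slots; index++)
    array[index] = index;
  return fd_io_uring;
}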

/*
 * Copy one 64-byte SQE into the next free slot of the SQE array and publish it
 * by bumping the SQ tail with a release store. There is no overflow check:
 * the caller is trusted to keep at most ring_entries SQEs outstanding.
 *
 * a0: ring mapping, a1: SQE array mapping, a2: the SQE to copy. Always 0.
 */
static long syz_io_uring_submit(volatile long a0, volatile long a1,
                                volatile long a2) {
  char* ring = (char*)a0;
  char* sqes = (char*)a1;
  const char* src_sqe = (const char*)a2;
  uint32_t* tail_ptr = (uint32_t*)(ring + SQ_TAIL_OFFSET);
  uint32_t mask = *(uint32_t*)(ring + SQ_RING_MASK_OFFSET);
  uint32_t tail = *tail_ptr;
  /* tail & mask selects the slot; the identity SQ array written by
   * syz_io_uring_setup maps slot index straight to SQE index. */
  memcpy(sqes + (size_t)(tail & mask) * SIZEOF_IO_URING_SQE, src_sqe,
         SIZEOF_IO_URING_SQE);
  __atomic_store_n(tail_ptr, tail + 1, __ATOMIC_RELEASE);
  return 0;
}

/*
 * SIGKILL @pid and its whole process group, then reap it. If the child has not
 * been reaped after ~100 ms of polling, the syzkaller harness assumes it may
 * be blocked in a FUSE request: every FUSE connection is aborted via sysfs and
 * then we wait unconditionally. @status receives the waitpid status of @pid.
 */
static void kill_and_wait(int pid, int* status) {
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int attempt = 0; attempt < 100; attempt++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  /* Still alive: kick any FUSE connection it might be stuck on. Writing any
   * single byte to the abort file is enough; errors are deliberately ignored
   * because the connection may already be gone. */
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    struct dirent* ent;
    while ((ent = readdir(dir)) != NULL) {
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char path[300];
      snprintf(path, sizeof(path), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(path, O_WRONLY);
      if (fd < 0)
        continue;
      (void)write(fd, path, 1);
      close(fd);
    }
    closedir(dir);
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

/*
 * Per-child setup run right after fork(): die with the parent, own a process
 * group so kill(-pid) in the parent reaches grandchildren, and volunteer as
 * the first OOM-killer victim.
 */
static void setup_test() {
  (void)prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  (void)setpgrp();
  const char* oom_path = "/proc/self/oom_score_adj";
  (void)write_file(oom_path, "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Fork-and-run forever: each iteration runs execute_one() in a fresh child,
 * polls for it for up to 5 seconds, and kills it (and its process group) if
 * it overruns. Never returns; the parent only exits if fork() fails.
 */
static void loop(void) {
  for (int iter = 0;; iter++) {
    int child = fork();
    if (child < 0)
      exit(1);
    if (child == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t deadline = current_time_ms() + 5000;
    while (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) != child) {
      sleep_ms(1);
      if (current_time_ms() >= deadline) {
        kill_and_wait(child, &status);
        break;
      }
    }
  }
}

/* Resources captured by execute_one(): r[0] = io_uring fd, r[1] = ring
 * mapping, r[2] = SQE array mapping. r[0] keeps its -1 sentinel until setup
 * succeeds. */
uint64_t r[3] = {0xffffffffffffffff, 0x0, 0x0};

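/*
 * One reproducer iteration, run inside a fresh child by loop(): create an
 * io_uring, queue a single IORING_OP_WRITEV SQE and submit it. All scratch
 * data lives in the fixed anonymous mapping at 0x20000000 created by main(),
 * which is why the addresses below are absolute.
 *
 * Fix over the generated code: if setup fails we return instead of calling
 * syz_io_uring_submit with r[1] == r[2] == 0, which would dereference NULL.
 */
void execute_one(void) {
  intptr_t res = 0;
  /* struct io_uring_params at 0x200001c0 (see the local definition above):
   * +0x04 cq_entries = 0, +0x08 flags = 0x10100 (IORING_SETUP_* bits),
   * +0x0c sq_thread_cpu = 0, +0x10 sq_thread_idle = 0, +0x18 = -1,
   * +0x1c..+0x27 zeroed. sq_entries (+0x00) and features (+0x14) are left
   * alone; presumably they are kernel outputs. */
  *(uint32_t*)0x200001c4 = 0;
  *(uint32_t*)0x200001c8 = 0x10100;
  *(uint32_t*)0x200001cc = 0;
  *(uint32_t*)0x200001d0 = 0;
  *(uint32_t*)0x200001d8 = -1;
  memset((void*)0x200001dc, 0, 12);
  res = syz_io_uring_setup(/*entries=*/0x24f7, /*params=*/0x200001c0,
                           /*ring_ptr=*/0x20000040, /*sqes_ptr=*/0x20000100);
  if (res == -1)
    return; /* no ring: r[] keeps its sentinels and there is nothing to submit */
  r[0] = res;
  r[1] = *(uint64_t*)0x20000040;
  r[2] = *(uint64_t*)0x20000100;
  /* 64-byte SQE at 0x20000740, matching repro.txt's
   * @IORING_OP_WRITEV={0x2, 0x10, 0x0, @fd_index, 0x0, 0x0, 0xfffffffffffffe08}:
   * +0x00 opcode = 2 (IORING_OP_WRITEV), +0x01 flags = 0x10, +0x02 ioprio = 0,
   * +0x04 fd = 0, +0x08 off = 0, +0x10 addr = 0, +0x18 len = 0xfffffe08
   * (for WRITEV this is the iovec count, far beyond any sane limit -- which
   * is presumably what drives the request down the prep-failure path seen in
   * the KMSAN report), +0x1c = 0, +0x20 user_data = 0, remainder zeroed. */
  *(uint8_t*)0x20000740 = 2;
  *(uint8_t*)0x20000741 = 0x10;
  *(uint16_t*)0x20000742 = 0;
  *(uint32_t*)0x20000744 = 0;
  *(uint64_t*)0x20000748 = 0;
  *(uint64_t*)0x20000750 = 0;
  *(uint32_t*)0x20000758 = 0xfffffe08;
  *(uint32_t*)0x2000075c = 0;
  *(uint64_t*)0x20000760 = 0;
  *(uint16_t*)0x20000768 = 0;
  *(uint16_t*)0x2000076a = 0;
  memset((void*)0x2000076c, 0, 20);
  syz_io_uring_submit(/*ring_ptr=*/r[1], /*sqes_ptr=*/r[2], /*sqe=*/0x20000740);
  /* to_submit = 0x2d3e is far more than the one SQE queued; the value is kept
   * verbatim from the generated reproducer. */
  syscall(__NR_io_uring_enter, /*fd=*/r[0], /*to_submit=*/0x2d3e,
          /*min_complete=*/0, /*flags=*/0ul, /*sigmask=*/0ul, /*size=*/0ul);
}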
/*
 * Entry point: reserve the fixed scratch region used by execute_one() -- a
 * 16 MiB read/write/execute window at 0x20000000 fenced by an inaccessible
 * page on each side -- then run the fork loop forever.
 */
int main(void) {
  const unsigned long guard_lo = 0x1ffff000ul;
  const unsigned long scratch = 0x20000000ul;
  const unsigned long guard_hi = 0x21000000ul;
  /* Raw syscall, so numeric values are used: flags 0x32 is
   * MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS on x86-64, prot 7 is RWX, 0 none. */
  syscall(__NR_mmap, guard_lo, /*len=*/0x1000ul, /*prot=*/0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, scratch, /*len=*/0x1000000ul, /*prot=*/7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, guard_hi, /*len=*/0x1000ul, /*prot=*/0ul, 0x32ul, -1, 0ul);
  loop();
  return 0;
}


=* repro.txt =*
r0 = syz_io_uring_setup(0x24f7, &(0x7f00000001c0)={0x0, 0x0, 0x10100},
&(0x7f0000000040)=<r1=>0x0, &(0x7f0000000100)=<r2=>0x0)
syz_io_uring_submit(r1, r2, &(0x7f0000000740)=@IORING_OP_WRITEV={0x2,
0x10, 0x0, @fd_index, 0x0, 0x0, 0xfffffffffffffe08})
io_uring_enter(r0, 0x2d3e, 0x0, 0x0, 0x0, 0x0)


Please also see:
https://gist.github.com/xrivendell7/0adf878b11e3a71676e1dc696e1c9398
I hope it helps.
Thanks!

Best regards.
xingwei Lee


* Re: KMSAN: uninit-value in io_rw_fail
From: Jens Axboe @ 2023-12-21 15:46 UTC (permalink / raw)
  To: xingwei lee, syzbot+12dde80bf174ac8ae285
  Cc: asml.silence, io-uring, linux-kernel, syzkaller-bugs, glider

On 12/21/23 3:58 AM, xingwei lee wrote:
> Hello I found a bug in io_uring and comfirmed at the latest upstream
> mainine linux.
> TITLE: KMSAN: uninit-value in io_rw_fail
> and I find this bug maybe existed in the
> https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285 but do
> not have a stable reproducer.
> However, I generate a stable reproducer and comfirmed in the latest mainline.

I took a look at that one and can't see anything wrong, is that one
still triggering? In any case, this one is different, as it's the writev
path. Can you try the below?

diff --git a/io_uring/rw.c b/io_uring/rw.c
index 4943d683508b..0c856726b15d 100644
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct io_kiocb *req, int rw)
 	struct iovec *iov;
 	int ret;
 
+	iorw->bytes_done = 0;
+	iorw->free_iovec = NULL;
+
 	/* submission path, ->uring_lock should already be taken */
 	ret = io_import_iovec(rw, req, &iov, &iorw->s, 0);
 	if (unlikely(ret < 0))
 		return ret;
 
-	iorw->bytes_done = 0;
-	iorw->free_iovec = iov;
-	if (iov)
+	if (iov) {
+		iorw->free_iovec = iov;
 		req->flags |= REQ_F_NEED_CLEANUP;
+	}
+
 	return 0;
 }
 
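Review bot: The two assignments hoisted above io_import_iovec() have no comment saying why they must precede it, so the next tidy-up can move them back next to the `if (iov)` block and silently reintroduce the report. Suggest placing `/* Set before io_import_iovec() can fail: the failure path (io_req_defer_failed -> io_rw_fail) reads these, and the async data is plain kmalloc, not zeroed. */` above `iorw->bytes_done = 0;`. The report's origin trace on this page shows the allocation coming from __kmalloc in io_req_prep_async, so any other member of iorw that io_rw_fail touches on this early return (the iov_iter state in iorw->s, for instance) would need the same treatment; whether it does is not visible in the hunk. io_rw_prep_async's signature and the declaration of iorw are above the hunk.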

-- 
Jens Axboe



* Re: KMSAN: uninit-value in io_rw_fail
From: xingwei lee @ 2023-12-23  9:07 UTC (permalink / raw)
  To: Jens Axboe
  Cc: syzbot+12dde80bf174ac8ae285, asml.silence, io-uring,
	linux-kernel, syzkaller-bugs, glider

Jens Axboe <[email protected]> 于2023年12月21日周四 23:46写道:


On 12/21/23 3:58 AM, xingwei lee wrote:

Hello I found a bug in io_uring and comfirmed at the latest upstream
mainine linux.
TITLE: KMSAN: uninit-value in io_rw_fail
and I find this bug maybe existed in the
https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285 but do
not have a stable reproducer.
However, I generate a stable reproducer and comfirmed in the latest mainline.


I took a look at that one and can't see anything wrong, is that one
still triggering? In any case, this one is different, as it's the writev
path. Can you try the below?

diff --git a/io_uring/rw.c b/io_uring/rw.c
index 4943d683508b..0c856726b15d 100644
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct
io_kiocb *req, int rw)
      struct iovec *iov;
      int ret;

+       iorw->bytes_done = 0;
+       iorw->free_iovec = NULL;
+
      /* submission path, ->uring_lock should already be taken */
      ret = io_import_iovec(rw, req, &iov, &iorw->s, 0);
      if (unlikely(ret < 0))
              return ret;

-       iorw->bytes_done = 0;
-       iorw->free_iovec = iov;
-       if (iov)
+       if (iov) {
+               iorw->free_iovec = iov;
              req->flags |= REQ_F_NEED_CLEANUP;
+       }
+
      return 0;
}


--
Jens Axboe

Hi Jens!
I tested your patch on the latest mainline commit:
5254c0cbc92d2a08e75443bdb914f1c4839cdf5a
Without your patch, KMSAN still triggers the issue, like this:

syzkaller login: root
lsLinux syzkaller 6.7.0-rc6-00248-g5254c0cbc92d #7 SMP PREEMPT_DYNAMIC
Sat Dec 23 16:19:30 CST 2023 x86_64

[  144.535556][ T8092] =====================================================
[  144.538187][ T8092] BUG: KMSAN: uninit-value in io_rw_fail+0x191/0x1a0
[  144.539959][ T8092]  io_rw_fail+0x191/0x1a0
[  144.541020][ T8092]  io_req_defer_failed+0x1fa/0x380
[  144.542458][ T8092]  io_queue_sqe_fallback+0x200/0x260
[  144.543714][ T8092]  io_submit_sqes+0x2466/0x2fc0
[  144.544880][ T8092]  __se_sys_io_uring_enter+0x3bd/0x4120
[  144.546222][ T8092]  __x64_sys_io_uring_enter+0x110/0x190
[  144.547673][ T8092]  do_syscall_64+0x44/0x110
[  144.549724][ T8092]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  144.551518][ T8092]
[  144.552075][ T8092] Uninit was created at:
[  144.553119][ T8092]  slab_post_alloc_hook+0x103/0x9e0
[  144.554387][ T8092]  __kmem_cache_alloc_node+0x5d5/0x9b0
[  144.555672][ T8092]  __kmalloc+0x118/0x410
[  144.556694][ T8092]  io_req_prep_async+0x376/0x590
[  144.557968][ T8092]  io_queue_sqe_fallback+0x98/0x260
[  144.559246][ T8092]  io_submit_sqes+0x2466/0x2fc0
[  144.560397][ T8092]  __se_sys_io_uring_enter+0x3bd/0x4120
[  144.561706][ T8092]  __x64_sys_io_uring_enter+0x110/0x190
[  144.563024][ T8092]  do_syscall_64+0x44/0x110
[  144.564122][ T8092]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  144.565559][ T8092]
[  144.566140][ T8092] CPU: 2 PID: 8092 Comm: 5e5 Not tainted
6.7.0-rc6-00248-g5254c0cbc92d #7
[  144.567756][ T8092] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/01/2014
[  144.569423][ T8092] =====================================================
[  144.570623][ T8092] Disabling lock debugging due to kernel taint
[  144.571689][ T8092] Kernel panic - not syncing: kmsan.panic set ...
[  144.572796][ T8092] CPU: 2 PID: 8092 Comm: 5e5 Tainted: G    B
        6.7.0-rc6-00248-g5254c0cbc92d #7
[  144.574525][ T8092] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/01/2014
[  144.576180][ T8092] Call Trace:
[  144.576782][ T8092]  <TASK>
[  144.577329][ T8092]  dump_stack_lvl+0x1af/0x230
[  144.578192][ T8092]  dump_stack+0x1e/0x20
[  144.578957][ T8092]  panic+0x4d6/0xc60
[  144.579714][ T8092]  kmsan_report+0x2d7/0x2e0
[  144.580753][ T8092]  ? kmsan_internal_set_shadow_origin+0x6c/0xe0
[  144.581892][ T8092]  ? __msan_warning+0x96/0x110
[  144.583055][ T8092]  ? io_rw_fail+0x191/0x1a0
[  144.583952][ T8092]  ? io_req_defer_failed+0x1fa/0x380
[  144.584903][ T8092]  ? io_queue_sqe_fallback+0x200/0x260
[  144.585884][ T8092]  ? io_submit_sqes+0x2466/0x2fc0
[  144.586798][ T8092]  ? __se_sys_io_uring_enter+0x3bd/0x4120
[  144.587825][ T8092]  ? __x64_sys_io_uring_enter+0x110/0x190
[  144.588848][ T8092]  ? do_syscall_64+0x44/0x110
[  144.589707][ T8092]  ? entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  144.590807][ T8092]  ? kmsan_get_shadow_origin_ptr+0x4c/0xa0
[  144.591866][ T8092]  ? __import_iovec+0x2b8/0xed0
[  144.592746][ T8092]  ? __stack_depot_save+0x37e/0x4a0
[  144.593688][ T8092]  ? kmsan_internal_set_shadow_origin+0x6c/0xe0
[  144.594818][ T8092]  ? kmsan_get_shadow_origin_ptr+0x4c/0xa0
[  144.595876][ T8092]  ? io_import_iovec+0x7d1/0x9d0
[  144.596776][ T8092]  ? kmsan_get_shadow_origin_ptr+0x4c/0xa0
[  144.597844][ T8092]  __msan_warning+0x96/0x110
[  144.598689][ T8092]  io_rw_fail+0x191/0x1a0
[  144.599489][ T8092]  ? io_setup_async_rw+0x7d0/0x7d0
[  144.600419][ T8092]  io_req_defer_failed+0x1fa/0x380
[  144.601349][ T8092]  io_queue_sqe_fallback+0x200/0x260
[  144.602320][ T8092]  io_submit_sqes+0x2466/0x2fc0
[  144.603270][ T8092]  __se_sys_io_uring_enter+0x3bd/0x4120
[  144.604075][ T8092]  ? kmsan_get_shadow_origin_ptr+0x4c/0xa0
[  144.604731][ T8092]  __x64_sys_io_uring_enter+0x110/0x190
[  144.605359][ T8092]  do_syscall_64+0x44/0x110
[  144.605867][ T8092]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  144.606525][ T8092] RIP: 0033:0x432e39
[  144.606959][ T8092] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17
00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8
[  144.608998][ T8092] RSP: 002b:00007ffcbc551c78 EFLAGS: 00000216
ORIG_RAX: 00000000000001aa
[  144.609905][ T8092] RAX: ffffffffffffffda RBX: 00007ffcbc551eb8
RCX: 0000000000432e39
[  144.610758][ T8092] RDX: 0000000000000000 RSI: 0000000000002d3e
RDI: 0000000000000003
[  144.611601][ T8092] RBP: 00007ffcbc551ca0 R08: 0000000000000000
R09: 0000000000000000
[  144.612452][ T8092] R10: 0000000000000000 R11: 0000000000000216
R12: 0000000000000001
[  144.613299][ T8092] R13: 00007ffcbc551ea8 R14: 0000000000000001
R15: 0000000000000001
[  144.614149][ T8092]  </TASK>
[  144.615019][ T8092] Kernel Offset: disabled
[  144.615507][ T8092] Rebooting in 86400 seconds..


With the patch you provided, slightly adjusted so that it applies on top of
this commit: 5254c0cbc92d2a08e75443bdb914f1c4839cdf5a

diff --git a/io_uring/rw.c b/io_uring/rw.c
index 4943d683508b..0c856726b15d 100644
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct
io_kiocb *req, int rw)
      struct iovec *iov;
      int ret;

+       iorw->bytes_done = 0;
+       iorw->free_iovec = NULL;
+
      /* submission path, ->uring_lock should already be taken */
      ret = io_import_iovec(rw, req, &iov, &iorw->s, 0);
      if (unlikely(ret < 0))
              return ret;

-       iorw->bytes_done = 0;
-       iorw->free_iovec = iov;
-       if (iov)
+       if (iov) {
+               iorw->free_iovec = iov;
              req->flags |= REQ_F_NEED_CLEANUP;
+       }
+
      return 0;
}

Since the reproducer runs in a loop, I let it run for about 30 minutes,
and it did not trigger any issues.

I hope it helps.

Best regards.
xingwei Lee


* Re: KMSAN: uninit-value in io_rw_fail
From: Jens Axboe @ 2023-12-23 14:56 UTC (permalink / raw)
  To: xingwei lee
  Cc: syzbot+12dde80bf174ac8ae285, asml.silence, io-uring,
	linux-kernel, syzkaller-bugs, glider

On 12/23/23 2:07 AM, xingwei lee wrote:
> with the patch that you provided make a little change to apply to this
> commit: 5254c0cbc92d2a08e75443bdb914f1c4839cdf5a
> 
> diff --git a/io_uring/rw.c b/io_uring/rw.c
> index 4943d683508b..0c856726b15d 100644
> --- a/io_uring/rw.c
> +++ b/io_uring/rw.c
> @@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct
> io_kiocb *req, int rw)
>       struct iovec *iov;
>       int ret;
> 
> +       iorw->bytes_done = 0;
> +       iorw->free_iovec = NULL;
> +
>       /* submission path, ->uring_lock should already be taken */
>       ret = io_import_iovec(rw, req, &iov, &iorw->s, 0);
>       if (unlikely(ret < 0))
>               return ret;
> 
> -       iorw->bytes_done = 0;
> -       iorw->free_iovec = iov;
> -       if (iov)
> +       if (iov) {
> +               iorw->free_iovec = iov;
>               req->flags |= REQ_F_NEED_CLEANUP;
> +       }
> +
>       return 0;
> }
> 
> since the reproducer is in a loop
> and I ran for about 30 minutes it didn't trigger any issues.
> 
> I hope it helps.

Yep, thanks for testing!

-- 
Jens Axboe


