Re: KMSAN: uninit-value in io_rw_fail

[xingwei lee <xrivendell7@gmail.com>]

Jens Axboe <axboe@kernel.dk> 于2023年12月21日周四 23:46写道：


On 12/21/23 3:58 AM, xingwei lee wrote:

Hello I found a bug in io_uring and comfirmed at the latest upstream
mainine linux.
TITLE: KMSAN: uninit-value in io_rw_fail
and I find this bug maybe existed in the
https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285 but do
not have a stable reproducer.
However, I generate a stable reproducer and comfirmed in the latest mainline.


I took a look at that one and can't see anything wrong, is that one
still triggering? In any case, this one is different, as it's the writev
path. Can you try the below?

diff --git a/io_uring/rw.c b/io_uring/rw.c
index 4943d683508b..0c856726b15d 100644
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct
io_kiocb *req, int rw)
      struct iovec *iov;
      int ret;

+       iorw->bytes_done = 0;
+       iorw->free_iovec = NULL;
+
      /* submission path, ->uring_lock should already be taken */
      ret = io_import_iovec(rw, req, &iov, &iorw->s, 0);
      if (unlikely(ret < 0))
              return ret;

-       iorw->bytes_done = 0;
-       iorw->free_iovec = iov;
-       if (iov)
+       if (iov) {
+               iorw->free_iovec = iov;
              req->flags |= REQ_F_NEED_CLEANUP;
+       }
+
      return 0;
}


--
Jens Axboe

Hi Jens!
I test your patch in the lastest mainline commit:
5254c0cbc92d2a08e75443bdb914f1c4839cdf5a
without your patch kmsan still trigger the issue like this:

syzkaller login: root
lsLinux syzkaller 6.7.0-rc6-00248-g5254c0cbc92d #7 SMP PREEMPT_DYNAMIC
Sat Dec 23 16:19:30 CST 2023 x86_64

[  144.535556][ T8092] =====================================================
[  144.538187][ T8092] BUG: KMSAN: uninit-value in io_rw_fail+0x191/0x1a0
[  144.539959][ T8092]  io_rw_fail+0x191/0x1a0
[  144.541020][ T8092]  io_req_defer_failed+0x1fa/0x380
[  144.542458][ T8092]  io_queue_sqe_fallback+0x200/0x260
[  144.543714][ T8092]  io_submit_sqes+0x2466/0x2fc0
[  144.544880][ T8092]  __se_sys_io_uring_enter+0x3bd/0x4120
[  144.546222][ T8092]  __x64_sys_io_uring_enter+0x110/0x190
[  144.547673][ T8092]  do_syscall_64+0x44/0x110
[  144.549724][ T8092]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  144.551518][ T8092]
[  144.552075][ T8092] Uninit was created at:
[  144.553119][ T8092]  slab_post_alloc_hook+0x103/0x9e0
[  144.554387][ T8092]  __kmem_cache_alloc_node+0x5d5/0x9b0
[  144.555672][ T8092]  __kmalloc+0x118/0x410
[  144.556694][ T8092]  io_req_prep_async+0x376/0x590
[  144.557968][ T8092]  io_queue_sqe_fallback+0x98/0x260
[  144.559246][ T8092]  io_submit_sqes+0x2466/0x2fc0
[  144.560397][ T8092]  __se_sys_io_uring_enter+0x3bd/0x4120
[  144.561706][ T8092]  __x64_sys_io_uring_enter+0x110/0x190
[  144.563024][ T8092]  do_syscall_64+0x44/0x110
[  144.564122][ T8092]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  144.565559][ T8092]
[  144.566140][ T8092] CPU: 2 PID: 8092 Comm: 5e5 Not tainted
6.7.0-rc6-00248-g5254c0cbc92d #7
[  144.567756][ T8092] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/01/2014
[  144.569423][ T8092] =====================================================
[  144.570623][ T8092] Disabling lock debugging due to kernel taint
[  144.571689][ T8092] Kernel panic - not syncing: kmsan.panic set ...
[  144.572796][ T8092] CPU: 2 PID: 8092 Comm: 5e5 Tainted: G    B
        6.7.0-rc6-00248-g5254c0cbc92d #7
[  144.574525][ T8092] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/01/2014
[  144.576180][ T8092] Call Trace:
[  144.576782][ T8092]  <TASK>
[  144.577329][ T8092]  dump_stack_lvl+0x1af/0x230
[  144.578192][ T8092]  dump_stack+0x1e/0x20
[  144.578957][ T8092]  panic+0x4d6/0xc60
[  144.579714][ T8092]  kmsan_report+0x2d7/0x2e0
[  144.580753][ T8092]  ? kmsan_internal_set_shadow_origin+0x6c/0xe0
[  144.581892][ T8092]  ? __msan_warning+0x96/0x110
[  144.583055][ T8092]  ? io_rw_fail+0x191/0x1a0
[  144.583952][ T8092]  ? io_req_defer_failed+0x1fa/0x380
[  144.584903][ T8092]  ? io_queue_sqe_fallback+0x200/0x260
[  144.585884][ T8092]  ? io_submit_sqes+0x2466/0x2fc0
[  144.586798][ T8092]  ? __se_sys_io_uring_enter+0x3bd/0x4120
[  144.587825][ T8092]  ? __x64_sys_io_uring_enter+0x110/0x190
[  144.588848][ T8092]  ? do_syscall_64+0x44/0x110
[  144.589707][ T8092]  ? entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  144.590807][ T8092]  ? kmsan_get_shadow_origin_ptr+0x4c/0xa0
[  144.591866][ T8092]  ? __import_iovec+0x2b8/0xed0
[  144.592746][ T8092]  ? __stack_depot_save+0x37e/0x4a0
[  144.593688][ T8092]  ? kmsan_internal_set_shadow_origin+0x6c/0xe0
[  144.594818][ T8092]  ? kmsan_get_shadow_origin_ptr+0x4c/0xa0
[  144.595876][ T8092]  ? io_import_iovec+0x7d1/0x9d0
[  144.596776][ T8092]  ? kmsan_get_shadow_origin_ptr+0x4c/0xa0
[  144.597844][ T8092]  __msan_warning+0x96/0x110
[  144.598689][ T8092]  io_rw_fail+0x191/0x1a0
[  144.599489][ T8092]  ? io_setup_async_rw+0x7d0/0x7d0
[  144.600419][ T8092]  io_req_defer_failed+0x1fa/0x380
[  144.601349][ T8092]  io_queue_sqe_fallback+0x200/0x260
[  144.602320][ T8092]  io_submit_sqes+0x2466/0x2fc0
[  144.603270][ T8092]  __se_sys_io_uring_enter+0x3bd/0x4120
[  144.604075][ T8092]  ? kmsan_get_shadow_origin_ptr+0x4c/0xa0
[  144.604731][ T8092]  __x64_sys_io_uring_enter+0x110/0x190
[  144.605359][ T8092]  do_syscall_64+0x44/0x110
[  144.605867][ T8092]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  144.606525][ T8092] RIP: 0033:0x432e39
[  144.606959][ T8092] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17
00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8
[  144.608998][ T8092] RSP: 002b:00007ffcbc551c78 EFLAGS: 00000216
ORIG_RAX: 00000000000001aa
[  144.609905][ T8092] RAX: ffffffffffffffda RBX: 00007ffcbc551eb8
RCX: 0000000000432e39
[  144.610758][ T8092] RDX: 0000000000000000 RSI: 0000000000002d3e
RDI: 0000000000000003
[  144.611601][ T8092] RBP: 00007ffcbc551ca0 R08: 0000000000000000
R09: 0000000000000000
[  144.612452][ T8092] R10: 0000000000000000 R11: 0000000000000216
R12: 0000000000000001
[  144.613299][ T8092] R13: 00007ffcbc551ea8 R14: 0000000000000001
R15: 0000000000000001
[  144.614149][ T8092]  </TASK>
[  144.615019][ T8092] Kernel Offset: disabled
[  144.615507][ T8092] Rebooting in 86400 seconds..


with the patch that you provided make a little change to apply to this
commit: 5254c0cbc92d2a08e75443bdb914f1c4839cdf5a

diff --git a/io_uring/rw.c b/io_uring/rw.c
index 4943d683508b..0c856726b15d 100644
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct
io_kiocb *req, int rw)
      struct iovec *iov;
      int ret;

+       iorw->bytes_done = 0;
+       iorw->free_iovec = NULL;
+
      /* submission path, ->uring_lock should already be taken */
      ret = io_import_iovec(rw, req, &iov, &iorw->s, 0);
      if (unlikely(ret < 0))
              return ret;

-       iorw->bytes_done = 0;
-       iorw->free_iovec = iov;
-       if (iov)
+       if (iov) {
+               iorw->free_iovec = iov;
              req->flags |= REQ_F_NEED_CLEANUP;
+       }
+
      return 0;
}

since the reproducer is in a loop
and I ran for about 30 minutes it didn't trigger any issues.

I hope it helps.

Best regards.
xingwei Lee