Re: KMSAN: uninit-value in io_rw_fail

[Jens Axboe <axboe@kernel.dk>]

On 12/21/23 3:58 AM, xingwei lee wrote:
> Hello I found a bug in io_uring and comfirmed at the latest upstream
> mainine linux.
> TITLE: KMSAN: uninit-value in io_rw_fail
> and I find this bug maybe existed in the
> https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285 but do
> not have a stable reproducer.
> However, I generate a stable reproducer and comfirmed in the latest mainline.

I took a look at that one and can't see anything wrong, is that one
still triggering? In any case, this one is different, as it's the writev
path. Can you try the below?

diff --git a/io_uring/rw.c b/io_uring/rw.c
index 4943d683508b..0c856726b15d 100644
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct io_kiocb *req, int rw)
 	struct iovec *iov;
 	int ret;
 
+	iorw->bytes_done = 0;
+	iorw->free_iovec = NULL;
+
 	/* submission path, ->uring_lock should already be taken */
 	ret = io_import_iovec(rw, req, &iov, &iorw->s, 0);
 	if (unlikely(ret < 0))
 		return ret;
 
-	iorw->bytes_done = 0;
-	iorw->free_iovec = iov;
-	if (iov)
+	if (iov) {
+		iorw->free_iovec = iov;
 		req->flags |= REQ_F_NEED_CLEANUP;
+	}
+
 	return 0;
 }
 

-- 
Jens Axboe