From: Vlastimil Babka <vbabka@suse.cz>
To: syzbot <syzbot+b19c2dc2c990ea657a71@syzkaller.appspotmail.com>,
aarcange@redhat.com, akpm@linux-foundation.org,
glider@google.com, kirill.shutemov@linux.intel.com,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux@dominikbrodowski.net, mhocko@suse.com, rientjes@google.com,
syzkaller-bugs@googlegroups.com, xieyisheng1@huawei.com,
zhongjiang@huawei.com
Subject: Re: KMSAN: uninit-value in mpol_rebind_mm
Date: Thu, 3 Jan 2019 09:36:55 +0100 [thread overview]
Message-ID: <a71997c3-e8ae-a787-d5ce-3db05768b27c@suse.cz> (raw)
In-Reply-To: <000000000000c06550057e4cac7c@google.com>
On 12/31/18 8:51 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 79fc24ff6184 kmsan: highmem: use kmsan_clear_page() in cop..
> git tree: kmsan
> console output: https://syzkaller.appspot.com/x/log.txt?x=13c48b67400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=901dd030b2cc57e7
> dashboard link: https://syzkaller.appspot.com/bug?extid=b19c2dc2c990ea657a71
> compiler: clang version 8.0.0 (trunk 349734)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+b19c2dc2c990ea657a71@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:353 [inline]
> BUG: KMSAN: uninit-value in mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384
The report doesn't seem to indicate where the uninit value resides in
the mempolicy object. I'll have to guess. mm/mempolicy.c:353 contains:
if (!mpol_store_user_nodemask(pol) &&
nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
"mpol_store_user_nodemask(pol)" is testing pol->flags, which I couldn't
see being uninitialized after leaving mpol_new(). So I'll guess it's
actually about accessing pol->w.cpuset_mems_allowed on line 354.
For w.cpuset_mems_allowed to be not initialized and the nodes_equal()
reachable for a mempolicy where mpol_set_nodemask() is called in
do_mbind(), it seems the only possibility is a MPOL_PREFERRED policy
with empty set of nodes, i.e. MPOL_LOCAL equivalent. Let's see if the
patch below helps. This code is a maze to me. Note the uninit access
should be benign, rebinding this kind of policy is always a no-op.
----8<----
>From ff0ca29da6bc2572d7b267daa77ced6083e3f02d Mon Sep 17 00:00:00 2001
From: Vlastimil Babka <vbabka@suse.cz>
Date: Thu, 3 Jan 2019 09:31:59 +0100
Subject: [PATCH] mm, mempolicy: fix uninit memory access
---
mm/mempolicy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index d4496d9d34f5..a0b7487b9112 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -350,7 +350,7 @@ static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask)
{
if (!pol)
return;
- if (!mpol_store_user_nodemask(pol) &&
+ if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) &&
nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
return;
--
2.19.2
WARNING: multiple messages have this Message-ID
From: Vlastimil Babka <vbabka@suse.cz>
To: syzbot <syzbot+b19c2dc2c990ea657a71@syzkaller.appspotmail.com>,
aarcange@redhat.com, akpm@linux-foundation.org,
glider@google.com, kirill.shutemov@linux.intel.com,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux@dominikbrodowski.net, mhocko@suse.com, rientjes@google.com,
syzkaller-bugs@googlegroups.com, xieyisheng1@huawei.com,
zhongjiang@huawei.com
Subject: Re: KMSAN: uninit-value in mpol_rebind_mm
Date: Thu, 3 Jan 2019 09:36:55 +0100 [thread overview]
Message-ID: <a71997c3-e8ae-a787-d5ce-3db05768b27c@suse.cz> (raw)
Message-ID: <20190103083655.7sx8-OLX5zPaC_yMzGoTB4KLY1OnSWwBP1yiOjXTkNA@z> (raw)
In-Reply-To: <000000000000c06550057e4cac7c@google.com>
On 12/31/18 8:51 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 79fc24ff6184 kmsan: highmem: use kmsan_clear_page() in cop..
> git tree: kmsan
> console output: https://syzkaller.appspot.com/x/log.txt?x=13c48b67400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=901dd030b2cc57e7
> dashboard link: https://syzkaller.appspot.com/bug?extid=b19c2dc2c990ea657a71
> compiler: clang version 8.0.0 (trunk 349734)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+b19c2dc2c990ea657a71@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:353 [inline]
> BUG: KMSAN: uninit-value in mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384
The report doesn't seem to indicate where the uninit value resides in
the mempolicy object. I'll have to guess. mm/mempolicy.c:353 contains:
if (!mpol_store_user_nodemask(pol) &&
nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
"mpol_store_user_nodemask(pol)" is testing pol->flags, which I couldn't
see being uninitialized after leaving mpol_new(). So I'll guess it's
actually about accessing pol->w.cpuset_mems_allowed on line 354.
For w.cpuset_mems_allowed to be not initialized and the nodes_equal()
reachable for a mempolicy where mpol_set_nodemask() is called in
do_mbind(), it seems the only possibility is a MPOL_PREFERRED policy
with empty set of nodes, i.e. MPOL_LOCAL equivalent. Let's see if the
patch below helps. This code is a maze to me. Note the uninit access
should be benign, rebinding this kind of policy is always a no-op.
----8<----
From ff0ca29da6bc2572d7b267daa77ced6083e3f02d Mon Sep 17 00:00:00 2001
From: Vlastimil Babka <vbabka@suse.cz>
Date: Thu, 3 Jan 2019 09:31:59 +0100
Subject: [PATCH] mm, mempolicy: fix uninit memory access
---
mm/mempolicy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index d4496d9d34f5..a0b7487b9112 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -350,7 +350,7 @@ static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask)
{
if (!pol)
return;
- if (!mpol_store_user_nodemask(pol) &&
+ if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) &&
nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
return;
--
2.19.2
next prev parent reply other threads:[~2019-01-03 8:36 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-31 7:51 syzbot
2018-12-31 7:51 ` syzbot
2019-01-03 8:36 ` Vlastimil Babka [this message]
2019-01-03 8:36 ` Vlastimil Babka
2019-01-03 8:42 ` Dmitry Vyukov
2019-01-03 8:42 ` Dmitry Vyukov
2019-01-03 11:14 ` Alexander Potapenko
2019-01-03 11:14 ` Alexander Potapenko
2019-01-03 11:41 ` Vlastimil Babka
2019-01-04 8:50 ` Vlastimil Babka
2019-01-04 8:57 ` Dmitry Vyukov
2019-01-04 8:57 ` Dmitry Vyukov
2019-01-05 1:28 ` Andrew Morton
2019-01-15 10:06 ` Vlastimil Babka
2019-01-15 10:06 ` Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a71997c3-e8ae-a787-d5ce-3db05768b27c@suse.cz \
--to=vbabka@suse.cz \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=glider@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux@dominikbrodowski.net \
--cc=mhocko@suse.com \
--cc=rientjes@google.com \
--cc=syzbot+b19c2dc2c990ea657a71@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=xieyisheng1@huawei.com \
--cc=zhongjiang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox