syzbot
KMSAN: uninit-value in udf_evict_inode (2)

Status: fixed on 2022/03/08 16:11
Subsystems: udf
Reported-by: syzbot+9ca499bb57a2b9e4c652@syzkaller.appspotmail.com
Fix commit: f05f2429eec6 udf: Fix error handling in udf_new_inode()
First crash: 869d, last: 811d
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 5.10 000/563] 5.10.94-rc1 review 580 (580) 2022/02/09 07:59
[PATCH 5.16 0000/1039] 5.16.3-rc1 review 1058 (1058) 2022/02/03 14:49
[PATCH 5.15 000/846] 5.15.17-rc1 review 859 (859) 2022/01/27 16:04
[PATCH AUTOSEL 5.10 01/34] ALSA: usb-audio: Fix dB level of Bose Revolve+ SoundLink 36 (36) 2022/01/22 18:45
[PATCH AUTOSEL 5.16 01/52] clk: imx: Use div64_ul instead of do_div 59 (59) 2022/01/22 18:43
[PATCH AUTOSEL 5.15 01/44] clk: imx: Use div64_ul instead of do_div 44 (44) 2022/01/17 17:01
[PATCH] udf: Fix error handling in udf_new_inode() 1 (1) 2021/12/14 10:14
[syzbot] KMSAN: uninit-value in udf_evict_inode (2) 0 (1) 2021/12/13 15:28
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in udf_evict_inode udf 159 1261d 1309d 15/26 fixed on 2020/11/16 12:12
upstream KMSAN: uninit-value in ext4_inode_journal_mode (2) ext4 170 609d 840d 0/26 auto-obsoleted due to no activity on 2022/12/23 22:05
upstream KMSAN: uninit-value in nf_nat_setup_info (2) netfilter C 764 760d 840d 0/26 auto-obsoleted due to no activity on 2022/09/28 07:28

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in udf_evict_inode+0x2b6/0x830 fs/udf/inode.c:148
 udf_evict_inode+0x2b6/0x830 fs/udf/inode.c:148
 evict+0x4f4/0xdd0 fs/inode.c:590
 iput_final fs/inode.c:1670 [inline]
 iput+0xc53/0x1100 fs/inode.c:1696
 udf_new_inode+0x5d2/0x16e0 fs/udf/ialloc.c:89
 udf_tmpfile+0x7e/0x2d0 fs/udf/namei.c:631
 vfs_tmpfile+0x2df/0x5c0 fs/namei.c:3474
 do_tmpfile+0x29f/0x6c0 fs/namei.c:3509
 path_openat+0x41bf/0x5ea0 fs/namei.c:3550
 do_filp_open+0x306/0x760 fs/namei.c:3586
 do_sys_openat2+0x263/0x8f0 fs/open.c:1212
 do_sys_open fs/open.c:1228 [inline]
 __do_compat_sys_openat fs/open.c:1288 [inline]
 __se_compat_sys_openat fs/open.c:1286 [inline]
 __ia32_compat_sys_openat+0x353/0x3c0 fs/open.c:1286
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Uninit was stored to memory at:
 udf_new_inode+0xac1/0x16e0 fs/udf/ialloc.c:67
 udf_tmpfile+0x7e/0x2d0 fs/udf/namei.c:631
 vfs_tmpfile+0x2df/0x5c0 fs/namei.c:3474
 do_tmpfile+0x29f/0x6c0 fs/namei.c:3509
 path_openat+0x41bf/0x5ea0 fs/namei.c:3550
 do_filp_open+0x306/0x760 fs/namei.c:3586
 do_sys_openat2+0x263/0x8f0 fs/open.c:1212
 do_sys_open fs/open.c:1228 [inline]
 __do_compat_sys_openat fs/open.c:1288 [inline]
 __se_compat_sys_openat fs/open.c:1286 [inline]
 __ia32_compat_sys_openat+0x353/0x3c0 fs/open.c:1286
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Uninit was stored to memory at:
 udf_alloc_inode+0x28a/0x2c0 fs/udf/super.c:149
 alloc_inode fs/inode.c:235 [inline]
 new_inode_pseudo+0xa6/0x5a0 fs/inode.c:944
 new_inode+0x5a/0x3c0 fs/inode.c:973
 udf_new_inode+0x139/0x16e0 fs/udf/ialloc.c:60
 udf_tmpfile+0x7e/0x2d0 fs/udf/namei.c:631
 vfs_tmpfile+0x2df/0x5c0 fs/namei.c:3474
 do_tmpfile+0x29f/0x6c0 fs/namei.c:3509
 path_openat+0x41bf/0x5ea0 fs/namei.c:3550
 do_filp_open+0x306/0x760 fs/namei.c:3586
 do_sys_openat2+0x263/0x8f0 fs/open.c:1212
 do_sys_open fs/open.c:1228 [inline]
 __do_compat_sys_openat fs/open.c:1288 [inline]
 __se_compat_sys_openat fs/open.c:1286 [inline]
 __ia32_compat_sys_openat+0x353/0x3c0 fs/open.c:1286
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Uninit was created at:
 __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409
 alloc_pages+0x8a5/0xb80
 alloc_slab_page mm/slub.c:1810 [inline]
 allocate_slab+0x287/0x1c10 mm/slub.c:1947
 new_slab mm/slub.c:2010 [inline]
 ___slab_alloc+0xb85/0x1e30 mm/slub.c:3039
 __slab_alloc mm/slub.c:3126 [inline]
 slab_alloc_node mm/slub.c:3217 [inline]
 slab_alloc mm/slub.c:3259 [inline]
 kmem_cache_alloc+0xbb3/0x11c0 mm/slub.c:3264
 udf_alloc_inode+0x60/0x2c0 fs/udf/super.c:139
 alloc_inode fs/inode.c:235 [inline]
 iget_locked+0x3ac/0x1430 fs/inode.c:1209
 __udf_iget+0x13d/0x4710 fs/udf/inode.c:1906
 udf_iget fs/udf/udfdecl.h:151 [inline]
 udf_fill_super+0x2df8/0x3200 fs/udf/super.c:2285
 mount_bdev+0x626/0x920 fs/super.c:1370
 udf_mount+0xc9/0xe0 fs/udf/super.c:122
 legacy_get_tree+0x163/0x2e0 fs/fs_context.c:610
 vfs_get_tree+0xd8/0x5d0 fs/super.c:1500
 do_new_mount+0x7b5/0x16f0 fs/namespace.c:2988
 path_mount+0x1021/0x28b0 fs/namespace.c:3318
 do_mount fs/namespace.c:3331 [inline]
 __do_sys_mount fs/namespace.c:3539 [inline]
 __se_sys_mount+0x8a8/0x9d0 fs/namespace.c:3516
 __ia32_sys_mount+0x157/0x1b0 fs/namespace.c:3516
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

CPU: 1 PID: 3532 Comm: syz-executor.2 Tainted: G        W         5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/02/04 21:12 https://github.com/google/kmsan.git master 85cfd6e539bd e13a05ed .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2022/01/25 19:28 https://github.com/google/kmsan.git master 85cfd6e539bd 2cbffd88 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2022/01/25 19:27 https://github.com/google/kmsan.git master 85cfd6e539bd 2cbffd88 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2022/01/22 09:30 https://github.com/google/kmsan.git master 85cfd6e539bd 214351e1 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2022/01/17 07:23 https://github.com/google/kmsan.git master fa3879a274df 723cfaf0 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2022/01/04 10:56 https://github.com/google/kmsan.git master 81c325bbf94e 7f723fbe .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2022/01/02 16:59 https://github.com/google/kmsan.git master 81c325bbf94e e1768e9c .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2021/12/28 10:09 https://github.com/google/kmsan.git master 81c325bbf94e 6b3c5e64 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2021/12/21 12:48 https://github.com/google/kmsan.git master 81c325bbf94e a938f0b8 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2021/12/21 10:55 https://github.com/google/kmsan.git master 81c325bbf94e 62bd192b .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2021/12/17 03:12 https://github.com/google/kmsan.git master b0a8b5053e8b 44068e19 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2021/12/16 02:50 https://github.com/google/kmsan.git master cc9a49821cdb 572bcb40 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode
2021/12/08 22:35 https://github.com/google/kmsan.git master 8b936c96768e a4a2a501 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in udf_evict_inode