syzbot


KMSAN: uninit-value in kvm_clear_dirty_log_protect

Status: fixed on 2019/03/06 07:43
Subsystems: kvm
[Documentation on labels]
Fix commit: 98938aa8edd6 KVM: validate userspace input in kvm_clear_dirty_log_protect()
First crash: 1951d, last: 1907d

Sample crash report:
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
==================================================================
BUG: KMSAN: uninit-value in kvm_clear_dirty_log_protect+0x78b/0xaa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1263
CPU: 1 PID: 10751 Comm: syz-executor.0 Not tainted 5.0.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
 __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
 kvm_clear_dirty_log_protect+0x78b/0xaa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1263
 kvm_vm_ioctl_clear_dirty_log+0x143/0x210 arch/x86/kvm/x86.c:4468
 kvm_vm_ioctl+0xe48/0x2df0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3126
 do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:713 [inline]
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x457f29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f309e2aec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457f29
RDX: 0000000020000080 RSI: 00000000c018aec0 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f309e2af6d4
R13: 00000000004ca398 R14: 00000000004d2f70 R15: 00000000ffffffff

Uninit was created at:
 kmsan_save_stack_with_flags+0x7a/0x130 mm/kmsan/kmsan.c:205
 kmsan_internal_alloc_meta_for_pages+0x113/0x580 mm/kmsan/kmsan_hooks.c:98
 kmsan_alloc_page+0x7e/0x100 mm/kmsan/kmsan_hooks.c:396
 __alloc_pages_nodemask+0x137b/0x5e30 mm/page_alloc.c:4572
 alloc_pages_current+0x69d/0x9b0 mm/mempolicy.c:2106
 alloc_pages include/linux/gfp.h:511 [inline]
 alloc_slab_page mm/slub.c:1492 [inline]
 allocate_slab mm/slub.c:1637 [inline]
 new_slab+0x3c6/0x20b0 mm/slub.c:1711
 new_slab_objects mm/slub.c:2465 [inline]
 ___slab_alloc+0x1577/0x2060 mm/slub.c:2617
 __slab_alloc mm/slub.c:2657 [inline]
 slab_alloc_node mm/slub.c:2720 [inline]
 slab_alloc mm/slub.c:2762 [inline]
 kmem_cache_alloc_trace+0xac3/0xb40 mm/slub.c:2781
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 apparmor_sk_alloc_security+0xe7/0x220 security/apparmor/lsm.c:772
 security_sk_alloc+0x125/0x1f0 security/security.c:1490
 sk_prot_alloc+0x269/0x500 net/core/sock.c:1480
 sk_alloc+0xde/0xb90 net/core/sock.c:1531
 inet6_create+0x72c/0x1600 net/ipv6/af_inet6.c:183
 __sock_create+0x65f/0xf30 net/socket.c:1277
 sock_create_kern+0xf0/0x100 net/socket.c:1323
 inet_ctl_sock_create+0xfd/0x2f0 net/ipv4/af_inet.c:1614
 igmp6_net_init+0x8a/0x6c0 net/ipv6/mcast.c:2962
 ops_init+0x52c/0x6c0 net/core/net_namespace.c:129
 setup_net+0x290/0xf80 net/core/net_namespace.c:314
 copy_net_ns+0x597/0x890 net/core/net_namespace.c:437
 create_new_namespaces+0x8d9/0xda0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0x25e/0x340 kernel/nsproxy.c:206
 ksys_unshare+0x8d3/0x1160 kernel/fork.c:2542
 __do_sys_unshare kernel/fork.c:2610 [inline]
 __se_sys_unshare+0x41/0x60 kernel/fork.c:2608
 __x64_sys_unshare+0x32/0x50 kernel/fork.c:2608
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/03/06 04:44 https://github.com/google/kmsan.git master 6c55aa96dcda 16559f86 .config console log report ci-upstream-kmsan-gce
2019/03/02 18:57 https://github.com/google/kmsan.git master fa1981bee40f 1c0e457a .config console log report ci-upstream-kmsan-gce
2019/03/01 20:11 https://github.com/google/kmsan.git master fa1981bee40f 68d9e495 .config console log report ci-upstream-kmsan-gce
2019/02/11 18:30 https://github.com/google/kmsan.git master fa1981bee40f 73f5f452 .config console log report ci-upstream-kmsan-gce
2019/02/02 06:10 https://github.com/google/kmsan.git master fa1981bee40f 564f9a4f .config console log report ci-upstream-kmsan-gce
2019/01/20 10:48 https://github.com/google/kmsan.git master 02f2d5aea531 353f32ea .config console log report ci-upstream-kmsan-gce
* Struck through repros no longer work on HEAD.