| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Dec 2023 08:46:30 -0700
From: Jens Axboe <axboe@...nel.dk>
To: xingwei lee <xrivendell7@...il.com>,
syzbot+12dde80bf174ac8ae285@...kaller.appspotmail.com
Cc: asml.silence@...il.com, io-uring@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
glider@...gle.com
Subject: Re: KMSAN: uninit-value in io_rw_fail
On 12/21/23 3:58 AM, xingwei lee wrote:
> Hello I found a bug in io_uring and comfirmed at the latest upstream
> mainine linux.
> TITLE: KMSAN: uninit-value in io_rw_fail
> and I find this bug maybe existed in the
> https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285 but do
> not have a stable reproducer.
> However, I generate a stable reproducer and comfirmed in the latest mainline.
I took a look at that one and can't see anything wrong, is that one
still triggering? In any case, this one is different, as it's the writev
path. Can you try the below?
diff --git a/io_uring/rw.c b/io_uring/rw.c
index 4943d683508b..0c856726b15d 100644
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -589,15 +589,19 @@ static inline int io_rw_prep_async(struct io_kiocb *req, int rw)
struct iovec *iov;
int ret;
+ iorw->bytes_done = 0;
+ iorw->free_iovec = NULL;
+
/* submission path, ->uring_lock should already be taken */
ret = io_import_iovec(rw, req, &iov, &iorw->s, 0);
if (unlikely(ret < 0))
return ret;
- iorw->bytes_done = 0;
- iorw->free_iovec = iov;
- if (iov)
+ if (iov) {
+ iorw->free_iovec = iov;
req->flags |= REQ_F_NEED_CLEANUP;
+ }
+
return 0;
}
--
Jens Axboe
Powered by blists - more mailing lists