On Thu 19-06-25 16:21:17, avinashlalotra wrote:
> KMSAN reported an uninitialized value use in
> fsnotify_connector_destroy_workfn(), specifically when accessing
> `conn->destroy_next`:
>
> BUG: KMSAN: uninit-value in fsnotify_connector_destroy_workfn+0x108/0x160
> Uninit was created at:
> slab_alloc_node mm/slub.c:4197 [inline]
> kmem_cache_alloc_noprof+0x81b/0xec0 mm/slub.c:4204
> fsnotify_attach_connector_to_object fs/notify/mark.c:663
>
> The struct fsnotify_mark_connector was allocated using
> kmem_cache_alloc(), but the `destroy_next` field was never initialized,
> leading to a use of uninitialized memory when the work function later
> traversed the destroy list.
>
> Fix this by explicitly initializing `destroy_next` to NULL immediately
> after allocation.
>
> Reported-by: syzbot+aaeb1646d01d0358cb2a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: abinashlalotra <abinashsinghlalotra@xxxxxxxxx>
This doesn't make sense. If you checked definition of
fsnotify_mark_connector you'd see that destroy_next is in union with void
*obj:
union {
/* Object pointer [lock] */
void *obj;
/* Used listing heads to free after srcu period expires */
struct fsnotify_mark_connector *destroy_next;
};
and we do initialize 'obj' pointer in
fsnotify_attach_connector_to_object(). So this report was caused either by
some other memory corruption or KMSAN getting utterly confused...
Honza
>
> ---
> v2: Corrected the syzbot Reported-by email address.
> ---
> fs/notify/mark.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/notify/mark.c b/fs/notify/mark.c
> index 798340db69d7..28013046f732 100644
> --- a/fs/notify/mark.c
> +++ b/fs/notify/mark.c
> @@ -665,6 +665,7 @@ static int fsnotify_attach_connector_to_object(fsnotify_connp_t *connp,
> return -ENOMEM;
> spin_lock_init(&conn->lock);
> INIT_HLIST_HEAD(&conn->list);
> + conn->destroy_next = NULL;
> conn->flags = 0;
> conn->prio = 0;
> conn->type = obj_type;
> --
> 2.43.0
>
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
