KMSAN: uninit-value in vcs_read (2)
Hello,

syzbot found the following issue on:

HEAD commit:    14525656 compiler.h: reinstate missing KMSAN_INIT
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=176de9d710
kernel config:  https://syzkaller.appspot.com/x/.config?x=c534a9fad6323722
dashboard link: https://syzkaller.appspot.com/bug?extid=ed5a476d9404e07b9165
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ed5a476d9404e07b9...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in kmsan_check_memory+0xd/0x10 mm/kmsan/kmsan_hooks.c:428
CPU: 0 PID: 20988 Comm: syz-executor.2 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1df/0x240 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x358/0x3d0 mm/kmsan/kmsan.c:457
 kmsan_check_memory+0xd/0x10 mm/kmsan/kmsan_hooks.c:428
 instrument_copy_to_user include/linux/instrumented.h:91 [inline]
 _copy_to_user+0x100/0x1d0 lib/usercopy.c:30
 copy_to_user include/linux/uaccess.h:161 [inline]
 vcs_read+0x17db/0x2340 drivers/tty/vt/vc_screen.c:424
 do_loop_readv_writev fs/read_write.c:734 [inline]
 do_iter_read+0xb84/0xdb0 fs/read_write.c:955
 vfs_readv fs/read_write.c:1073 [inline]
 do_preadv+0x3aa/0x5a0 fs/read_write.c:1165
 __do_sys_preadv fs/read_write.c:1215 [inline]
 __se_sys_preadv+0xc6/0xe0 fs/read_write.c:1210
 __x64_sys_preadv+0x62/0x80 fs/read_write.c:1210
 do_syscall_64+0xb0/0x150 arch/x86/entry/common.c:386
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c1d9
Code: Bad RIP value.
RSP: 002b:7f2e7c998c78 EFLAGS: 0246 ORIG_RAX: 0127
RAX: ffda RBX: 00023a40 RCX: 0045c1d9
RDX: 01a2 RSI: 200017c0 RDI: 0005
RBP: 0078bf48 R08: R09:
R10: R11: 0246 R12: 0078bf0c
R13: 00c9fb6f R14: 7f2e7cc0 R15: 0078bf0c

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:310
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:247
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:267
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:116
 vc_uniscr_copy_line+0x49b/0x730 drivers/tty/vt/vt.c:572
 vcs_read+0xc72/0x2340 drivers/tty/vt/vc_screen.c:332
 do_loop_readv_writev fs/read_write.c:734 [inline]
 do_iter_read+0xb84/0xdb0 fs/read_write.c:955
 vfs_readv fs/read_write.c:1073 [inline]
 do_preadv+0x3aa/0x5a0 fs/read_write.c:1165
 __do_sys_preadv fs/read_write.c:1215 [inline]
 __se_sys_preadv+0xc6/0xe0 fs/read_write.c:1210
 __x64_sys_preadv+0x62/0x80 fs/read_write.c:1210
 do_syscall_64+0xb0/0x150 arch/x86/entry/common.c:386
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:269 [inline]
 kmsan_alloc_page+0xb9/0x180 mm/kmsan/kmsan_shadow.c:293
 __alloc_pages_nodemask+0x56a2/0x5dc0 mm/page_alloc.c:4889
 alloc_pages_current+0x672/0x990 mm/mempolicy.c:2292
 alloc_pages include/linux/gfp.h:545 [inline]
 __vmalloc_area_node mm/vmalloc.c:2489 [inline]
 __vmalloc_node_range+0x875/0x11f0 mm/vmalloc.c:2555
 __vmalloc_node mm/vmalloc.c:2598 [inline]
 vmalloc+0x117/0x130 mm/vmalloc.c:2631
 vc_uniscr_alloc drivers/tty/vt/vt.c:354 [inline]
 vc_do_resize+0x632/0x3290 drivers/tty/vt/vt.c:1222
 vt_resize+0x10e/0x170 drivers/tty/vt/vt.c:1355
 tty_ioctl+0x2ad4/0x2f00 drivers/tty/tty_io.c:2502
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl fs/ioctl.c:753 [inline]
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl+0x2e9/0x410 fs/ioctl.c:760
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:760
 do_syscall_64+0xb0/0x150 arch/x86/entry/common.c:386
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Bytes 0-127 of 128 are uninitialized
Memory access of size 128 starts at 96eeb1987000
=

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Re: Re: KMSAN: uninit-value in vcs_read
On Thu, Nov 8, 2018 at 8:48 AM, syzbot wrote:
>> On Tue, May 15, 2018 at 9:26 AM, syzbot wrote:
>>>
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:    e2ab7e8abba4 kmsan: temporarily disable visitAsmInstructio..
>>> git tree:       https://github.com/google/kmsan.git/master
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=158135db80
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=5bf8b7964e37a698
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=fed4435f163beccc67eb
>>> compiler:       clang version 7.0.0 (trunk 329391)
>>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=17a2f91b80
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17bd452b80
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+fed4435f163beccc6...@syzkaller.appspotmail.com
>>
>> #syz dup: KMSAN: kernel-infoleak in vcs_read
>
> Can't dup bug to a bug in different reporting (upstream->moderation). Please
> dup syzbot bugs only onto syzbot bugs for the same kernel/reporting.

Let's try this:

#syz fix: vt: prevent leaking uninitialized data to userspace via /dev/vcs*

>>> ==
>>> BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
>>> BUG: KMSAN: uninit-value in vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
>>> CPU: 1 PID: 3501 Comm: syzkaller315412 Not tainted 4.16.0+ #82
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>>> Call Trace:
>>>  __dump_stack lib/dump_stack.c:17 [inline]
>>>  dump_stack+0x185/0x1d0 lib/dump_stack.c:53
>>>  kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
>>>  kmsan_internal_check_memory+0x125/0x1d0 mm/kmsan/kmsan.c:1157
>>>  kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
>>>  copy_to_user include/linux/uaccess.h:184 [inline]
>>>  vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
>>>  __vfs_read+0x19f/0x8e0 fs/read_write.c:411
>>>  vfs_read+0x36c/0x6c0 fs/read_write.c:447
>>>  SYSC_pread64+0x275/0x310 fs/read_write.c:611
>>>  SyS_pread64+0x65/0x90 fs/read_write.c:598
>>>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>>>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>>> RIP: 0033:0x443d39
>>> RSP: 002b:7ffcbd3c35f8 EFLAGS: 0213 ORIG_RAX: 0011
>>> RAX: ffda RBX: 004002e0 RCX: 00443d39
>>> RDX: 0083 RSI: 2140 RDI: 0003
>>> RBP: 006ce018 R08: 004002e0 R09: 004002e0
>>> R10: R11: 0213 R12: 004019e0
>>> R13: 00401a70 R14: R15:
>>>
>>> Uninit was stored to memory at:
>>>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
>>>  kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
>>>  kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
>>>  __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
>>>  vcs_read+0xd01/0x1cc0 drivers/tty/vt/vc_screen.c:274
>>>  __vfs_read+0x19f/0x8e0 fs/read_write.c:411
>>>  vfs_read+0x36c/0x6c0 fs/read_write.c:447
>>>  SYSC_pread64+0x275/0x310 fs/read_write.c:611
>>>  SyS_pread64+0x65/0x90 fs/read_write.c:598
>>>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>>>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>>> Uninit was created at:
>>>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
>>>  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
>>>  kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
>>>  __kmalloc+0x23c/0x350 mm/slub.c:3791
>>>  kmalloc include/linux/slab.h:517 [inline]
>>>  vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
>>>  con_install+0x8c/0x640 drivers/tty/vt/vt.c:2876
>>>  tty_driver_install_tty drivers/tty/tty_io.c:1224 [inline]
>>>  tty_init_dev+0x1b0/0x1020 drivers/tty/tty_io.c:1324
>>>  tty_open_by_driver drivers/tty/tty_io.c:1959 [inline]
>>>  tty_open+0x15e9/0x2ea0 drivers/tty/tty_io.c:2007
>>>  chrdev_open+0xc20/0xd90 fs/char_dev.c:417
>>>  do_dentry_open+0xcc6/0x1430 fs/open.c:752
>>>  vfs_open+0x1b7/0x2e0 fs/open.c:866
>>>  do_last
Re: Re: KMSAN: uninit-value in vcs_read
> On Tue, May 15, 2018 at 9:26 AM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    e2ab7e8abba4 kmsan: temporarily disable visitAsmInstructio..
>> git tree:       https://github.com/google/kmsan.git/master
>> console output: https://syzkaller.appspot.com/x/log.txt?x=158135db80
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=5bf8b7964e37a698
>> dashboard link: https://syzkaller.appspot.com/bug?extid=fed4435f163beccc67eb
>> compiler:       clang version 7.0.0 (trunk 329391)
>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=17a2f91b80
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17bd452b80
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+fed4435f163beccc6...@syzkaller.appspotmail.com
>
> #syz dup: KMSAN: kernel-infoleak in vcs_read

Can't dup bug to a bug in different reporting (upstream->moderation). Please
dup syzbot bugs only onto syzbot bugs for the same kernel/reporting.

>> ==
>> BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
>> BUG: KMSAN: uninit-value in vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
>> CPU: 1 PID: 3501 Comm: syzkaller315412 Not tainted 4.16.0+ #82
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:17 [inline]
>>  dump_stack+0x185/0x1d0 lib/dump_stack.c:53
>>  kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
>>  kmsan_internal_check_memory+0x125/0x1d0 mm/kmsan/kmsan.c:1157
>>  kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
>>  copy_to_user include/linux/uaccess.h:184 [inline]
>>  vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
>>  __vfs_read+0x19f/0x8e0 fs/read_write.c:411
>>  vfs_read+0x36c/0x6c0 fs/read_write.c:447
>>  SYSC_pread64+0x275/0x310 fs/read_write.c:611
>>  SyS_pread64+0x65/0x90 fs/read_write.c:598
>>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>> RIP: 0033:0x443d39
>> RSP: 002b:7ffcbd3c35f8 EFLAGS: 0213 ORIG_RAX: 0011
>> RAX: ffda RBX: 004002e0 RCX: 00443d39
>> RDX: 0083 RSI: 2140 RDI: 0003
>> RBP: 006ce018 R08: 004002e0 R09: 004002e0
>> R10: R11: 0213 R12: 004019e0
>> R13: 00401a70 R14: R15:
>>
>> Uninit was stored to memory at:
>>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
>>  kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
>>  kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
>>  __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
>>  vcs_read+0xd01/0x1cc0 drivers/tty/vt/vc_screen.c:274
>>  __vfs_read+0x19f/0x8e0 fs/read_write.c:411
>>  vfs_read+0x36c/0x6c0 fs/read_write.c:447
>>  SYSC_pread64+0x275/0x310 fs/read_write.c:611
>>  SyS_pread64+0x65/0x90 fs/read_write.c:598
>>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>> Uninit was created at:
>>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
>>  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
>>  kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
>>  __kmalloc+0x23c/0x350 mm/slub.c:3791
>>  kmalloc include/linux/slab.h:517 [inline]
>>  vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
>>  con_install+0x8c/0x640 drivers/tty/vt/vt.c:2876
>>  tty_driver_install_tty drivers/tty/tty_io.c:1224 [inline]
>>  tty_init_dev+0x1b0/0x1020 drivers/tty/tty_io.c:1324
>>  tty_open_by_driver drivers/tty/tty_io.c:1959 [inline]
>>  tty_open+0x15e9/0x2ea0 drivers/tty/tty_io.c:2007
>>  chrdev_open+0xc20/0xd90 fs/char_dev.c:417
>>  do_dentry_open+0xcc6/0x1430 fs/open.c:752
>>  vfs_open+0x1b7/0x2e0 fs/open.c:866
>>  do_last fs/namei.c:3379 [inline]
>>  path_openat+0x460a/0x6520 fs/namei.c:3520
>>  do_filp_open+0x261/0x640 fs/namei.c:3554
>>  do_sys_open+0x624/0x960 fs/open.c:1059
>>  SYSC_open+0xab/0xc0 fs/open.c:1077
>>  SyS_open+0x54/0x80 fs/open.c:1072
>>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>>
>> Bytes 0-79 of 131 are uninitialized
>> ==
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkal...@googlegroups.com.
>>
>> syzbot will keep track of this bug report. See:
>> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
>> syzbot can test patches for this bug, for details see:
>> https://goo.gl/tpsmEJ#testing-patches
Re: KMSAN: uninit-value in vcs_read
On Tue, May 15, 2018 at 9:26 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    e2ab7e8abba4 kmsan: temporarily disable visitAsmInstructio..
> git tree:       https://github.com/google/kmsan.git/master
> console output: https://syzkaller.appspot.com/x/log.txt?x=158135db80
> kernel config:  https://syzkaller.appspot.com/x/.config?x=5bf8b7964e37a698
> dashboard link: https://syzkaller.appspot.com/bug?extid=fed4435f163beccc67eb
> compiler:       clang version 7.0.0 (trunk 329391)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=17a2f91b80
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17bd452b80
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+fed4435f163beccc6...@syzkaller.appspotmail.com

#syz dup: KMSAN: kernel-infoleak in vcs_read

> ==
> BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
> BUG: KMSAN: uninit-value in vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
> CPU: 1 PID: 3501 Comm: syzkaller315412 Not tainted 4.16.0+ #82
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x185/0x1d0 lib/dump_stack.c:53
>  kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
>  kmsan_internal_check_memory+0x125/0x1d0 mm/kmsan/kmsan.c:1157
>  kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
>  copy_to_user include/linux/uaccess.h:184 [inline]
>  vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
>  __vfs_read+0x19f/0x8e0 fs/read_write.c:411
>  vfs_read+0x36c/0x6c0 fs/read_write.c:447
>  SYSC_pread64+0x275/0x310 fs/read_write.c:611
>  SyS_pread64+0x65/0x90 fs/read_write.c:598
>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> RIP: 0033:0x443d39
> RSP: 002b:7ffcbd3c35f8 EFLAGS: 0213 ORIG_RAX: 0011
> RAX: ffda RBX: 004002e0 RCX: 00443d39
> RDX: 0083 RSI: 2140 RDI: 0003
> RBP: 006ce018 R08: 004002e0 R09: 004002e0
> R10: R11: 0213 R12: 004019e0
> R13: 00401a70 R14: R15:
>
> Uninit was stored to memory at:
>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
>  kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
>  kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
>  __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
>  vcs_read+0xd01/0x1cc0 drivers/tty/vt/vc_screen.c:274
>  __vfs_read+0x19f/0x8e0 fs/read_write.c:411
>  vfs_read+0x36c/0x6c0 fs/read_write.c:447
>  SYSC_pread64+0x275/0x310 fs/read_write.c:611
>  SyS_pread64+0x65/0x90 fs/read_write.c:598
>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> Uninit was created at:
>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
>  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
>  kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
>  __kmalloc+0x23c/0x350 mm/slub.c:3791
>  kmalloc include/linux/slab.h:517 [inline]
>  vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
>  con_install+0x8c/0x640 drivers/tty/vt/vt.c:2876
>  tty_driver_install_tty drivers/tty/tty_io.c:1224 [inline]
>  tty_init_dev+0x1b0/0x1020 drivers/tty/tty_io.c:1324
>  tty_open_by_driver drivers/tty/tty_io.c:1959 [inline]
>  tty_open+0x15e9/0x2ea0 drivers/tty/tty_io.c:2007
>  chrdev_open+0xc20/0xd90 fs/char_dev.c:417
>  do_dentry_open+0xcc6/0x1430 fs/open.c:752
>  vfs_open+0x1b7/0x2e0 fs/open.c:866
>  do_last fs/namei.c:3379 [inline]
>  path_openat+0x460a/0x6520 fs/namei.c:3520
>  do_filp_open+0x261/0x640 fs/namei.c:3554
>  do_sys_open+0x624/0x960 fs/open.c:1059
>  SYSC_open+0xab/0xc0 fs/open.c:1077
>  SyS_open+0x54/0x80 fs/open.c:1072
>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>
> Bytes 0-79 of 131 are uninitialized
> ==
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
KMSAN: uninit-value in vcs_read
Hello,

syzbot found the following crash on:

HEAD commit:    e2ab7e8abba4 kmsan: temporarily disable visitAsmInstructio..
git tree:       https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=158135db80
kernel config:  https://syzkaller.appspot.com/x/.config?x=5bf8b7964e37a698
dashboard link: https://syzkaller.appspot.com/bug?extid=fed4435f163beccc67eb
compiler:       clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=17a2f91b80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17bd452b80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fed4435f163beccc6...@syzkaller.appspotmail.com

==
BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
BUG: KMSAN: uninit-value in vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
CPU: 1 PID: 3501 Comm: syzkaller315412 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 kmsan_internal_check_memory+0x125/0x1d0 mm/kmsan/kmsan.c:1157
 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
 copy_to_user include/linux/uaccess.h:184 [inline]
 vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
 __vfs_read+0x19f/0x8e0 fs/read_write.c:411
 vfs_read+0x36c/0x6c0 fs/read_write.c:447
 SYSC_pread64+0x275/0x310 fs/read_write.c:611
 SyS_pread64+0x65/0x90 fs/read_write.c:598
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x443d39
RSP: 002b:7ffcbd3c35f8 EFLAGS: 0213 ORIG_RAX: 0011
RAX: ffda RBX: 004002e0 RCX: 00443d39
RDX: 0083 RSI: 2140 RDI: 0003
RBP: 006ce018 R08: 004002e0 R09: 004002e0
R10: R11: 0213 R12: 004019e0
R13: 00401a70 R14: R15:

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
 vcs_read+0xd01/0x1cc0 drivers/tty/vt/vc_screen.c:274
 __vfs_read+0x19f/0x8e0 fs/read_write.c:411
 vfs_read+0x36c/0x6c0 fs/read_write.c:447
 SYSC_pread64+0x275/0x310 fs/read_write.c:611
 SyS_pread64+0x65/0x90 fs/read_write.c:598
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 __kmalloc+0x23c/0x350 mm/slub.c:3791
 kmalloc include/linux/slab.h:517 [inline]
 vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
 con_install+0x8c/0x640 drivers/tty/vt/vt.c:2876
 tty_driver_install_tty drivers/tty/tty_io.c:1224 [inline]
 tty_init_dev+0x1b0/0x1020 drivers/tty/tty_io.c:1324
 tty_open_by_driver drivers/tty/tty_io.c:1959 [inline]
 tty_open+0x15e9/0x2ea0 drivers/tty/tty_io.c:2007
 chrdev_open+0xc20/0xd90 fs/char_dev.c:417
 do_dentry_open+0xcc6/0x1430 fs/open.c:752
 vfs_open+0x1b7/0x2e0 fs/open.c:866
 do_last fs/namei.c:3379 [inline]
 path_openat+0x460a/0x6520 fs/namei.c:3520
 do_filp_open+0x261/0x640 fs/namei.c:3554
 do_sys_open+0x624/0x960 fs/open.c:1059
 SYSC_open+0xab/0xc0 fs/open.c:1077
 SyS_open+0x54/0x80 fs/open.c:1072
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Bytes 0-79 of 131 are uninitialized
==

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches