Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)

From: Alexander Potapenko
Date: Fri Jan 26 2024 - 05:37:43 EST


On Fri, Jan 26, 2024 at 2:36 AM 'Edward Adam Davis' via syzkaller-bugs
<syzkaller-bugs@xxxxxxxxxxxxxxxx> wrote:
>
> please test uninit-value in virtqueue_add (4)

Hi Edward,

KMSAN is currently broken at trunk, see
https://lore.kernel.org/linux-mm/20240115184430.2710652-1-glider@xxxxxxxxxx/
Therefore syzbot is unable to test patches before a couple of changes
reach upstream.

I checked your patch, and it is still triggering the same bug, which
is expected, because there are whole uninitialized pages, and the
patch below only initializes two instances of struct scatterlist that
are unlikely to be cloned to fill those pages.
There must be some non-instrumented code that fills those pages with
data, e.g. a DMA write, an assembly routine or some VM-to-kernel
interaction that KMSAN fails to handle.

>
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3
>
> diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
> index 9d1bdcdc1331..4ca6627a7459 100644
> --- a/drivers/scsi/virtio_scsi.c
> +++ b/drivers/scsi/virtio_scsi.c
> @@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
> size_t req_size, size_t resp_size)
> {
> struct scsi_cmnd *sc = cmd->sc;
> - struct scatterlist *sgs[6], req, resp;
> + struct scatterlist *sgs[6], req = {}, resp = {};
> struct sg_table *out, *in;
> unsigned out_num = 0, in_num = 0;
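Review bot: the `= {}` initializers on `req` and `resp` only zero the two stack-allocated scatterlist heads; they do not touch the page contents those entries point at, and the reply above states that KMSAN is reporting whole uninitialized pages, so this hunk silences the two structs KMSAN can see without addressing where the page data comes from. Before resending, the patch should identify the buffer whose bytes reach virtqueue_add uninitialized and the non-instrumented path (DMA completion, assembly routine, or VM-to-kernel write) that is supposed to fill it, and carry a commit message explaining that analysis rather than a bare `#syz test` line.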