xrivendell7/report Secret

## report
TITLE: KMSAN: uninit-value in io_rw_fail
CORRUPTED: false ()
MAINTAINERS (TO): [axboe@kernel.dk io-uring@vger.kernel.org]
MAINTAINERS (CC): [asml.silence@gmail.com linux-kernel@vger.kernel.org]

=====================================================
BUG: KMSAN: uninit-value in io_fixup_rw_res io_uring/rw.c:311 [inline]
BUG: KMSAN: uninit-value in io_rw_fail+0x1a7/0x1b0 io_uring/rw.c:1099
 io_fixup_rw_res io_uring/rw.c:311 [inline]
 io_rw_fail+0x1a7/0x1b0 io_uring/rw.c:1099
 io_req_defer_failed+0x217/0x3e0 io_uring/io_uring.c:1065
 io_queue_sqe_fallback+0x1f4/0x260 io_uring/io_uring.c:2100
 io_submit_sqe io_uring/io_uring.c:2328 [inline]
 io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
 __do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
 __se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
 __x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
 slab_post_alloc_hook+0x1c6/0xbd0 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0x115/0x3e0 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 io_alloc_async_data io_uring/io_uring.c:1780 [inline]
 io_req_prep_async+0x384/0x5a0 io_uring/io_uring.c:1801
 io_queue_sqe_fallback+0x95/0x260 io_uring/io_uring.c:2097
 io_submit_sqe io_uring/io_uring.c:2328 [inline]
 io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
 __do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
 __se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
 __x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
CPU: 2 PID: 8051 Comm: 5e5 Not tainted 6.7.0-rc5-00189-gbd7f77dae695 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
=====================================================


TITLE: kernel panic: kmsan.panic set ...
CORRUPTED: false ()
MAINTAINERS (TO): [axboe@kernel.dk io-uring@vger.kernel.org]
MAINTAINERS (CC): [asml.silence@gmail.com linux-kernel@vger.kernel.org]

 io_fixup_rw_res io_uring/rw.c:311 [inline]
 io_rw_fail+0x1a7/0x1b0 io_uring/rw.c:1099
 io_req_defer_failed+0x217/0x3e0 io_uring/io_uring.c:1065
 io_queue_sqe_fallback+0x1f4/0x260 io_uring/io_uring.c:2100
 io_submit_sqe io_uring/io_uring.c:2328 [inline]
 io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
 __do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
 __se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
 __x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
 slab_post_alloc_hook+0x1c6/0xbd0 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0x115/0x3e0 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 io_alloc_async_data io_uring/io_uring.c:1780 [inline]
 io_req_prep_async+0x384/0x5a0 io_uring/io_uring.c:1801
 io_queue_sqe_fallback+0x95/0x260 io_uring/io_uring.c:2097
 io_submit_sqe io_uring/io_uring.c:2328 [inline]
 io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
 __do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
 __se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
 __x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
CPU: 2 PID: 8051 Comm: 5e5 Not tainted 6.7.0-rc5-00189-gbd7f77dae695 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
=====================================================
Disabling lock debugging due to kernel taint
Kernel panic - not syncing: kmsan.panic set ...
CPU: 2 PID: 8051 Comm: 5e5 Tainted: G    B              6.7.0-rc5-00189-gbd7f77dae695 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __msan_warning+0x96/0x110 mm/kmsan/instrumentation.c:317
 io_fixup_rw_res io_uring/rw.c:311 [inline]
 io_rw_fail+0x1a7/0x1b0 io_uring/rw.c:1099
 io_req_defer_failed+0x217/0x3e0 io_uring/io_uring.c:1065
 io_queue_sqe_fallback+0x1f4/0x260 io_uring/io_uring.c:2100
 io_submit_sqe io_uring/io_uring.c:2328 [inline]
 io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
 __do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
 __se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
 __x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x432e39
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8
RSP: 002b:00007ffeeaf6ac18 EFLAGS: 00000216 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00007ffeeaf6ae58 RCX: 0000000000432e39
RDX: 0000000000000000 RSI: 0000000000002d3e RDI: 0000000000000003
RBP: 00007ffeeaf6ac40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000001
R13: 00007ffeeaf6ae48 R14: 0000000000000001 R15: 0000000000000001

## repro.c
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef __NR_io_uring_enter
#define __NR_io_uring_enter 426
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }

static uint64_t current_time_ms(void) {
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static bool write_file(const char* file, const char* what, ...) {
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1) return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

struct io_sqring_offsets {
  uint32_t head;
  uint32_t tail;
  uint32_t ring_mask;
  uint32_t ring_entries;
  uint32_t flags;
  uint32_t dropped;
  uint32_t array;
  uint32_t resv1;
  uint64_t resv2;
};

struct io_cqring_offsets {
  uint32_t head;
  uint32_t tail;
  uint32_t ring_mask;
  uint32_t ring_entries;
  uint32_t overflow;
  uint32_t cqes;
  uint64_t resv[2];
};

struct io_uring_params {
  uint32_t sq_entries;
  uint32_t cq_entries;
  uint32_t flags;
  uint32_t sq_thread_cpu;
  uint32_t sq_thread_idle;
  uint32_t features;
  uint32_t resv[4];
  struct io_sqring_offsets sq_off;
  struct io_cqring_offsets cq_off;
};

#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

static long syz_io_uring_setup(volatile long a0, volatile long a1,
                               volatile long a2, volatile long a3) {
  uint32_t entries = (uint32_t)a0;
  struct io_uring_params* setup_params = (struct io_uring_params*)a1;
  void** ring_ptr_out = (void**)a2;
  void** sqes_ptr_out = (void**)a3;
  uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
  uint32_t sq_ring_sz =
      setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
  uint32_t cq_ring_sz = setup_params->cq_off.cqes +
                        setup_params->cq_entries * SIZEOF_IO_URING_CQE;
  uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
  *ring_ptr_out =
      mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE,
           fd_io_uring, IORING_OFF_SQ_RING);
  uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
  *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE,
                       MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
  uint32_t* array =
      (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array);
  for (uint32_t index = 0; index < entries; index++) array[index] = index;
  return fd_io_uring;
}

static long syz_io_uring_submit(volatile long a0, volatile long a1,
                                volatile long a2) {
  char* ring_ptr = (char*)a0;
  char* sqes_ptr = (char*)a1;
  char* sqe = (char*)a2;
  uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
  uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
  uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
  char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE;
  memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
  uint32_t sq_tail_next = *sq_tail_ptr + 1;
  __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
  return 0;
}

static void kill_and_wait(int pid, int* status) {
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent) break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

static void setup_test() {
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void) {
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0) exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000) continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

uint64_t r[3] = {0xffffffffffffffff, 0x0, 0x0};

void execute_one(void) {
  intptr_t res = 0;
  *(uint32_t*)0x200001c4 = 0;
  *(uint32_t*)0x200001c8 = 0x10100;
  *(uint32_t*)0x200001cc = 0;
  *(uint32_t*)0x200001d0 = 0;
  *(uint32_t*)0x200001d8 = -1;
  memset((void*)0x200001dc, 0, 12);
  res = -1;
  res = syz_io_uring_setup(/*entries=*/0x24f7, /*params=*/0x200001c0,
                           /*ring_ptr=*/0x20000040, /*sqes_ptr=*/0x20000100);
  if (res != -1) {
    r[0] = res;
    r[1] = *(uint64_t*)0x20000040;
    r[2] = *(uint64_t*)0x20000100;
  }
  *(uint8_t*)0x20000740 = 2;
  *(uint8_t*)0x20000741 = 0x10;
  *(uint16_t*)0x20000742 = 0;
  *(uint32_t*)0x20000744 = 0;
  *(uint64_t*)0x20000748 = 0;
  *(uint64_t*)0x20000750 = 0;
  *(uint32_t*)0x20000758 = 0xfffffe08;
  *(uint32_t*)0x2000075c = 0;
  *(uint64_t*)0x20000760 = 0;
  *(uint16_t*)0x20000768 = 0;
  *(uint16_t*)0x2000076a = 0;
  memset((void*)0x2000076c, 0, 20);
  syz_io_uring_submit(/*ring_ptr=*/r[1], /*sqes_ptr=*/r[2], /*sqe=*/0x20000740);
  syscall(__NR_io_uring_enter, /*fd=*/r[0], /*to_submit=*/0x2d3e,
          /*min_complete=*/0, /*flags=*/0ul, /*sigmask=*/0ul, /*size=*/0ul);
}
int main(void) {
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  loop();
  return 0;
}

## repro.txt
r0 = syz_io_uring_setup(0x24f7, &(0x7f00000001c0)={0x0, 0x0, 0x10100}, &(0x7f0000000040)=<r1=>0x0, &(0x7f0000000100)=<r2=>0x0)
syz_io_uring_submit(r1, r2, &(0x7f0000000740)=@IORING_OP_WRITEV={0x2, 0x10, 0x0, @fd_index, 0x0, 0x0, 0xfffffffffffffe08})
io_uring_enter(r0, 0x2d3e, 0x0, 0x0, 0x0, 0x0)
	TITLE: KMSAN: uninit-value in io_rw_fail
	CORRUPTED: false ()
	MAINTAINERS (TO): [axboe@kernel.dk io-uring@vger.kernel.org]
	MAINTAINERS (CC): [asml.silence@gmail.com linux-kernel@vger.kernel.org]

	=====================================================
	BUG: KMSAN: uninit-value in io_fixup_rw_res io_uring/rw.c:311 [inline]
	BUG: KMSAN: uninit-value in io_rw_fail+0x1a7/0x1b0 io_uring/rw.c:1099
	io_fixup_rw_res io_uring/rw.c:311 [inline]
	io_rw_fail+0x1a7/0x1b0 io_uring/rw.c:1099
	io_req_defer_failed+0x217/0x3e0 io_uring/io_uring.c:1065
	io_queue_sqe_fallback+0x1f4/0x260 io_uring/io_uring.c:2100
	io_submit_sqe io_uring/io_uring.c:2328 [inline]
	io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
	__do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
	__se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
	__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b
	Uninit was created at:
	slab_post_alloc_hook+0x1c6/0xbd0 mm/slab.h:768
	slab_alloc_node mm/slub.c:3478 [inline]
	__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
	__do_kmalloc_node mm/slab_common.c:1006 [inline]
	__kmalloc+0x115/0x3e0 mm/slab_common.c:1020
	kmalloc include/linux/slab.h:604 [inline]
	io_alloc_async_data io_uring/io_uring.c:1780 [inline]
	io_req_prep_async+0x384/0x5a0 io_uring/io_uring.c:1801
	io_queue_sqe_fallback+0x95/0x260 io_uring/io_uring.c:2097
	io_submit_sqe io_uring/io_uring.c:2328 [inline]
	io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
	__do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
	__se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
	__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b
	CPU: 2 PID: 8051 Comm: 5e5 Not tainted 6.7.0-rc5-00189-gbd7f77dae695 #5
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
	=====================================================


	TITLE: kernel panic: kmsan.panic set ...
	CORRUPTED: false ()
	MAINTAINERS (TO): [axboe@kernel.dk io-uring@vger.kernel.org]
	MAINTAINERS (CC): [asml.silence@gmail.com linux-kernel@vger.kernel.org]

	io_fixup_rw_res io_uring/rw.c:311 [inline]
	io_rw_fail+0x1a7/0x1b0 io_uring/rw.c:1099
	io_req_defer_failed+0x217/0x3e0 io_uring/io_uring.c:1065
	io_queue_sqe_fallback+0x1f4/0x260 io_uring/io_uring.c:2100
	io_submit_sqe io_uring/io_uring.c:2328 [inline]
	io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
	__do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
	__se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
	__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b
	Uninit was created at:
	slab_post_alloc_hook+0x1c6/0xbd0 mm/slab.h:768
	slab_alloc_node mm/slub.c:3478 [inline]
	__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
	__do_kmalloc_node mm/slab_common.c:1006 [inline]
	__kmalloc+0x115/0x3e0 mm/slab_common.c:1020
	kmalloc include/linux/slab.h:604 [inline]
	io_alloc_async_data io_uring/io_uring.c:1780 [inline]
	io_req_prep_async+0x384/0x5a0 io_uring/io_uring.c:1801
	io_queue_sqe_fallback+0x95/0x260 io_uring/io_uring.c:2097
	io_submit_sqe io_uring/io_uring.c:2328 [inline]
	io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
	__do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
	__se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
	__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b
	CPU: 2 PID: 8051 Comm: 5e5 Not tainted 6.7.0-rc5-00189-gbd7f77dae695 #5
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
	=====================================================
	Disabling lock debugging due to kernel taint
	Kernel panic - not syncing: kmsan.panic set ...
	CPU: 2 PID: 8051 Comm: 5e5 Tainted: G B 6.7.0-rc5-00189-gbd7f77dae695 #5
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
	Call Trace:
	<TASK>
	__msan_warning+0x96/0x110 mm/kmsan/instrumentation.c:317
	io_fixup_rw_res io_uring/rw.c:311 [inline]
	io_rw_fail+0x1a7/0x1b0 io_uring/rw.c:1099
	io_req_defer_failed+0x217/0x3e0 io_uring/io_uring.c:1065
	io_queue_sqe_fallback+0x1f4/0x260 io_uring/io_uring.c:2100
	io_submit_sqe io_uring/io_uring.c:2328 [inline]
	io_submit_sqes+0x2527/0x30d0 io_uring/io_uring.c:2448
	__do_sys_io_uring_enter io_uring/io_uring.c:3712 [inline]
	__se_sys_io_uring_enter+0x40c/0x4440 io_uring/io_uring.c:3647
	__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3647
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x63/0x6b
	RIP: 0033:0x432e39
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8
	RSP: 002b:00007ffeeaf6ac18 EFLAGS: 00000216 ORIG_RAX: 00000000000001aa
	RAX: ffffffffffffffda RBX: 00007ffeeaf6ae58 RCX: 0000000000432e39
	RDX: 0000000000000000 RSI: 0000000000002d3e RDI: 0000000000000003
	RBP: 00007ffeeaf6ac40 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000001
	R13: 00007ffeeaf6ae48 R14: 0000000000000001 R15: 0000000000000001
	// autogenerated by syzkaller (https://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <dirent.h>
	#include <endian.h>
	#include <errno.h>
	#include <fcntl.h>
	#include <signal.h>
	#include <stdarg.h>
	#include <stdbool.h>
	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/mman.h>
	#include <sys/prctl.h>
	#include <sys/stat.h>
	#include <sys/syscall.h>
	#include <sys/types.h>
	#include <sys/wait.h>
	#include <time.h>
	#include <unistd.h>

	#ifndef __NR_io_uring_enter
	#define __NR_io_uring_enter 426
	#endif
	#ifndef __NR_io_uring_setup
	#define __NR_io_uring_setup 425
	#endif

	static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }

	static uint64_t current_time_ms(void) {
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
	}

	static bool write_file(const char* file, const char* what, ...) {
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY \| O_CLOEXEC);
	if (fd == -1) return false;
	if (write(fd, buf, len) != len) {
	int err = errno;
	close(fd);
	errno = err;
	return false;
	}
	close(fd);
	return true;
	}

	#define SIZEOF_IO_URING_SQE 64
	#define SIZEOF_IO_URING_CQE 16
	#define SQ_HEAD_OFFSET 0
	#define SQ_TAIL_OFFSET 64
	#define SQ_RING_MASK_OFFSET 256
	#define SQ_RING_ENTRIES_OFFSET 264
	#define SQ_FLAGS_OFFSET 276
	#define SQ_DROPPED_OFFSET 272
	#define CQ_HEAD_OFFSET 128
	#define CQ_TAIL_OFFSET 192
	#define CQ_RING_MASK_OFFSET 260
	#define CQ_RING_ENTRIES_OFFSET 268
	#define CQ_RING_OVERFLOW_OFFSET 284
	#define CQ_FLAGS_OFFSET 280
	#define CQ_CQES_OFFSET 320

	struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
	};

	struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
	};

	struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
	};

	#define IORING_OFF_SQ_RING 0
	#define IORING_OFF_SQES 0x10000000ULL

	static long syz_io_uring_setup(volatile long a0, volatile long a1,
	volatile long a2, volatile long a3) {
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void ring_ptr_out = (void)a2;
	void sqes_ptr_out = (void)a3;
	uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	uint32_t sq_ring_sz =
	setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes +
	setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	*ring_ptr_out =
	mmap(0, ring_sz, PROT_READ \| PROT_WRITE, MAP_SHARED \| MAP_POPULATE,
	fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(0, sqes_sz, PROT_READ \| PROT_WRITE,
	MAP_SHARED \| MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
	uint32_t* array =
	(uint32_t)((uintptr_t)ring_ptr_out + setup_params->sq_off.array);
	for (uint32_t index = 0; index < entries; index++) array[index] = index;
	return fd_io_uring;
	}

	static long syz_io_uring_submit(volatile long a0, volatile long a1,
	volatile long a2) {
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sq_ring_mask = (uint32_t)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
	}

	static void kill_and_wait(int pid, int* status) {
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
	if (waitpid(-1, status, WNOHANG \| __WALL) == pid) return;
	usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
	for (;;) {
	struct dirent* ent = readdir(dir);
	if (!ent) break;
	if (strcmp(ent->d_name, ".") == 0 \|\| strcmp(ent->d_name, "..") == 0)
	continue;
	char abort[300];
	snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
	ent->d_name);
	int fd = open(abort, O_WRONLY);
	if (fd == -1) {
	continue;
	}
	if (write(fd, abort, 1) < 0) {
	}
	close(fd);
	}
	closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
	}

	static void setup_test() {
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	}

	static void execute_one(void);

	#define WAIT_FLAGS __WALL

	static void loop(void) {
	int iter = 0;
	for (;; iter++) {
	int pid = fork();
	if (pid < 0) exit(1);
	if (pid == 0) {
	setup_test();
	execute_one();
	exit(0);
	}
	int status = 0;
	uint64_t start = current_time_ms();
	for (;;) {
	if (waitpid(-1, &status, WNOHANG \| WAIT_FLAGS) == pid) break;
	sleep_ms(1);
	if (current_time_ms() - start < 5000) continue;
	kill_and_wait(pid, &status);
	break;
	}
	}
	}

	uint64_t r[3] = {0xffffffffffffffff, 0x0, 0x0};

	void execute_one(void) {
	intptr_t res = 0;
	(uint32_t)0x200001c4 = 0;
	(uint32_t)0x200001c8 = 0x10100;
	(uint32_t)0x200001cc = 0;
	(uint32_t)0x200001d0 = 0;
	(uint32_t)0x200001d8 = -1;
	memset((void*)0x200001dc, 0, 12);
	res = -1;
	res = syz_io_uring_setup(/entries=/0x24f7, /params=/0x200001c0,
	/ring_ptr=/0x20000040, /sqes_ptr=/0x20000100);
	if (res != -1) {
	r[0] = res;
	r[1] = (uint64_t)0x20000040;
	r[2] = (uint64_t)0x20000100;
	}
	(uint8_t)0x20000740 = 2;
	(uint8_t)0x20000741 = 0x10;
	(uint16_t)0x20000742 = 0;
	(uint32_t)0x20000744 = 0;
	(uint64_t)0x20000748 = 0;
	(uint64_t)0x20000750 = 0;
	(uint32_t)0x20000758 = 0xfffffe08;
	(uint32_t)0x2000075c = 0;
	(uint64_t)0x20000760 = 0;
	(uint16_t)0x20000768 = 0;
	(uint16_t)0x2000076a = 0;
	memset((void*)0x2000076c, 0, 20);
	syz_io_uring_submit(/ring_ptr=/r[1], /sqes_ptr=/r[2], /sqe=/0x20000740);
	syscall(__NR_io_uring_enter, /fd=/r[0], /to_submit=/0x2d3e,
	/min_complete=/0, /flags=/0ul, /sigmask=/0ul, /size=/0ul);
	}
	int main(void) {
	syscall(__NR_mmap, /addr=/0x1ffff000ul, /len=/0x1000ul, /prot=/0ul,
	/flags=/0x32ul, /fd=/-1, /offset=/0ul);
	syscall(__NR_mmap, /addr=/0x20000000ul, /len=/0x1000000ul, /prot=/7ul,
	/flags=/0x32ul, /fd=/-1, /offset=/0ul);
	syscall(__NR_mmap, /addr=/0x21000000ul, /len=/0x1000ul, /prot=/0ul,
	/flags=/0x32ul, /fd=/-1, /offset=/0ul);
	loop();
	return 0;
	}
	r0 = syz_io_uring_setup(0x24f7, &(0x7f00000001c0)={0x0, 0x0, 0x10100}, &(0x7f0000000040)=<r1=>0x0, &(0x7f0000000100)=<r2=>0x0)
	syz_io_uring_submit(r1, r2, &(0x7f0000000740)=@IORING_OP_WRITEV={0x2, 0x10, 0x0, @fd_index, 0x0, 0x0, 0xfffffffffffffe08})
	io_uring_enter(r0, 0x2d3e, 0x0, 0x0, 0x0, 0x0)