google / kmsan


KernelMemorySanitizer, a detector of uses of uninitialized memory in the Linux kernel

License: Other

kmsan's Introduction

KMSAN (KernelMemorySanitizer)

KMSAN is a dynamic tool for detecting uninitialized memory accesses in the Linux kernel. It was integrated into the Linux kernel in version 6.1. KMSAN works by instrumenting the kernel code at compile time and checking for accesses to uninitialized memory at run time.

Contact: @ramosian-glider

Code

  • Linux 6.1+ contains a fully-working KMSAN implementation which can be used out of the box.
  • Forked kernel branches with KMSAN patches are available at https://github.com/google/kmsan. These will be kept around for posterity. Branches after 6.1 are still used for development.

How to build

export WORLD=$(pwd)

In order to build a kernel with KMSAN you'll need a fresh Clang. Please refer to https://clang.llvm.org/get_started.html and https://llvm.org/docs/CMake.html for the instructions on how to build Clang. Otherwise, consider using prebuilt compiler binaries from the Chromium project:

cd $WORLD
# Instruction taken from http://llvm.org/docs/LibFuzzer.html
mkdir TMP_CLANG
cd TMP_CLANG
git clone https://chromium.googlesource.com/chromium/src/tools/clang
cd ..
TMP_CLANG/clang/scripts/update.py
cd $WORLD
export KMSAN_CLANG_PATH=$(pwd)/third_party/llvm-build/Release+Asserts/bin/

Configure and build the kernel

cd $WORLD
git clone https://github.com/google/kmsan.git kmsan
cd kmsan
# Now configure the kernel. You basically need to enable CONFIG_KMSAN and CONFIG_KCOV,
# plus maybe some 9P options to interact with QEMU.
cp .config.example .config
# KMSAN_CLANG_PATH points at the bin/ directory, so CC must name the clang binary inside it.
make CC="${KMSAN_CLANG_PATH}clang" -j64 -k 2>&1 | tee build.log

Run the kernel

You can refer to https://github.com/ramosian-glider/clang-kernel-build for the instructions on running the freshly built kernel in a QEMU VM. Also consider running a KMSAN-instrumented kernel under syzkaller.

Trophies

There is an outdated list of trophies at https://github.com/google/kmsan/wiki/KMSAN-Trophies. Most of the bugs found with KMSAN can be seen at https://syzkaller.appspot.com/upstream/fixed (search for KMSAN).

How does it work?

Please refer to the Documentation in the upstream Linux kernel.

In a talk at FaMAF-UNC in 2021, I attempted to provide a comprehensive overview of the implementation details of KMSAN (the kernel part starts at 19:30; listen at 1.25x to save time).

kmsan's Issues

Compile kmsan with clang-9 with -O2 ERROR

When I use clang-9 to compile a variable-parameter function (such as f(char *fmt, ...)) with -O2, I get the error below:
parser at end of file
Per-module optimization passes
Running pass 'Function Pass Manager' on module 'kernel/linux-4.14/init/do_mounts.c'.
Running pass 'Combine redundant instructions' on function '@f'

When I try -O0, it is OK.
Why?
If I still want to compile it with -O2, how should I deal with it?
Thanks

Compile kmsan with clang version 9.0.0 ERROR

clang-9: /home/debian/research/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp:3236: void (anonymous namespace)::MemorySanitizerVisitor::visitCallSite(llvm::CallSite): Assertion `(CS.isCall() || CS.isInvoke()) && "Unknown type of CallSite"' failed.
Stack dump:
0. Program arguments: /home/debian/research/llvm/llvm_cmake_build/bin/clang-9 -cc1 -triple x86_64-unknown-linux-gnu -S -disable-free -main-file-name main.c -mrelocation-model static -mthread-model posix -fno-delete-null-pointer-checks -mllvm -warn-stack-size=2048 -mdisable-fp-elim -relaxed-aliasing -mdisable-tail-calls -fmath-errno -masm-verbose -no-integrated-as -mconstructor-aliases -fuse-init-array -mcode-model kernel -target-cpu core2 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -target-feature -sse -target-feature -mmx -target-feature -sse2 -target-feature -3dnow -target-feature -avx -target-feature -x87 -target-feature +retpoline-external-thunk -disable-red-zone -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -momit-leaf-frame-pointer -coverage-notes-file /home/debian/research/kmsan/init/main.gcno -nostdsysteminc -nobuiltininc -resource-dir /home/debian/research/llvm/llvm_cmake_build/lib/clang/9.0.0 -dependency-file init/.main.o.d -MT init/main.o -sys-header-deps -isystem /home/debian/research/llvm/llvm_cmake_build/lib/clang/9.0.0/include -include ./include/linux/kconfig.h -include ./include/linux/compiler_types.h -I ./arch/x86/include -I ./arch/x86/include/generated -I ./include -I ./arch/x86/include/uapi -I ./arch/x86/include/generated/uapi -I ./include/uapi -I ./include/generated/uapi -D KERNEL -D CONFIG_X86_X32_ABI -D CONFIG_AS_CFI=1 -D CONFIG_AS_CFI_SIGNAL_FRAME=1 -D CONFIG_AS_CFI_SECTIONS=1 -D CONFIG_AS_SSSE3=1 -D CONFIG_AS_AVX=1 -D CONFIG_AS_AVX2=1 -D CONFIG_AS_AVX512=1 -D CONFIG_AS_SHA1_NI=1 -D CONFIG_AS_SHA256_NI=1 -D KBUILD_BASENAME="main" -D KBUILD_MODNAME="main" -O2 -Wall -Wundef -Werror=strict-prototypes -Wno-trigraphs -Werror=implicit-function-declaration -Werror=implicit-int -Wno-format-security -Wno-sign-compare -Wno-address-of-packed-member -Wno-format-invalid-specifier -Wno-gnu -Wno-tautological-compare -Wno-unused-const-variable -Wdeclaration-after-statement -Wvla 
-Wno-pointer-sign -Werror=date-time -Werror=incompatible-pointer-types -Wno-initializer-overrides -Wno-unused-value -Wno-format -Wno-sign-compare -Wno-format-zero-length -Wno-uninitialized -std=gnu89 -fno-dwarf-directory-asm -fdebug-compilation-dir /home/debian/research/kmsan -ferror-limit 19 -fmessage-length 0 -fsanitize-coverage-type=3 -fsanitize-coverage-trace-pc -fsanitize=kernel-memory -fwrapv -stack-protector 2 -ftrivial-auto-var-init=pattern -mstack-alignment=8 -fwchar-type=short -fno-signed-wchar -fobjc-runtime=gcc -fno-common -fdiagnostics-show-option -vectorize-loops -vectorize-slp -o /tmp/main-1dc36d.s -x c init/main.c

  1. parser at end of file
  2. Per-module optimization passes
  3. Running pass 'Function Pass Manager' on module 'init/main.c'.
  4. Running pass 'MemorySanitizerLegacyPass' on function '@do_one_initcall'
    clang-9: error: unable to execute command: Aborted

When to trigger the check of KMSAN?

There is an MSAN example; the code is like this:

#include <stdio.h>

int main() {
    int a = 1;
    int b;              /* never initialized */
    int c = a + b;      /* the uninitialized value propagates into c */
    printf("c:%d\n", c);
}

I use clang to compile the code:

clang -fsanitize=memory -fPIE -pie -fno-omit-frame-pointer -g test.c -o test

But the result is like this, with no MSAN report:

c:1200630145

So, why? Why doesn't it trigger the check?

check that console contents are initialized

Example report below. We only detect the uninit when we read out console output from /dev/kmsg. If we don't read it out, we don't detect it. Even if we do, we detect it too late and attribute all such info leaks to do_syslog. We should detect them right in printk and attribute to the function that prints uninits.

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10710 Comm: rsyslogd Not tainted 5.0.0+ #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
 kmsan_internal_check_memory+0x5c6/0xbb0 mm/kmsan/kmsan.c:701
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:174 [inline]
 syslog_print kernel/printk/printk.c:1362 [inline]
 do_syslog+0x3c22/0x3ef0 kernel/printk/printk.c:1487
 kmsg_read+0x142/0x1a0 fs/proc/kmsg.c:40
 proc_reg_read+0x2a2/0x3d0 fs/proc/inode.c:229
 __vfs_read+0x1e5/0xbf0 fs/read_write.c:416
 vfs_read+0x359/0x6f0 fs/read_write.c:452
 ksys_read fs/read_write.c:578 [inline]
 __do_sys_read fs/read_write.c:588 [inline]
 __se_sys_read+0x17a/0x370 fs/read_write.c:586
 __x64_sys_read+0x4a/0x70 fs/read_write.c:586
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x7fd84c4b71fd
Code: d1 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 5e fa ff ff 48 89 04 24 b8 00 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 a7 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fd849a56e30 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000000000160cce0 RCX: 00007fd84c4b71fd
RDX: 0000000000000fff RSI: 00007fd84b28b5a0 RDI: 0000000000000004
RBP: 0000000000000000 R08: 00000000015f8260 R09: 0000000004000001
R10: 0000000000000001 R11: 0000000000000293 R12: 000000000065e420
R13: 00007fd849a579c0 R14: 00007fd84cafc040 R15: 0000000000000003

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
 kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
 __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
 msg_print_text+0x5bc/0x770 kernel/printk/printk.c:1294
 syslog_print kernel/printk/printk.c:1343 [inline]
 do_syslog+0x37fc/0x3ef0 kernel/printk/printk.c:1487
 kmsg_read+0x142/0x1a0 fs/proc/kmsg.c:40
 proc_reg_read+0x2a2/0x3d0 fs/proc/inode.c:229
 __vfs_read+0x1e5/0xbf0 fs/read_write.c:416
 vfs_read+0x359/0x6f0 fs/read_write.c:452
 ksys_read fs/read_write.c:578 [inline]
 __do_sys_read fs/read_write.c:588 [inline]
 __se_sys_read+0x17a/0x370 fs/read_write.c:586
 __x64_sys_read+0x4a/0x70 fs/read_write.c:586
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
 kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
 __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
 log_store+0xdea/0x1370 kernel/printk/printk.c:625
 log_output kernel/printk/printk.c:1848 [inline]
 vprintk_store+0x9d2/0xed0 kernel/printk/printk.c:1901
 vprintk_emit+0x2c6/0x840 kernel/printk/printk.c:1925
 vprintk_default+0x90/0xa0 kernel/printk/printk.c:1970
 vprintk_func+0x635/0x820 kernel/printk/printk_safe.c:398
 printk+0x186/0x1d0 kernel/printk/printk.c:2003
 tipc_enable_bearer net/tipc/bearer.c:339 [inline]
 __tipc_nl_bearer_enable+0x106f/0x1d50 net/tipc/bearer.c:899
 tipc_nl_bearer_enable+0x6c/0xb0 net/tipc/bearer.c:907
 genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
 genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
 netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg net/socket.c:632 [inline]
 ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
 __sys_sendmsg net/socket.c:2153 [inline]
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
 __msan_chain_origin+0x70/0xe0 mm/kmsan/kmsan_instr.c:200
 string+0x276/0x340 lib/vsprintf.c:609
 vsnprintf+0x1181/0x30e0 lib/vsprintf.c:2396
 vscnprintf+0xc2/0x180 lib/vsprintf.c:2499
 vprintk_store+0xef/0xed0 kernel/printk/printk.c:1865
 vprintk_emit+0x2c6/0x840 kernel/printk/printk.c:1925
 vprintk_default+0x90/0xa0 kernel/printk/printk.c:1970
 vprintk_func+0x635/0x820 kernel/printk/printk_safe.c:398
 printk+0x186/0x1d0 kernel/printk/printk.c:2003
 tipc_enable_bearer net/tipc/bearer.c:339 [inline]
 __tipc_nl_bearer_enable+0x106f/0x1d50 net/tipc/bearer.c:899
 tipc_nl_bearer_enable+0x6c/0xb0 net/tipc/bearer.c:907
 genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
 genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
 netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg net/socket.c:632 [inline]
 ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
 __sys_sendmsg net/socket.c:2153 [inline]
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:159
 kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:173
 kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:182
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2773 [inline]
 __kmalloc_node_track_caller+0xe9e/0xff0 mm/slub.c:4398
 __kmalloc_reserve net/core/skbuff.c:140 [inline]
 __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
 alloc_skb include/linux/skbuff.h:1012 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg net/socket.c:632 [inline]
 ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
 __sys_sendmsg net/socket.c:2153 [inline]
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Bytes 50-51 of 87 are uninitialized
Memory access of size 87 starts at ffff888043bfac00
Data copied to user address 00007fd84b28b617
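Added example, not code from the KMSAN project or from this issue: a Python parser for the report format shown above, covering both the syzbot-style form with file:line frames and the dmesg-prefixed form seen in later reports on this page. It splits a report into the use trace, the origin chain ("Uninit was stored to memory at:" blocks) and the allocation trace, skips KMSAN runtime frames and unreliable "?" frames, and summarizes where the uninit value was used, first stored and created. The embedded sample is abridged from the rsyslogd report above; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Optional dmesg prefix such as "[ 1784.022223][    C0] " seen in console captures.
PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*C\d+\]\s?")
# Frame line: " func+0xoff/0xsize file:line [inline]"; everything after func is
# optional, and a leading "? " marks a frame the unwinder considers unreliable.
FRAME_RE = re.compile(r"^\s+(?P<unreliable>\?\s+)?(?P<func>[A-Za-z_][\w.]*)"
                      r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?:\s+(?P<file>[\w/.\-]+):(?P<line>\d+))?"
                      r"(?P<inline>\s+\[inline\])?$")
HEADER_RE = re.compile(r"^BUG: KMSAN: (?P<kind>[\w-]+) in (?P<where>.+)$")
BYTES_RE = re.compile(r"^Bytes (\d+)-(\d+) of (\d+) are uninitialized$")
SECTIONS = {"Call Trace:": "use", "Uninit was stored to memory at:": "stored",
            "Uninit was created at:": "created"}
RUNTIME = ("kmsan_", "__msan_", "dump_stack", "__dump_stack")  # KMSAN runtime frames

@dataclass
class Frame:
    func: str
    file: Optional[str]
    line: Optional[int]
    inline: bool
    unreliable: bool

@dataclass
class Report:
    kind: str = ""
    where: str = ""
    use: list = field(default_factory=list)      # trace of the flagged access
    stored: list = field(default_factory=list)   # origin chain, most recent copy first
    created: list = field(default_factory=list)  # trace of the allocation
    uninit_bytes: Optional[tuple] = None         # (first, last, total) for infoleaks

def parse_report(text: str) -> Report:
    rep, current = Report(), None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).rstrip()
        if not line or line.startswith("="):
            continue
        if (m := HEADER_RE.match(line)):
            if not rep.kind:  # further BUG: lines only repeat inlined callers
                rep.kind, rep.where = m["kind"], m["where"]
        elif line in SECTIONS:
            if SECTIONS[line] == "stored":
                current = []
                rep.stored.append(current)
            else:
                current = getattr(rep, SECTIONS[line])
        elif (m := BYTES_RE.match(line)):
            rep.uninit_bytes = tuple(int(g) for g in m.groups())
            current = None
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(m["func"], m["file"], int(m["line"]) if m["line"] else None,
                                 bool(m["inline"]), bool(m["unreliable"])))
        elif not line[0].isspace():
            current = None  # CPU:/Hardware:/register lines end the current trace
    return rep

def first_frame_outside(trace, prefixes=RUNTIME) -> Optional[Frame]:
    """First reliable frame that is not KMSAN runtime: the code worth reading."""
    for f in trace:
        if not f.unreliable and not f.func.startswith(prefixes):
            return f
    return None

def summarize(rep: Report) -> dict:
    use, created = first_frame_outside(rep.use), first_frame_outside(rep.created)
    # The last "stored" trace is the earliest copy of the uninit value.
    earliest = first_frame_outside(rep.stored[-1]) if rep.stored else None
    return {"kind": rep.kind, "used_in": use.func if use else None,
            "earliest_store": earliest.func if earliest else None,
            "created_in": created.func if created else None,
            "origin_hops": len(rep.stored), "uninit_bytes": rep.uninit_bytes}

# Abridged from the rsyslogd report in the issue above (frames dropped, none invented).
SAMPLE = """\
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10710 Comm: rsyslogd Not tainted 5.0.0+ #16
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
RIP: 0033:0x7fd84c4b71fd
Uninit was stored to memory at:
 __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
 msg_print_text+0x5bc/0x770 kernel/printk/printk.c:1294
Uninit was stored to memory at:
 __msan_chain_origin+0x70/0xe0 mm/kmsan/kmsan_instr.c:200
 string+0x276/0x340 lib/vsprintf.c:609
Uninit was created at:
 kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:173
 slab_post_alloc_hook mm/slab.h:445 [inline]
 __alloc_skb+0x309/0xa20 net/core/skbuff.c:208

Bytes 50-51 of 87 are uninitialized
"""
```

`summarize(parse_report(SAMPLE))` attributes the leak to `_copy_to_user`, the earliest store to `string` in vsprintf and the allocation to the slab path, which is the triage the issue text asks for when it says the report blames do_syslog rather than the printing function.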

CONFIG_EFI_STUB doesn't work with KMSAN

As reported by @vegard (and confirmed by myself), a KMSAN-enabled kernel doesn't link if built with CONFIG_EFI_STUB:

efi-stub-helper.c:(.text+0x1494): undefined reference to `__memcpy'
ld: drivers/firmware/efi/libstub/tpm.o: in function `efi_retrieve_tpm2_eventlog':
tpm.c:(.text+0x19c): undefined reference to `__memcpy'
ld: tpm.c:(.text+0x34e): undefined reference to `__memcpy'
ld: tpm.c:(.text+0x3c5): undefined reference to `__memset'
ld: tpm.c:(.text+0x3f3): undefined reference to `__memcpy'

off-by-one PCs in reports

This report:

syzbot hit the following crash on e2ab7e8abba47a2f2698216258e5d8727ae58717
https://github.com/google/kmsan.git master
compiler: clang version 7.0.0 (trunk 329391)

==================================================================
BUG: KMSAN: uninit-value in __read_once_size include/linux/compiler.h:197 [inline]
BUG: KMSAN: uninit-value in deliver_ptype_list_skb net/core/dev.c:1908 [inline]
BUG: KMSAN: uninit-value in __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545
CPU: 0 PID: 5999 Comm: syz-executor3 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 __read_once_size include/linux/compiler.h:197 [inline]
 deliver_ptype_list_skb net/core/dev.c:1908 [inline]
 __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 </IRQ>
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 __dev_queue_xmit+0x2a31/0x2b60 net/core/dev.c:3584
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455259
RSP: 002b:00007fb53ede8c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007fb53ede96d4 RCX: 0000000000455259
RDX: 0000000000000001 RSI: 00000000200010c0 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000006cd R14: 00000000006fd3d8 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
 skb_vlan_untag+0x950/0xee0 include/linux/if_vlan.h:597
 __netif_receive_skb_core+0x70a/0x4a80 net/core/dev.c:4460
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==================================================================

It says chained origin was created at:

 skb_vlan_untag+0x950/0xee0 include/linux/if_vlan.h:597

597:	if (eth_proto_is_802_3(proto)) {
598:		skb->protocol = proto;

But it seems to be 598 as the uninit is skb->protocol.

Then, use it at:

 deliver_ptype_list_skb net/core/dev.c:1908 [inline]

1908:	list_for_each_entry_rcu(ptype, ptype_list, list) {
1909:		if (ptype->type != type)

But it seems to be 1909 (type use, which came from skb->protocol).

The current report looks completely bogus because no lines actually point to skb->protocol: the chain is at if (eth_proto_is_802_3(proto)) and then the use is at list_for_each_entry_rcu(ptype, ptype_list, list). I am actually second-guessing that it's skb->protocol because then the report starts making sense.

KMSAN is incompatible with CONFIG_LOCK_DEBUGGING_SUPPORT

I compiled latest kmsan/master (e88bfb8) using tip-of-tree clang (LLVM r370475, clang r370461, compiler-rt r370390).

When CONFIG_KMSAN=n, it boots. When CONFIG_KMSAN=y, it doesn't boot.

There's no output from the kernel in the unbootable case, so I can't easily debug it.

Here's the kconfig I used: kconfig.txt

Enforce correct use of dummy shadow

We need to make dummy_{shadow,origin}_load_page read-only and dummy_{shadow,origin}_store_page write-only to make sure they are used correctly.

duplicate stack origin PC

KMSAN report on df33513:

[ 1784.019981][    C0] =====================================================
[ 1784.022223][    C0] BUG: KMSAN: uninit-value in nf_ip_checksum+0x758/0x770
[ 1784.022223][    C0] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.4.0-rc8-syzkaller #0
[ 1784.022223][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1784.022223][    C0] Call Trace:
[ 1784.022223][    C0]  dump_stack+0x1c9/0x220
[ 1784.022223][    C0]  kmsan_report+0x128/0x220
[ 1784.022223][    C0]  __msan_warning+0x64/0xc0
[ 1784.022223][    C0]  nf_ip_checksum+0x758/0x770
[ 1784.022223][    C0]  nf_nat_icmp_reply_translation+0x2ba/0x970
[ 1784.022223][    C0]  ? kmsan_get_shadow_origin_ptr+0x1e8/0x4d0
[ 1784.022223][    C0]  ? nf_nat_ipv4_in+0x23b/0x580
[ 1784.022223][    C0]  nf_nat_ipv4_in+0x2a7/0x580
[ 1784.022223][    C0]  ? sctp_csum_combine+0xa0/0xa0
[ 1784.022223][    C0]  nf_hook_slow+0x18b/0x3f0
[ 1784.022223][    C0]  ip_rcv+0x259/0x740
[ 1784.022223][    C0]  ? ip_rcv_core+0x11d0/0x11d0
[ 1784.022223][    C0]  ? ip_local_deliver_finish+0x350/0x350
[ 1784.022223][    C0]  process_backlog+0xece/0x13c0
[ 1784.022223][    C0]  ? ip_local_deliver_finish+0x350/0x350
[ 1784.022223][    C0]  ? rps_trigger_softirq+0x2e0/0x2e0
[ 1784.022223][    C0]  net_rx_action+0x7a6/0x1aa0
[ 1784.022223][    C0]  ? net_tx_action+0xc40/0xc40
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  ? ksoftirqd_should_run+0x30/0x30
[ 1784.022223][    C0]  ? takeover_tasklets+0x900/0x900
[ 1784.022223][    C0]  run_ksoftirqd+0x25/0x40
[ 1784.022223][    C0]  smpboot_thread_fn+0x4a3/0x990
[ 1784.022223][    C0]  kthread+0x4b5/0x4f0
[ 1784.022223][    C0]  ? cpu_report_death+0x190/0x190
[ 1784.022223][    C0]  ? kthread_blkcg+0xf0/0xf0
[ 1784.022223][    C0]  ret_from_fork+0x35/0x40
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  __msan_chain_origin+0x5c/0xc0
[ 1784.022223][    C0]  __skb_checksum_complete+0x419/0x530
[ 1784.022223][    C0]  nf_ip_checksum+0x567/0x770
[ 1784.022223][    C0]  nf_nat_icmp_reply_translation+0x2ba/0x970
[ 1784.022223][    C0]  nf_nat_ipv4_local_fn+0x215/0x840
[ 1784.022223][    C0]  nf_hook_slow+0x18b/0x3f0
[ 1784.022223][    C0]  __ip_local_out+0x69b/0x800
[ 1784.022223][    C0]  ip_push_pending_frames+0x16f/0x460
[ 1784.022223][    C0]  icmp_push_reply+0x692/0x750
[ 1784.022223][    C0]  __icmp_send+0x2313/0x3080
[ 1784.022223][    C0]  ipv4_link_failure+0x73c/0xaf0
[ 1784.022223][    C0]  arp_error_report+0x106/0x1a0
[ 1784.022223][    C0]  neigh_invalidate+0x362/0x8f0
[ 1784.022223][    C0]  neigh_timer_handler+0xda4/0x1450
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  metadata_is_contiguous+0xa/0x270
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x6e/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_store_4+0x13/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1dec/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  csum_partial_copy+0xae/0x100
[ 1784.022223][    C0]  skb_copy_and_csum_bits+0x205/0x10b0
[ 1784.022223][    C0]  icmp_glue_bits+0x16b/0x380
[ 1784.022223][    C0]  __ip_append_data+0x435f/0x5290
[ 1784.022223][    C0]  ip_append_data+0x328/0x480
[ 1784.022223][    C0]  icmp_push_reply+0x210/0x750
[ 1784.022223][    C0]  __icmp_send+0x2313/0x3080
[ 1784.022223][    C0]  ipv4_link_failure+0x73c/0xaf0
[ 1784.022223][    C0]  arp_error_report+0x106/0x1a0
[ 1784.022223][    C0]  neigh_invalidate+0x362/0x8f0
[ 1784.022223][    C0]  neigh_timer_handler+0xda4/0x1450
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  metadata_is_contiguous+0xa/0x270
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x6e/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_store_4+0x13/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1dec/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  sctp_packet_transmit+0x1d9e/0x4250
[ 1784.022223][    C0]  sctp_outq_flush+0x1823/0x5d80
[ 1784.022223][    C0]  sctp_outq_uncork+0xd0/0xf0
[ 1784.022223][    C0]  sctp_do_sm+0x8fe1/0x9720
[ 1784.022223][    C0]  sctp_generate_heartbeat_event+0x3c6/0x5a0
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x52/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_load_8+0x10/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1886/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  sctp_make_heartbeat+0x612/0x9e0
[ 1784.022223][    C0]  sctp_sf_sendbeat_8_3+0x18d/0xb10
[ 1784.022223][    C0]  sctp_do_sm+0x2b2/0x9720
[ 1784.022223][    C0]  sctp_generate_heartbeat_event+0x3c6/0x5a0
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x52/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_load_8+0x10/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1886/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  sctp_make_heartbeat+0x3e9/0x9e0
[ 1784.022223][    C0]  sctp_sf_sendbeat_8_3+0x18d/0xb10
[ 1784.022223][    C0]  sctp_do_sm+0x2b2/0x9720
[ 1784.022223][    C0]  sctp_generate_heartbeat_event+0x3c6/0x5a0
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x52/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_load_8+0x10/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1886/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  sctp_transport_new+0x248/0xa00
[ 1784.022223][    C0]  sctp_assoc_add_peer+0x5ba/0x2030
[ 1784.022223][    C0]  sctp_process_init+0x162b/0x3e30
[ 1784.022223][    C0]  sctp_do_sm+0x1b8b/0x9720
[ 1784.022223][    C0]  sctp_assoc_bh_rcv+0x65a/0xd80
[ 1784.022223][    C0]  sctp_inq_push+0x300/0x420
[ 1784.022223][    C0]  sctp_backlog_rcv+0x2d7/0x11a0
[ 1784.022223][    C0]  __release_sock+0x448/0x640
[ 1784.022223][    C0]  release_sock+0x99/0x2a0
[ 1784.022223][    C0]  sctp_wait_for_connect+0x3d7/0x840
[ 1784.022223][    C0]  __sctp_connect+0x1e9d/0x1f20
[ 1784.022223][    C0]  sctp_setsockopt+0x960d/0x19090
[ 1784.022223][    C0]  sock_common_setsockopt+0x13b/0x170
[ 1784.022223][    C0]  __sys_setsockopt+0x7c3/0xa30
[ 1784.022223][    C0]  __se_sys_setsockopt+0xdd/0x100
[ 1784.022223][    C0]  __x64_sys_setsockopt+0x62/0x80
[ 1784.022223][    C0]  do_syscall_64+0xb6/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Local variable description: ----addr.i@sctp_process_init
[ 1784.022223][    C0] Variable was created at:
[ 1784.022223][    C0]  sctp_process_init+0x603/0x3e30
[ 1784.022223][    C0]  sctp_process_init+0x603/0x3e30
[ 1784.022223][    C0] =====================================================

The origin stack has 2 duplicate PCs.
As far as I remember we aimed at memorizing caller PC and grand-caller PC. Do we falsely memorize one of them twice and drop the other one?

unbootable kernel

I used cp .config.example instead of .config and compiled successfully, but when I use syz-manager to run the bzImage, the kernel also oopses, and the log is as below:

[   28.962520] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[   29.021618] 8021q: adding VLAN 0 to HW filter on device eth0
[   29.024422] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   29.070438] ip (3686) used greatest stack depth: 54136 bytes left
[   29.229868] ==================================================================
[   29.232076] BUG: KMSAN: uninit-value in eth_type_trans+0x356/0xa90
[   29.233936] CPU: 1 PID: 3599 Comm: systemd-udevd Not tainted 5.3.0-rc6+ #3
[   29.235989] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   29.238783] Call Trace:
[   29.239546]  <IRQ>
[   29.240186]  dump_stack+0x196/0x1f0
[   29.241301]  kmsan_report+0x162/0x2d0
[   29.242426]  __msan_warning+0x75/0xe0
[   29.243551]  eth_type_trans+0x356/0xa90
[   29.244752]  e1000_clean_rx_irq+0x182a/0x21f0
[   29.246198]  e1000_clean+0x1a49/0x5e20
[   29.247362]  ? e1000_alloc_jumbo_rx_buffers+0xd10/0xd10
[   29.248966]  ? kmsan_get_shadow_origin_ptr+0x230/0x3a0
[   29.250573]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.252148]  ? e1000_shutdown+0x160/0x160
[   29.253396]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.254937]  ? e1000_shutdown+0x160/0x160
[   29.256154]  ? e1000_shutdown+0x160/0x160
[   29.257395]  net_rx_action+0x73b/0x1930
[   29.258597]  ? net_tx_action+0xbc0/0xbc0
[   29.259798]  __do_softirq+0x311/0x83d
[   29.260959]  irq_exit+0x230/0x280
[   29.262005]  do_IRQ+0x20d/0x3a0
[   29.263013]  common_interrupt+0x2e/0x2e
[   29.264186]  </IRQ>
[   29.264877] RIP: 0010:__msan_chain_origin+0x8c/0xe0
[   29.266368] Code: 4a 44 89 f7 e8 95 e9 ff ff 89 c3 65 ff 0d a0 ff ff 7d 65 8b 05 99 ff ff 7d 85 c0 75 30 e8 9c e3 38 ff 4c 89 7d d0 ff 75 d0 9d <65> 48 8b 04 25 28 00 00 00 48 3b 45 e0 75 0d 89 d8 48 83 c4 18 5b
[   29.271841] RSP: 0018:ffff8880451cf9d0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffda
[   29.274078] RAX: 0000000000000000 RBX: 00000000f70000ca RCX: 3acde965b1fdf800
[   29.276188] RDX: 0000000000000a20 RSI: 00000000000836e3 RDI: 00000000d99ad567
[   29.278305] RBP: ffff8880451cfa00 R08: 0000000000000003 R09: ffff8880451cf78c
[   29.280411] R10: 0000000000000003 R11: ffffffff81819f30 R12: ffffc90000916040
[   29.282529] R13: 0000000000000000 R14: 00000000f5c000ca R15: 0000000000000246
[   29.284648]  ? stack_trace_save+0x1b0/0x1b0
[   29.285949]  ___bpf_prog_run+0x68e4/0x9400
[   29.287221]  ? kmsan_get_metadata_or_null+0x208/0x290
[   29.288770]  __bpf_prog_run32+0x101/0x170
[   29.290008]  ? kmem_cache_free+0x18c4/0x2a20
[   29.291347]  ? kmsan_get_shadow_origin_ptr+0x6e/0x3a0
[   29.292902]  ? ___bpf_prog_run+0x9400/0x9400
[   29.294147]  __seccomp_filter+0x587/0x2640
[   29.295440]  ? __msan_metadata_ptr_for_load_1+0x10/0x20
[   29.297046]  ? blkcg_maybe_throttle_current+0x184/0x1380
[   29.298658]  ? kmsan_set_origin+0x25d/0x340
[   29.299949]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.301522]  ? __secure_computing+0x96/0x380
[   29.302816]  __secure_computing+0x1fa/0x380
[   29.304104]  syscall_trace_enter+0x6ed/0xf60
[   29.305467]  do_syscall_64+0x51/0xf0
[   29.306550]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[   29.308066] RIP: 0033:0x7fa53cc340ba
[   29.309168] Code: 48 8b 0d e1 bd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 0b 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ae bd 2b 00 f7 d8 64 89 01 48
[   29.314666] RSP: 002b:00007ffe8e610f38 EFLAGS: 00000206 ORIG_RAX: 000000000000010b
[   29.316888] RAX: ffffffffffffffda RBX: 000055783a011ba0 RCX: 00007fa53cc340ba
[   29.318998] RDX: 000055783a011ba0 RSI: 00007ffe8e610fc0 RDI: 00000000ffffff9c
[   29.321129] RBP: 0000000000000064 R08: 00005578392a0670 R09: 0000000000000070
[   29.323229] R10: 0000000000000063 R11: 0000000000000206 R12: 00007ffe8e610fc0
[   29.325359] R13: 00000000ffffff9c R14: 00007ffe8e610f90 R15: 0000000000000063
[   29.327513] 
[   29.328004] Uninit was created at:
[   29.329081]  kmsan_save_stack_with_flags+0x37/0x70
[   29.330543]  kmsan_internal_alloc_meta_for_pages+0x10f/0x500
[   29.332244]  kmsan_alloc_page+0x7a/0xf0
[   29.333429]  __alloc_pages_nodemask+0x581e/0x5f20
[   29.334849]  page_frag_alloc+0x35b/0x890
[   29.336047]  netdev_alloc_frag+0x1ab/0x1e0
[   29.337304]  e1000_alloc_rx_buffers+0x417/0x1830
[   29.338696]  e1000_configure+0x150f/0x1670
[   29.339931]  e1000_open+0x3c0/0x10a0
[   29.341032]  __dev_open+0x621/0x880
[   29.342103]  __dev_change_flags+0x386/0xb70
[   29.343348]  dev_change_flags+0xf1/0x260
[   29.344532]  do_setlink+0x15c0/0x5ec0
[   29.345647]  rtnl_newlink+0x2eab/0x3990
[   29.346802]  rtnetlink_rcv_msg+0x1158/0x1580
[   29.348073]  netlink_rcv_skb+0x401/0x5f0
[   29.349272]  rtnetlink_rcv+0x50/0x60
[   29.350363]  netlink_unicast+0xf08/0xfe0
[   29.351556]  netlink_sendmsg+0x110d/0x1320
[   29.352794]  ___sys_sendmsg+0x14ef/0x1580
[   29.353968]  __se_sys_sendmsg+0x305/0x460
[   29.355173]  __x64_sys_sendmsg+0x4a/0x70
[   29.356276]  do_syscall_64+0xbc/0xf0
[   29.357305]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[   29.358756] ==================================================================
[   29.360885] Disabling lock debugging due to kernel taint
[   29.362467] Kernel panic - not syncing: panic_on_warn set ...
[   29.364198] CPU: 1 PID: 3599 Comm: systemd-udevd Tainted: G    B             5.3.0-rc6+ #3
[   29.366653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   29.369482] Call Trace:
[   29.370254]  <IRQ>
[   29.370905]  dump_stack+0x196/0x1f0
[   29.371959]  panic+0x3cb/0xc2e
[   29.372969]  kmsan_report+0x2ca/0x2d0
[   29.374103]  __msan_warning+0x75/0xe0
[   29.375235]  eth_type_trans+0x356/0xa90
[   29.376446]  e1000_clean_rx_irq+0x182a/0x21f0
[   29.377877]  e1000_clean+0x1a49/0x5e20
[   29.379034]  ? e1000_alloc_jumbo_rx_buffers+0xd10/0xd10
[   29.380621]  ? kmsan_get_shadow_origin_ptr+0x230/0x3a0
[   29.382252]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.383806]  ? e1000_shutdown+0x160/0x160
[   29.385028]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.386599]  ? e1000_shutdown+0x160/0x160
[   29.387832]  ? e1000_shutdown+0x160/0x160
[   29.389078]  net_rx_action+0x73b/0x1930
[   29.390317]  ? net_tx_action+0xbc0/0xbc0
[   29.391539]  __do_softirq+0x311/0x83d
[   29.392684]  irq_exit+0x230/0x280
[   29.393725]  do_IRQ+0x20d/0x3a0
[   29.394717]  common_interrupt+0x2e/0x2e
[   29.395859]  </IRQ>
[   29.396534] RIP: 0010:__msan_chain_origin+0x8c/0xe0
[   29.398006] Code: 4a 44 89 f7 e8 95 e9 ff ff 89 c3 65 ff 0d a0 ff ff 7d 65 8b 05 99 ff ff 7d 85 c0 75 30 e8 9c e3 38 ff 4c 89 7d d0 ff 75 d0 9d <65> 48 8b 04 25 28 00 00 00 48 3b 45 e0 75 0d 89 d8 48 83 c4 18 5b
[   29.403501] RSP: 0018:ffff8880451cf9d0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffda
[   29.405770] RAX: 0000000000000000 RBX: 00000000f70000ca RCX: 3acde965b1fdf800
[   29.407877] RDX: 0000000000000a20 RSI: 00000000000836e3 RDI: 00000000d99ad567
[   29.410023] RBP: ffff8880451cfa00 R08: 0000000000000003 R09: ffff8880451cf78c
[   29.412138] R10: 0000000000000003 R11: ffffffff81819f30 R12: ffffc90000916040
[   29.425441] R13: 0000000000000000 R14: 00000000f5c000ca R15: 0000000000000246
[   29.427432]  ? stack_trace_save+0x1b0/0x1b0
[   29.428747]  ___bpf_prog_run+0x68e4/0x9400
[   29.431772]  ? kmsan_get_metadata_or_null+0x208/0x290
[   29.433333]  __bpf_prog_run32+0x101/0x170
[   29.434552]  ? kmem_cache_free+0x18c4/0x2a20
[   29.435865]  ? kmsan_get_shadow_origin_ptr+0x6e/0x3a0
[   29.437785]  ? ___bpf_prog_run+0x9400/0x9400
[   29.439075]  __seccomp_filter+0x587/0x2640
[   29.440288]  ? __msan_metadata_ptr_for_load_1+0x10/0x20
[   29.441888]  ? blkcg_maybe_throttle_current+0x184/0x1380
[   29.443503]  ? kmsan_set_origin+0x25d/0x340
[   29.444784]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.446317]  ? __secure_computing+0x96/0x380
[   29.447608]  __secure_computing+0x1fa/0x380
[   29.449128]  syscall_trace_enter+0x6ed/0xf60
[   29.450473]  do_syscall_64+0x51/0xf0
[   29.451603]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[   29.453208] RIP: 0033:0x7fa53cc340ba
[   29.454304] Code: 48 8b 0d e1 bd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 0b 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ae bd 2b 00 f7 d8 64 89 01 48
[   29.459704] RSP: 002b:00007ffe8e610f38 EFLAGS: 00000206 ORIG_RAX: 000000000000010b
[   29.461971] RAX: ffffffffffffffda RBX: 000055783a011ba0 RCX: 00007fa53cc340ba
[   29.464067] RDX: 000055783a011ba0 RSI: 00007ffe8e610fc0 RDI: 00000000ffffff9c
[   29.466168] RBP: 0000000000000064 R08: 00005578392a0670 R09: 0000000000000070
[   29.468264] R10: 0000000000000063 R11: 0000000000000206 R12: 00007ffe8e610fc0
[   29.470370] R13: 00000000ffffff9c R14: 00007ffe8e610f90 R15: 0000000000000063
[   29.472786] Dumping ftrace buffer:
[   29.473672]    (ftrace buffer empty)
[   29.474496] Kernel Offset: disabled
[   29.475300] Rebooting in 1 seconds..
^CSIGINT: shutting down...

clang version: clang-10, kernel: 5.3.6-rc7.
Is the error caused by CONFIG_KMSAN?

wrong origin for stack variable

On kernel commit d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617.
Compiler: clang version 7.0.0 (trunk 329391)
Report:

==================================================================
BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
BUG: KMSAN: uninit-value in put_cmsg+0x600/0x870 net/core/scm.c:242
CPU: 0 PID: 4459 Comm: syz-executor582 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 kmsan_internal_check_memory+0x135/0x1e0 mm/kmsan/kmsan.c:1157
 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
 copy_to_user include/linux/uaccess.h:184 [inline]
 put_cmsg+0x600/0x870 net/core/scm.c:242
 rds_cmsg_recv net/rds/recv.c:570 [inline]
 rds_recvmsg+0x2db5/0x3170 net/rds/recv.c:657
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0x1d0/0x230 net/socket.c:810
 ___sys_recvmsg+0x3fb/0x810 net/socket.c:2205
 __sys_recvmsg net/socket.c:2250 [inline]
 SYSC_recvmsg+0x298/0x3c0 net/socket.c:2262
 SyS_recvmsg+0x54/0x80 net/socket.c:2257
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445889
RSP: 002b:00007f7fd7e8fdb8 EFLAGS: 00000297 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445889
RDX: 0000000000000000 RSI: 0000000020000780 RDI: 0000000000000003
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000000
R13: 00007fff8847ca8f R14: 00007f7fd7e909c0 R15: 0000000000000006

Local variable description: ----__wq_entry@rds_recvmsg
Variable was created at:
 rds_recvmsg+0x118/0x3170 net/rds/recv.c:582
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0x1d0/0x230 net/socket.c:810

Bytes 4-7 of 32 are uninitialized
==================================================================

Looking at the code the uninit very clearly comes from struct rds_cmsg_rx_trace t in rds_cmsg_recv.
But the report points to __wq_entry somewhere in wait_event_interruptible_timeout.

Locals sharing a stack slot cause garbled reports

When two variables share a stack slot, KMSAN generates calls to __msan_poison_alloca() in the prologue that may poison the same memory:

ffffffff8156d30a:       48 8d 7d a0             lea    -0x60(%rbp),%rdi
ffffffff8156d30e:       be 08 00 00 00          mov    $0x8,%esi
ffffffff8156d313:       48 c7 c2 d0 00 e9 8b    mov    $0xffffffff8be900d0,%rdx
ffffffff8156d31a:       e8 d1 6e a6 00          callq  ffffffff81fd41f0 <__msan_poison_alloca>
ffffffff8156d31f:       48 8d 7d a0             lea    -0x60(%rbp),%rdi
ffffffff8156d323:       be 10 00 00 00          mov    $0x10,%esi
ffffffff8156d328:       48 c7 c2 f0 00 e9 8b    mov    $0xffffffff8be900f0,%rdx
ffffffff8156d32f:       e8 bc 6e a6 00          callq  ffffffff81fd41f0 <__msan_poison_alloca>

As a result, it's hard to tell where the uninitialized memory belongs to.
As noted in google/sanitizers#590, we should probably poison variables once they go into scope (i.e. on llvm.lifetime.start).
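A toy model of the slot-sharing problem described above (an added example, not the KMSAN runtime or its instrumentation): a frame is a small array of per-byte origins, `poison_alloca()` stands in for `__msan_poison_alloca()`, and the two locals, their sizes and descriptor strings are constructed for the example. It contrasts the prologue poisoning seen in the disassembly with poisoning at scope entry.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy model of stack-slot poisoning, added to illustrate the issue above.
 * This is not the KMSAN runtime: a frame is FRAME_BYTES long and every byte
 * carries an "origin", the descriptor string of the local whose
 * __msan_poison_alloca() call last poisoned it. Variable names and
 * descriptors below are constructed for the example.
 */
#define FRAME_BYTES 32

struct frame_origins {
	const char *origin[FRAME_BYTES]; /* NULL = not poisoned (initialized) */
};

/* Model of __msan_poison_alloca(addr, size, descr): mark `size` bytes at
 * frame offset `off` uninitialized and record `descr` as their origin. */
static void poison_alloca(struct frame_origins *f, unsigned int off,
			  unsigned int size, const char *descr)
{
	for (unsigned int i = off; i < off + size && i < FRAME_BYTES; i++)
		f->origin[i] = descr;
}

/* Model of the "Local variable description" line of a report: which local
 * does the origin recorded for frame offset `off` blame? */
static const char *blame(const struct frame_origins *f, unsigned int off)
{
	return f->origin[off] ? f->origin[off] : "initialized";
}

/*
 * Prologue poisoning, as in the disassembly above: two locals from disjoint
 * scopes were assigned the same slot (-0x60(%rbp)) and both are poisoned up
 * front, so the second call overwrites the first call's origin. Reading the
 * first local uninitialized then blames the second one.
 */
static const char *report_with_prologue_poisoning(void)
{
	struct frame_origins f = { { 0 } };

	poison_alloca(&f, 0, 8, "----first@func");   /* u64 first;     scope 1 */
	poison_alloca(&f, 0, 16, "----second@func"); /* u8 second[16]; scope 2 */
	/* execute scope 1: an uninitialized read of `first` at offset 4 */
	return blame(&f, 4);
}

/*
 * Scope-entry poisoning (on llvm.lifetime.start, as google/sanitizers#590
 * suggests): each local is poisoned when its scope begins, so the read in
 * scope 1 is blamed on the local that is actually live there.
 */
static const char *report_with_lifetime_poisoning(void)
{
	struct frame_origins f = { { 0 } };
	const char *who;

	poison_alloca(&f, 0, 8, "----first@func");   /* scope 1 begins */
	who = blame(&f, 4);                           /* uninit read in scope 1 */
	poison_alloca(&f, 0, 16, "----second@func"); /* scope 2 begins later */
	return who;
}

int main(void)
{
	printf("prologue poisoning blames: %s\n", report_with_prologue_poisoning());
	printf("lifetime poisoning blames: %s\n", report_with_lifetime_poisoning());
	return 0;
}
```

The model keeps only the last descriptor written to each byte, which is exactly why the second prologue call wins: the runtime has no record that `first` was the variable in scope when the read happened.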

wrong variable name for vla

It seems that the variable called vla comes from:

static int crypto_xcbc_digest_setkey(struct crypto_shash *parent,
				     const u8 *inkey, unsigned int keylen)
{
....
	u8 key1[bs];

Need to say key1.

==================================================================
BUG: KMSAN: uninit-value in __arch_swab64 arch/x86/include/uapi/asm/swab.h:31 [inline]
BUG: KMSAN: uninit-value in __fswab64 include/uapi/linux/swab.h:68 [inline]
BUG: KMSAN: uninit-value in __swab64p include/uapi/linux/swab.h:192 [inline]
BUG: KMSAN: uninit-value in __be64_to_cpup include/uapi/linux/byteorder/little_endian.h:74 [inline]
BUG: KMSAN: uninit-value in get_unaligned_be64 include/linux/unaligned/access_ok.h:35 [inline]
BUG: KMSAN: uninit-value in camellia_setup128 arch/x86/crypto/camellia_glue.c:1006 [inline]
BUG: KMSAN: uninit-value in __camellia_setkey+0x150b/0x1880 arch/x86/crypto/camellia_glue.c:1261
CPU: 0 PID: 10172 Comm: syz-executor4 Not tainted 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 __arch_swab64 arch/x86/include/uapi/asm/swab.h:31 [inline]
 __fswab64 include/uapi/linux/swab.h:68 [inline]
 __swab64p include/uapi/linux/swab.h:192 [inline]
 __be64_to_cpup include/uapi/linux/byteorder/little_endian.h:74 [inline]
 get_unaligned_be64 include/linux/unaligned/access_ok.h:35 [inline]
 camellia_setup128 arch/x86/crypto/camellia_glue.c:1006 [inline]
 __camellia_setkey+0x150b/0x1880 arch/x86/crypto/camellia_glue.c:1261
 camellia_setkey+0x9a/0xb0 arch/x86/crypto/camellia_aesni_avx2_glue.c:200
 setkey+0x50f/0x5a0 crypto/cipher.c:60
 crypto_cipher_setkey include/linux/crypto.h:1552 [inline]
 crypto_xcbc_digest_setkey+0x4b7/0x570 crypto/xcbc.c:77
 crypto_shash_setkey crypto/shash.c:66 [inline]
 shash_async_setkey+0x337/0x4c0 crypto/shash.c:218
 crypto_ahash_setkey+0x31a/0x470 crypto/ahash.c:201
 hash_setkey+0x8b/0xa0 crypto/algif_hash.c:420
 alg_setkey crypto/af_alg.c:223 [inline]
 alg_setsockopt+0x6c5/0x740 crypto/af_alg.c:256
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455259
RSP: 002b:00007f9d7bdd1c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f9d7bdd26d4 RCX: 0000000000455259
RDX: 0000000000000001 RSI: 0000000000000117 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000
R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000510 R14: 00000000006faa20 R15: 0000000000000000

Local variable description: ----vla@crypto_xcbc_digest_setkey
Variable was created at:
 crypto_xcbc_digest_setkey+0x12e/0x570 crypto/xcbc.c:68
 crypto_shash_setkey crypto/shash.c:66 [inline]
 shash_async_setkey+0x337/0x4c0 crypto/shash.c:218
==================================================================

duplicate frame for local var origin

From a recent report:
https://syzkaller.appspot.com/bug?extid=af962bf9e7e27bccd025

[  137.433919][T11659] Local variable ----offset@snapshot_compat_ioctl created at:
[  137.441372][T11659]  snapshot_compat_ioctl+0x324/0x650
[  137.446733][T11659]  snapshot_compat_ioctl+0x324/0x650

symbolized as:

Local variable ----offset@snapshot_compat_ioctl created at:
 get_current arch/x86/include/asm/current.h:15 [inline]
 snapshot_compat_ioctl+0x324/0x650 kernel/power/user.c:418
 get_current arch/x86/include/asm/current.h:15 [inline]
 snapshot_compat_ioctl+0x324/0x650 kernel/power/user.c:418

Why do we have 2 of the same frame? We should have frame and caller frame.

rebase

@ramosian-glider, please rebase to upstream HEAD at your earliest convenience.
That will pull in 20 KMSAN bug fixes and also close lots of fix-pending bugs on syzbot.

LLVM patch doesn't apply

The LLVM patch is apparently supposed to apply to r319647, but it tries to patch a file named "test/Instrumentation/MemorySanitizer/msan_userspace_basic.ll" which doesn't exist in that revision:

e@zzz ~/src/llvm $ patch -p0 -i kmsan-llvm.patch 
patching file include/llvm/Transforms/Instrumentation.h
patching file lib/Transforms/Instrumentation/MemorySanitizer.cpp
patching file test/Instrumentation/MemorySanitizer/alloca.ll
patching file test/Instrumentation/MemorySanitizer/array_types.ll
patching file test/Instrumentation/MemorySanitizer/atomics.ll
patching file test/Instrumentation/MemorySanitizer/byval-alignment.ll
patching file test/Instrumentation/MemorySanitizer/msan_basic.ll
patching file test/Instrumentation/MemorySanitizer/msan_common_basic.ll
patching file test/Instrumentation/MemorySanitizer/msan_kernel_basic.ll
can't find file to patch at input line 3620
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|Index: test/Instrumentation/MemorySanitizer/msan_userspace_basic.ll
|===================================================================
|--- test/Instrumentation/MemorySanitizer/msan_userspace_basic.ll	(revision 319647)
|+++ test/Instrumentation/MemorySanitizer/msan_userspace_basic.ll	(working copy)
--------------------------
File to patch: 

Also the README needs to be updated; it still says r298239 and r313704, and it shows applying the clang patch from the llvm/ directory, which is wrong (it should be from llvm/tools/clang/).

Potential deadlock in stack_depot_save()

When calling stack_depot_save() from within rmqueue() in mm/page_alloc.c (e.g. via __msan_poison_alloca()) it is possible to take a lock twice, which will lead to a deadlock.
We already have __no_sanitize_memory for rmqueue(), but it may still poison locals transitively.

Possible solutions:

  • preallocate a stack depot page somewhere before rmqueue()
  • call stack_depot_save(..., lock_is_taken() ? GFP_KERNEL : GFP_ATOMIC)

make it clear that UAFs are UAFs in reports

Currently for UAFs we produce a normal uninit-value report with an origin in kfree. This is somewhat confusing. It can make sense to explicitly say in such reports that this is a UAF.
We discussed that this can be done by marking such origin with a dedicated bit (we seem to have spare bits in origins). Then we could check that the initial origin has this bit set to detect UAFs.
Also, the bit check is cheap, so we potentially could check it right in the loads and produce UAF reports earlier.

Uninitialized bitfields create long origin chains

Starting from Linux v.4.20-rc2 there are seven 1-bit fields in struct mmu_gather packed into an unsigned int value. One of those fields is updated in a tight loop. On each update, the remaining 25 uninitialized bits receive a new origin generated from the previous one:

u32 values;
for (i = 0; ... ; i++) {
  values |= FIELD_MASK;
  // u32 *origin = get_origin_ptr(&values);
  // *origin = __msan_chain_origin(*origin);
}

This generates a lot of unnecessary origin chains, which may quickly fill the stack depot and start reporting warnings.
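A toy model of 32-bit origins that illustrates both this issue and the "make it clear that UAFs are UAFs in reports" issue above (an added example, not KMSAN's real origin encoding or its `__msan_chain_origin()`). The bit layout, the depth cap `MAX_ORIGIN_DEPTH` and the `depot_save()` stand-in for `stack_depot_save()` are assumptions made for the example. It shows how an uncapped chain grows by one depot record per loop iteration, how a depth cap bounds that, and how a dedicated bit in the origin lets a load check classify a report as a UAF without walking the chain.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of 32-bit origins, added to illustrate the two issues above; it
 * is not KMSAN's real origin encoding. Assumed layout:
 *   bit 31       UAF flag: the origin was created by kfree()
 *   bits 28..30  chain depth: how many times the origin has been chained
 *   bits 0..27   stack depot handle
 */
#define ORIGIN_UAF_BIT		(1u << 31)
#define ORIGIN_DEPTH_SHIFT	28
#define ORIGIN_DEPTH_MASK	(7u << ORIGIN_DEPTH_SHIFT)
#define ORIGIN_HANDLE_MASK	((1u << ORIGIN_DEPTH_SHIFT) - 1)
#define MAX_ORIGIN_DEPTH	7 /* assumed cap; chosen to fit the 3 depth bits */

/* Stand-in for stack_depot_save(): hands out sequential handles and counts
 * how many records the depot holds, which is what the bitfield loop fills. */
static uint32_t depot_next_handle = 1;
static uint32_t depot_records;

static uint32_t depot_save(void)
{
	depot_records++;
	return depot_next_handle++ & ORIGIN_HANDLE_MASK;
}

static uint32_t origin_depth(uint32_t o)
{
	return (o & ORIGIN_DEPTH_MASK) >> ORIGIN_DEPTH_SHIFT;
}

static bool origin_is_uaf(uint32_t o)
{
	return (o & ORIGIN_UAF_BIT) != 0;
}

/* Origin of memory poisoned on allocation. */
static uint32_t make_alloc_origin(void)
{
	return depot_save();
}

/* Origin of memory poisoned on kfree(): same kind of record, plus the
 * dedicated bit so a later report can say "use-after-free". */
static uint32_t make_free_origin(void)
{
	return depot_save() | ORIGIN_UAF_BIT;
}

/*
 * Model of __msan_chain_origin(): save the current stack as a new depot
 * record linked to `prev`, keeping the UAF bit and bumping the depth. Once
 * the depth reaches the cap the old origin is returned unchanged, so a tight
 * loop of partial updates stops consuming depot space.
 */
static uint32_t chain_origin(uint32_t prev)
{
	uint32_t depth = origin_depth(prev);

	if (depth >= MAX_ORIGIN_DEPTH)
		return prev;
	return depot_save() | ((depth + 1) << ORIGIN_DEPTH_SHIFT) |
	       (prev & ORIGIN_UAF_BIT);
}

/* The mmu_gather-style loop: every `values |= FIELD_MASK` stores into a u32
 * whose other bits are uninitialized, so the origin is chained each time. */
static uint32_t bitfield_update_loop(unsigned int iters, uint32_t origin)
{
	uint32_t values = 0; /* the shadow would still mark bits 7..31 uninit */

	for (unsigned int i = 0; i < iters; i++) {
		values |= 1u << (i % 7);
		origin = chain_origin(origin);
	}
	(void)values;
	return origin;
}

/* Depot records created by `iters` partial updates of one poisoned value. */
static uint32_t depot_records_for_loop(unsigned int iters, bool freed)
{
	depot_records = 0;
	bitfield_update_loop(iters, freed ? make_free_origin()
					  : make_alloc_origin());
	return depot_records;
}

/* What a load check could do cheaply: test the bit instead of walking the
 * chain back to its first record. */
static const char *classify_report(uint32_t origin)
{
	return origin_is_uaf(origin) ? "use-after-free" : "uninit-value";
}

int main(void)
{
	printf("records after 1000 updates: %u\n",
	       depot_records_for_loop(1000, false));
	printf("report kind for freed memory: %s\n",
	       classify_report(bitfield_update_loop(1000, make_free_origin())));
	return 0;
}
```

With the cap in place the loop costs at most one record per depth level, whatever its trip count; without it (set `MAX_ORIGIN_DEPTH` to the loop count to see the effect) every iteration adds a record, which is the depot exhaustion the issue describes.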

compile KMSAN error

I compiled KMSAN and got some errors; the compile log is as below:

adlab@adlab-box:~/Desktop/world/kmsan$ make CC=/home/adlab/Desktop/world/third_party/llvm-build/Release+Asserts/bin/clang -j32
  DESCEND objtool
  CC      scripts/mod/empty.o
  CC      scripts/mod/devicetable-offsets.s
clang: error: invalid argument '-fsanitize=kernel-memory' not allowed with '-fsanitize=thread'
make[1]: *** [scripts/Makefile.build:277: scripts/mod/empty.o] Error 1
make[1]: *** Waiting for unfinished jobs....
clang: error: invalid argument '-fsanitize=kernel-memory' not allowed with '-fsanitize=thread'
make[1]: *** [scripts/Makefile.build:121: scripts/mod/devicetable-offsets.s] Error 1
make: *** [Makefile:1219: prepare0] Error 2
make: *** Waiting for unfinished jobs....

Maybe the clang is wrong?
clang version:

clang version 14.0.0 (https://github.com/llvm/llvm-project/ abb2a91b89722da671d17606fb65d462f9882cc0)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/adlab/Desktop/world/third_party/llvm-build/Release+Asserts/bin

The CPU type is AMD.

Thanks.

KMSAN must use contiguous shadow for physical pages

Right now it is often possible that for two contiguous pages p1 and p2 (i.e. page_address(p1) + PAGE_SIZE == page_address(p2)) their shadow and origin pages aren't contiguous.
This is already so for .data and .bss sections, for which the metadata pages are allocated with order 0. There also are situations in which the kernel treats two contiguous pages returned by different alloc_pages() calls as a single allocation, which may not be correct in theory, but is very popular in practice.

To bear with this, KMSAN runtime has a lot of places where functions handling address ranges have to stop at page boundaries and recalculate the metadata pointers to avoid accidentally overwriting a data page that follows a metadata page. It is not clear whether all such cases are handled.

A better approach would be to have a mapping of all shadow pages for the physical memory mapped at 0xffff888000000000, that assigns contiguous addresses of shadow pages for contiguous physical pages.

Such a mapping is somewhat similar to what vmap() does, and can be placed into the vmalloc area (which we already shrink to hold the vmalloc metadata).
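A toy model of the two metadata layouts contrasted above (an added example, not KMSAN's code): per-page shadow from order-0 allocations versus a linear shadow map for the direct-mapped physical memory. `DIRECT_MAP_BASE` is the physical memory mapping named in the issue; `LINEAR_SHADOW_BASE` and the per-page shadow addresses are constructed for the example, and `metadata_is_contiguous()` here only mirrors the job of the runtime function of that name that appears in the traces above. It shows why a range walker has to stop at every page boundary under the first layout and not at all under the second.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Toy model of the two metadata layouts discussed above; added here, not
 * KMSAN's code. DIRECT_MAP_BASE is the physical memory mapping named in the
 * issue; LINEAR_SHADOW_BASE and the per-page shadow addresses are
 * constructed for the example.
 */
#undef PAGE_SIZE
#define PAGE_SIZE		4096UL
#define NPAGES			4
#define DIRECT_MAP_BASE		0xffff888000000000UL
#define LINEAR_SHADOW_BASE	0xffffc90000000000UL /* assumed: carved out of the vmalloc area */

typedef unsigned long (*shadow_lookup_fn)(unsigned long addr);

/* Layout 1: per-page metadata from order-0 allocations. The shadow page for
 * each direct-map page is wherever the allocator put it (constructed,
 * deliberately not adjacent). */
static const unsigned long per_page_shadow[NPAGES] = {
	0xffff88801a3c0000UL,
	0xffff888003450000UL,
	0xffff88800f880000UL,
	0xffff888011220000UL,
};

static unsigned long shadow_per_page(unsigned long addr)
{
	unsigned long idx = (addr - DIRECT_MAP_BASE) / PAGE_SIZE;

	return per_page_shadow[idx % NPAGES] + (addr & (PAGE_SIZE - 1));
}

/* Layout 2: a linear shadow map. shadow(p + k) == shadow(p) + k for every
 * direct-map address, so contiguous physical pages get contiguous shadow. */
static unsigned long shadow_linear(unsigned long addr)
{
	return LINEAR_SHADOW_BASE + (addr - DIRECT_MAP_BASE);
}

/* Does the metadata for [addr, addr + len) form one contiguous range?
 * Checked at every page boundary inside the range. */
static bool metadata_is_contiguous(shadow_lookup_fn lookup,
				   unsigned long addr, unsigned long len)
{
	unsigned long first = lookup(addr);
	unsigned long off = PAGE_SIZE - (addr & (PAGE_SIZE - 1));

	for (; off < len; off += PAGE_SIZE)
		if (lookup(addr + off) != first + off)
			return false;
	return true;
}

/* Number of pieces a metadata operation over [addr, addr + len) has to be
 * split into so that it never runs past the end of one shadow page into an
 * unrelated data page. Each piece ends where contiguity breaks. */
static unsigned int metadata_chunks(shadow_lookup_fn lookup,
				    unsigned long addr, unsigned long len)
{
	unsigned long pos = addr, end = addr + len;
	unsigned int chunks = 0;

	while (pos < end) {
		/* end of the page containing pos */
		unsigned long chunk_end = pos + PAGE_SIZE - (pos & (PAGE_SIZE - 1));

		/* keep extending while the shadow stays contiguous */
		while (chunk_end < end &&
		       lookup(chunk_end) == lookup(pos) + (chunk_end - pos))
			chunk_end += PAGE_SIZE;
		if (chunk_end > end)
			chunk_end = end;
		chunks++;
		pos = chunk_end;
	}
	return chunks;
}

int main(void)
{
	unsigned long len = 3 * PAGE_SIZE;

	printf("per-page layout: contiguous=%d chunks=%u\n",
	       metadata_is_contiguous(shadow_per_page, DIRECT_MAP_BASE, len),
	       metadata_chunks(shadow_per_page, DIRECT_MAP_BASE, len));
	printf("linear layout:   contiguous=%d chunks=%u\n",
	       metadata_is_contiguous(shadow_linear, DIRECT_MAP_BASE, len),
	       metadata_chunks(shadow_linear, DIRECT_MAP_BASE, len));
	return 0;
}
```

Under the linear layout `metadata_chunks()` is always 1, which is the property that would let the range-handling functions drop their boundary checks; under the per-page layout it equals the number of pages touched, and every one of those splits is a place where a missing check would overwrite whatever page follows the shadow page.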

say what bytes in heap blocks are uninitialized

This came up during analysis of several reports. It would be useful to output what bytes of heap blocks are uninitialized, similar to what we do for stack objects (or, maybe print shadow dump similar to KASAN). It may be useful to see if just 1 int is uninitialized, or just 1 bit in this int, or whole block.
Is it theoretically possible to fit offset from the beginning of a heap block into origins too? If offset is rounded to 8 bits, it may be useful already. Or we could granularize offset to fit more.

Should we override gfp_flags when allocating metadata pages?

Intuitively, when calling alloc_pages() from a KMSAN hook for alloc_pages(), we could be using the same gfp_flags, as in the original allocation.

This is however not the case. If we don't set the flags to GFP_ATOMIC:

diff --git a/mm/kmsan/kmsan_shadow.c b/mm/kmsan/kmsan_shadow.c
index 69785ef74d93..3422a47e6f3c 100644
--- a/mm/kmsan/kmsan_shadow.c
+++ b/mm/kmsan/kmsan_shadow.c
@@ -330,7 +330,7 @@ static int kmsan_internal_alloc_meta_for_pages(struct page *page,
        }
 
        /* TODO(glider): must we override the flags? */
-       flags = GFP_ATOMIC;
+       //flags = GFP_ATOMIC;
        if (initialized)
                flags |= __GFP_ZERO;
        shadow = alloc_pages_node(node, flags | __GFP_NO_KMSAN_SHADOW, order);
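Review bot: commenting out `flags = GFP_ATOMIC;` rather than deleting it leaves dead code behind and the `/* TODO(glider): must we override the flags? */` question still open in the source; if the override is to go, remove the line and replace the TODO with a comment stating why the caller's flags are acceptable here. With the override gone, `flags` is whatever the original alloc_pages() caller passed, so `alloc_pages_node(node, flags | __GFP_NO_KMSAN_SHADOW, order)` inherits that caller's reclaim and sleeping behaviour for an allocation made from inside the KMSAN hook, and the only bit the hook itself adds is `__GFP_ZERO` when `initialized` is set. Derive the shadow allocation's flags explicitly from the incoming ones instead of passing them through unchanged, and record in the same place that this experiment produced the use-after-free reports shown below.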

, we immediately get a bunch of UAF reports:

=====================================================
BUG: KMSAN: use-after-free in dma_direct_sync_single_for_cpu kernel/dma/direct.c:307
BUG: KMSAN: use-after-free in dma_direct_unmap_page kernel/dma/direct.c:340
BUG: KMSAN: use-after-free in dma_direct_unmap_sg+0x41a/0x4c0 kernel/dma/direct.c:354
CPU: 0 PID: 129 Comm: mountkernfs.sh Not tainted 5.5.0-rc1+ #3771
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77
 dump_stack+0x1ce/0x230 lib/dump_stack.c:118
 kmsan_report+0x127/0x220 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x57/0xa0 mm/kmsan/kmsan_instr.c:245
 dma_direct_sync_single_for_cpu kernel/dma/direct.c:307
 dma_direct_unmap_page kernel/dma/direct.c:340
 dma_direct_unmap_sg+0x41a/0x4c0 kernel/dma/direct.c:354
 ? kmsan_get_shadow_origin_ptr+0x91/0x4f0 mm/kmsan/kmsan_shadow.c:180
 dma_unmap_sg_attrs ./include/linux/dma-mapping.h:335
 ata_sg_clean drivers/ata/libata-core.c:5031
 __ata_qc_complete+0x569/0xba0 drivers/ata/libata-core.c:5172
 ata_qc_complete+0xc3b/0x1330 drivers/ata/libata-core.c:5318
 ata_hsm_qc_complete+0x3a6/0x430 drivers/ata/libata-sff.c:958
 ata_sff_hsm_move+0x2611/0x2dd0 drivers/ata/libata-sff.c:1197
 ? vmalloc_meta mm/kmsan/kmsan_shadow.c:111
 ? kmsan_get_metadata+0x4f/0x290 mm/kmsan/kmsan_shadow.c:244
 ? kmsan_internal_check_memory+0xb1/0x430 mm/kmsan/kmsan.c:404
 ? iowrite8+0x147/0x2e0 lib/iomap.c:203
 ? ata_bmdma_port_start+0x230/0x230 drivers/ata/libata-sff.c:3069
 __ata_sff_port_intr+0x65c/0x730 drivers/ata/libata-sff.c:1504
 ata_bmdma_port_intr+0x13b/0x5c0 drivers/ata/libata-sff.c:2811
 __ata_sff_interrupt drivers/ata/libata-sff.c:1549
 ata_bmdma_interrupt+0x41f/0xb90 drivers/ata/libata-sff.c:2836
 ? ata_bmdma_port_intr+0x5c0/0x5c0 drivers/ata/libata-sff.c:2807
 __handle_irq_event_percpu+0x315/0xc80 kernel/irq/handle.c:149
 handle_irq_event+0x18c/0x3e0 kernel/irq/handle.c:206
 handle_edge_irq+0x3db/0x1240 kernel/irq/chip.c:830
 ? handle_fasteoi_nmi+0x580/0x580 kernel/irq/chip.c:766
 generic_handle_irq_desc ./include/linux/irqdesc.h:156
 do_IRQ+0xfd/0x350 arch/x86/kernel/irq.c:250
 ? kmsan_unpoison_pt_regs+0x29/0x30 mm/kmsan/kmsan_entry.c:116
 common_interrupt+0x2e/0x2e arch/x86/entry/entry_64.S:610
 </IRQ>
RIP: 0010:kmsan_alloc_page+0x2eb/0x320
Code: 00 00 48 83 c3 50 48 39 c1 7c e4 65 ff 0d b1 7b 6c 5f 65 8b 05 aa 7b 6c 5f 85 c0 75 21 e8 4d 22 54 ff 4c 89 75 b8 ff 75 b8 9d <44> 89 f8 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 65 8b
RSP: 0018:ffffa1908065f600 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffdd
RAX: 0000000000000000 RBX: ffffdf9e07ed96f0 RCX: 0000000000000001
RDX: ffffdf9e07ed9700 RSI: 0000000000000400 RDI: ffff969c15eb0000
RBP: ffffa1908065f650 R08: ccccccccccccd000 R09: ffffa1908065f42c
R10: 000000000000000f R11: ffffffffa03006b0 R12: ffffdf9e07ed9700
R13: ffffdf9e07ed9750 R14: 0000000000000246 R15: 0000000000000000
 ? stack_trace_save+0x1b0/0x1b0 kernel/stacktrace.c:117
 __alloc_pages_nodemask+0xc26/0xef0 mm/page_alloc.c:4799
 alloc_pages_current+0x554/0x960 mm/mempolicy.c:2207
 alloc_pages ./include/linux/gfp.h:534
 alloc_slab_page mm/slub.c:1511
 allocate_slab mm/slub.c:1656
 new_slab+0x31a/0x1320 mm/slub.c:1722
 new_slab_objects mm/slub.c:2473
 ___slab_alloc+0xc28/0x17b0 mm/slub.c:2624
 ? prepare_creds+0x60/0x800 kernel/cred.c:258
 __slab_alloc mm/slub.c:2664
 slab_alloc_node mm/slub.c:2738
 slab_alloc mm/slub.c:2783
 kmem_cache_alloc+0x924/0xb70 mm/slub.c:2788
 ? prepare_creds+0x60/0x800 kernel/cred.c:258
 prepare_creds+0x60/0x800 kernel/cred.c:258
 ? kmsan_get_shadow_origin_ptr+0x91/0x4f0 mm/kmsan/kmsan_shadow.c:180
 copy_creds+0x114/0xa80 kernel/cred.c:355
 copy_process+0x1bea/0x9060 kernel/fork.c:1946
 _do_fork+0x259/0xfa0 kernel/fork.c:2423
 __do_sys_clone kernel/fork.c:2578
 __se_sys_clone+0x35b/0x3a0 kernel/fork.c:2559
 __x64_sys_clone+0x62/0x80 kernel/fork.c:2559
 do_syscall_64+0xa5/0xf0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9 arch/x86/entry/entry_64.S:176
RIP: 0033:0x7fe7b67a5f46
Code: f7 d8 64 89 04 25 d4 02 00 00 64 4c 8b 14 25 10 00 00 00 31 d2 49 81 c2 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 31 01 00 00 85 c0 41 89 c4 0f 85 3b 01 00
RSP: 002b:00007ffc28c132f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007ffc28c132f0 RCX: 00007fe7b67a5f46
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007ffc28c13330 R08: 0000000000000081 R09: 0000000000000081
R10: 00007fe7b6c9d9d0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000001cc6958

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149
 kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
 kmsan_slab_free+0x6d/0xb0 mm/kmsan/kmsan_hooks.c:107
 slab_free_freelist_hook mm/slub.c:1458
 slab_free mm/slub.c:3021
 kmem_cache_free+0x367/0x2b30 mm/slub.c:3037
 file_free_rcu+0x11a/0x130 fs/file_table.c:50
 __rcu_reclaim+0x408/0x440 kernel/rcu/rcu.h:222
 rcu_do_batch+0x78e/0x1720 kernel/rcu/tree.c:2183
 rcu_core+0x86e/0xe90 kernel/rcu/tree.c:2408
 rcu_core_si+0xe/0x10 kernel/rcu/tree.c:2417
 __do_softirq+0x313/0x809 kernel/softirq.c:293
=====================================================

instrument put_user

Need kmsan_check_memory check in put_user and friends (_nocheck/_ex variants).

bochs shadow buffer breaks KMSAN

5854059 breaks KMSAN, causing sporadic uninit reports in mm/ followed by OOMs, e.g.:

=====================================================
 BUG: KMSAN: uninit-value in[<     inline     >] balance_pgdat mm/vmscan.c:3739
 BUG: KMSAN: uninit-value in[<      none      >] kswapd+0x309f/0x3920 mm/vmscan.c:3956
 CPU: 0 PID: 2335 Comm: kswapd0 Not tainted 5.4.0-rc8+ #3427
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
 Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:77
 [<      none      >] dump_stack+0x1ce/0x230 lib/dump_stack.c:118
 [<      none      >] kmsan_report+0x127/0x220 mm/kmsan/kmsan_report.c:108
 [<      none      >] __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
 [<     inline     >] balance_pgdat mm/vmscan.c:3739
 [<      none      >] kswapd+0x309f/0x3920 mm/vmscan.c:3956
 [<      none      >] kthread+0x4b5/0x4f0 drivers/block/aoe/aoecmd.c:1303
  ?[<      none      >] kswapd_run+0x390/0x390 mm/vmscan.c:4092
  ?[<      none      >] kthread_blkcg+0xf0/0xf0 kernel/kthread.c:1239
 [<      none      >] ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:353

 Local variable description: ----wait.i@kswapd
 Variable was created at:
 [<     inline     >] kswapd_try_to_sleep mm/vmscan.c:3802
 [<      none      >] kswapd+0x354/0x3920 mm/vmscan.c:3926
 [<     inline     >] kswapd_try_to_sleep mm/vmscan.c:3802
 [<      none      >] kswapd+0x354/0x3920 mm/vmscan.c:3926
 =====================================================
 Disabling lock debugging due to kernel taint
 BUG: Bad page state in process kcompactd0  pfn:147dc7
 page:ffffe16806674e30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
 raw: 02fffc0000000000 dead000000000100 dead000000000122 0000000000000000
 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
 raw: 0000000000000000 0000000000000000
 page dumped because: nonzero _refcount
 Modules linked in:
 CPU: 0 PID: 1833 Comm: kcompactd0 Tainted: G    B             5.4.0-rc8+ #3427
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
 Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:77
 [<      none      >] dump_stack+0x1ce/0x230 lib/dump_stack.c:118
 [<      none      >] bad_page+0x52c/0x630 mm/page_alloc.c:651
 [<     inline     >] free_pages_check_bad mm/page_alloc.c:1059
 [<     inline     >] free_pages_check mm/page_alloc.c:1068
 [<     inline     >] bulkfree_pcp_prepare mm/page_alloc.c:1235
 [<      none      >] free_pcppages_bulk+0xcd4/0x1510 mm/page_alloc.c:1296
 [<      none      >] free_unref_page_commit+0x375/0x730 mm/page_alloc.c:3062
 [<     inline     >] free_unref_page mm/page_alloc.c:3078
 [<     inline     >] free_the_page mm/page_alloc.c:4832
 [<      none      >] __free_pages+0x1d8/0x230 mm/page_alloc.c:4840
 [<      none      >] kmsan_free_page+0x14c/0x1c0 mm/kmsan/kmsan_shadow.c:439
 [<     inline     >] free_pages_prepare mm/page_alloc.c:1138
 [<     inline     >] free_pcp_prepare mm/page_alloc.c:1230
 [<      none      >] free_unref_page_prepare+0x1dc/0x770 mm/page_alloc.c:3025
 [<      none      >] free_unref_page+0xaf/0x190 mm/page_alloc.c:3074
 [<     inline     >] __put_single_page mm/swap.c:81
 [<      none      >] __put_page+0xe6/0x210 mm/swap.c:115
 [<     inline     >] put_page ./include/linux/mm.h:1050
 [<     inline     >] unmap_and_move mm/migrate.c:1227
 [<      none      >] migrate_pages+0x34b7/0x3960 mm/migrate.c:1427
  ?[<      none      >] compact_zone+0x6580/0x6580 mm/compaction.c:2185
  ?[<      none      >] compaction_alloc+0x4030/0x4030 mm/compaction.c:1323
  ?[<      none      >] remove_migration_ptes+0x170/0x170 mm/migrate.c:300
 [<      none      >] compact_zone+0x3309/0x6580 mm/compaction.c:2206
 [<     inline     >] kcompactd_do_work mm/compaction.c:2567
 [<      none      >] kcompactd+0xd0d/0x1de0 mm/compaction.c:2660
 [<      none      >] kthread+0x4b5/0x4f0 drivers/block/aoe/aoecmd.c:1303
  ?[<      none      >] kcompactd_run+0x330/0x330 mm/compaction.c:2682
  ?[<      none      >] kthread_blkcg+0xf0/0xf0 kernel/kthread.c:1239
 [<      none      >] ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:353

A temporary workaround is 3104003

Cannot finish compilation due to undefined references to kmsan functions

When compiling (using clang revision 304977 that the patches apply to), the kernel successfully compiles the object files, and passes the "LD vmlinux.o" stage. But on the "MODPOST vmlinux.o" stage, it runs into many (tens of thousands?) of errors that look like these:

arch/x86/lib/usercopy_64.o: In function `memcpy_flushcache':
/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:137: undefined reference to `__kmsan_get_context_state'
arch/x86/lib/usercopy_64.o: In function `clean_cache_range':
/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:90: undefined reference to `__kmsan_load_shadow_origin_2'
arch/x86/lib/usercopy_64.o: In function `memcpy_flushcache':
/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:142: undefined reference to `__kmsan_warning_32'
arch/x86/lib/usercopy_64.o: In function `clean_cache_range':
/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:95: undefined reference to `__kmsan_warning_32'
arch/x86/lib/usercopy_64.o: In function `clwb':
/home/mdenton/linux-stable/./arch/x86/include/asm/special_insns.h:229: undefined reference to `__kmsan_warning_32'
/home/mdenton/linux-stable/./arch/x86/include/asm/special_insns.h:229: undefined reference to `__kmsan_warning_32'
/home/mdenton/linux-stable/./arch/x86/include/asm/special_insns.h:229: undefined reference to `__kmsan_warning_32'
arch/x86/lib/usercopy_64.o:/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:95: more undefined references to `__kmsan_warning_32' follow
arch/x86/lib/usercopy_64.o: In function `clean_cache_range':
/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:90: undefined reference to `__kmsan_load_shadow_origin_2'
arch/x86/lib/usercopy_64.o: In function `clwb':
/home/mdenton/linux-stable/./arch/x86/include/asm/special_insns.h:229: undefined reference to `__kmsan_warning_32'
/home/mdenton/linux-stable/./arch/x86/include/asm/special_insns.h:229: undefined reference to `__kmsan_warning_32'
/home/mdenton/linux-stable/./arch/x86/include/asm/special_insns.h:229: undefined reference to `__kmsan_warning_32'
arch/x86/lib/usercopy_64.o: In function `clean_cache_range':
/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:95: undefined reference to `__kmsan_warning_32'
arch/x86/lib/usercopy_64.o: In function `memcpy_flushcache':
/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:194: undefined reference to `__kmsan_warning_32'
arch/x86/lib/usercopy_64.o:/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:95: more undefined references to `__kmsan_warning_32' follow
arch/x86/lib/usercopy_64.o: In function `memcpy_page_flushcache':
/home/mdenton/linux-stable/arch/x86/lib/usercopy_64.c:203: undefined reference to `__kmsan_get_context_state'
arch/x86/lib/usercopy_64.o: In function `pagefault_disabled_inc':
/home/mdenton/linux-stable/./include/linux/uaccess.h:201: undefined reference to `__kmsan_load_shadow_origin_4'
/home/mdenton/linux-stable/./include/linux/uaccess.h:201: undefined reference to `__kmsan_store_shadow_origin_4'
arch/x86/lib/usercopy_64.o: In function `pagefault_disabled_dec':
/home/mdenton/linux-stable/./include/linux/uaccess.h:206: undefined reference to `__kmsan_load_shadow_origin_4'
/home/mdenton/linux-stable/./include/linux/uaccess.h:206: undefined reference to `__kmsan_store_shadow_origin_4'
Makefile:1001: recipe for target 'vmlinux' failed

And the compilation fails there. Do you know why this is happening?

trim aux frames from stacks

from one of recent reports:

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:307 [inline]
 kmsan_alloc_page+0x12a/0x310 mm/kmsan/kmsan_shadow.c:336
 __alloc_pages_nodemask+0x5712/0x5e80 mm/page_alloc.c:4775
 alloc_pages_current+0x67d/0x990 mm/mempolicy.c:2211
 alloc_pages include/linux/gfp.h:534 [inline]
 alloc_slab_page+0x111/0x12f0 mm/slub.c:1530
 allocate_slab mm/slub.c:1675 [inline]
 new_slab+0x2bc/0x1130 mm/slub.c:1741
 new_slab_objects mm/slub.c:2492 [inline]
 ___slab_alloc+0x1533/0x1f30 mm/slub.c:2643
 __slab_alloc mm/slub.c:2683 [inline]
 slab_alloc_node mm/slub.c:2757 [inline]
 slab_alloc mm/slub.c:2802 [inline]
 kmem_cache_alloc+0xb23/0xd70 mm/slub.c:2807
 fat_alloc_inode+0x58/0x120 fs/fat/inode.c:748

We have 15 frames here which are not interesting for the user and are internal implementation details.
I think we need to trim these from reports (including the use and stored-to-memory stacks).

Compiler lacks asm-goto support

I compiled the kernel according to the web page (https://github.com/google/kmsan).
The version of clang is:

Android (dev based on r346389c) clang version 8.0.7 (https://android.googlesource.com/toolchain/clang b55f2d4ebfd35bf643d27dbca1bb228957008617) (https://android.googlesource.com/toolchain/llvm 3c393fe7a7e13b0fba4ac75a01aa683d7a5b11cd) (based on LLVM 8.0.7svn)
Target: x86_64-unknown-linux-gnu
Thread model: posix

However, when I compiled the kernel, this error occurred:
Compiler lacks asm-goto support.
arch/x86/Makefile:301: recipe for target 'checkbin' failed.

How to solve this problem?

undefined reference to __memcpy

When compiling the Linux kernel with clang, I get errors like these:

drivers/firmware/efi/libstub/efi-stub-helper.o: In function `efi_relocate_kernel':
efi-stub-helper.c:(.text+0x15a4): undefined reference to `__memcpy'
drivers/firmware/efi/libstub/tpm.o: In function `efi_retrieve_tpm2_eventlog':
tpm.c:(.text+0x25e): undefined reference to `__memcpy'
tpm.c:(.text+0x3fe): undefined reference to `__memcpy'
tpm.c:(.text+0x46c): undefined reference to `__memset'
tpm.c:(.text+0x49a): undefined reference to `__memcpy'

clang version: clang-10, kernel: 5.3.6-rc7

Consider using direct shadow mapping for virtual memory

We've come up with a more-or-less viable scheme for direct mapping of shadow and origin memory to kernel memory.
Right now KMSAN stores pointers to shadow and origin pages in struct page for each page of physical memory. For virtual memory, we try to find the corresponding physical pages (this is possible for VM_ALLOC and VM_MAP mappings, but not for VM_IOREMAP ones) and operate on them. This approach has the following drawbacks:

  • the necessity to make non-uniform checks for different types of pointers (vmalloc_to_page() for vmalloc() and modules, virt_to_page for pages);
  • potential problems with accesses to virtual addresses crossing page boundaries (the underlying shadow pages may not be adjacent);
  • problems allocating metadata pages for kernel text and data (page_alloc can only allocate 2^n pages, which is inconvenient);
  • missing support for ioremap mappings.

The idea is to carve some space from the vmalloc/ioremap area, which currently occupies 32 TB (it could also be possible to use the KASAN shadow area, which is another 16 TB), and use that to allocate shadow and origin pages for virtual memory ranges in virtual memory itself.

We could also use virtual memory for physical pages, but they take 64 TB, so we'll probably have to reduce that area as well.
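An added user-space model (not KMSAN's code) of the two schemes described above: scheme A keeps one separately placed shadow page per virtual page behind a lookup table, as struct page does today, so an access crossing a page boundary must be split and looked up twice; scheme B carves one contiguous shadow window and maps by pointer arithmetic, so the same access is a single operation. The page size, window base addresses and page count are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed parameters: a 4-page "vmalloc" window whose shadow is kept
 * two different ways. Addresses are arbitrary kernel-looking values. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define VM_PAGES   4UL
#define VM_START   0xffffc90000000000UL          /* constructed base of the modelled range */
#define VM_END     (VM_START + VM_PAGES * PAGE_SIZE)
#define PAGE_OFF(a) ((a) & (PAGE_SIZE - 1))

static bool in_range(uint64_t addr, size_t size)
{
    return addr >= VM_START && addr < VM_END && size <= VM_END - addr;
}

/* Scheme A: each virtual page owns its own shadow page. The backing array
 * deliberately leaves a gap between pages, so shadow(page i+1) is NOT
 * shadow(page i) + PAGE_SIZE, exactly as with separately allocated pages. */
static uint8_t table_backing[VM_PAGES][PAGE_SIZE + 64];

static uint8_t *table_shadow_page(uint64_t addr)
{
    return table_backing[(addr - VM_START) >> PAGE_SHIFT];
}

/* Poison [addr, addr+size) under scheme A. The range has to be split at page
 * boundaries and each piece looked up on its own. Returns the number of
 * pieces, or 0 if the range is outside the window. */
size_t table_poison(uint64_t addr, size_t size)
{
    size_t pieces = 0;
    if (!in_range(addr, size)) return 0;
    while (size) {
        size_t left = PAGE_SIZE - PAGE_OFF(addr);
        size_t n = size < left ? size : left;
        memset(table_shadow_page(addr) + PAGE_OFF(addr), 0xff, n);
        addr += n; size -= n; pieces++;
    }
    return pieces;
}

/* Scheme B: one contiguous shadow window; shadow(addr) is the window base
 * plus (addr - VM_START), so adjacent virtual pages have adjacent shadow. */
static uint8_t direct_window[VM_PAGES * PAGE_SIZE];

uint8_t *direct_shadow(uint64_t addr)
{
    return (addr >= VM_START && addr < VM_END) ? direct_window + (addr - VM_START) : NULL;
}

size_t direct_poison(uint64_t addr, size_t size)
{
    if (!in_range(addr, size)) return 0;
    memset(direct_shadow(addr), 0xff, size);   /* one memset; page crossings are irrelevant */
    return 1;
}

/* Count poisoned shadow bytes in [addr, addr+size), reading every byte through
 * the scheme's own lookup, so both schemes can be checked for the same access. */
size_t table_poisoned_bytes(uint64_t addr, size_t size)
{
    size_t count = 0;
    if (!in_range(addr, size)) return 0;
    for (size_t i = 0; i < size; i++)
        count += table_shadow_page(addr + i)[PAGE_OFF(addr + i)] == 0xff;
    return count;
}

size_t direct_poisoned_bytes(uint64_t addr, size_t size)
{
    size_t count = 0;
    if (!in_range(addr, size)) return 0;
    for (size_t i = 0; i < size; i++)
        count += direct_shadow(addr + i)[0] == 0xff;
    return count;
}

/* Are the shadow bytes of two adjacent virtual pages adjacent themselves?
 * False for scheme A (a single pointer cannot cover a crossing access),
 * true for scheme B. */
bool table_shadow_adjacent(void)
{
    return table_shadow_page(VM_START + PAGE_SIZE) == table_shadow_page(VM_START) + PAGE_SIZE;
}

bool direct_shadow_adjacent(void)
{
    return direct_shadow(VM_START + PAGE_SIZE) == direct_shadow(VM_START) + PAGE_SIZE;
}

int main(void)
{
    uint64_t addr = VM_START + PAGE_SIZE - 8;   /* 16-byte access straddling a page boundary */
    printf("table:  %zu lookups, %zu bytes poisoned, adjacent=%d\n",
           table_poison(addr, 16), table_poisoned_bytes(addr, 16), table_shadow_adjacent());
    printf("direct: %zu lookup,  %zu bytes poisoned, adjacent=%d\n",
           direct_poison(addr, 16), direct_poisoned_bytes(addr, 16), direct_shadow_adjacent());
    return 0;
}
```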

Trim KMSAN-specific frames from reports

As mentioned by @dvyukov:

I like how KCSAN trims all stacks of internal runtime frames. It would
be nice to do the same for KMSAN, currently we have 3-4 uninteresting
frames in the beginning of each stack. Besides taking space, it also
requires to manually visually search for the actual interesting frame
somewhere in the middle of the stack. E.g. all these frames are
pointing into kmsan runtime guts:

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:113
 kmsan_report+0x12d/0x290 mm/kmsan/kmsan.c:682
 __msan_warning+0x76/0xc0 mm/kmsan/kmsan_instr.c:316

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:247 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:262 [inline]
 kmsan_internal_chain_origin+0x162/0x260 mm/kmsan/kmsan.c:470
 __msan_chain_origin+0x6d/0xb0 mm/kmsan/kmsan_instr.c:197

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:247 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:262 [inline]
 kmsan_internal_chain_origin+0x162/0x260 mm/kmsan/kmsan.c:470
 __msan_chain_origin+0x6d/0xb0 mm/kmsan/kmsan_instr.c:197

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:247 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:262 [inline]
 kmsan_internal_chain_origin+0x162/0x260 mm/kmsan/kmsan.c:470
 kmsan_memcpy_memmove_metadata+0x1a9/0xf30 mm/kmsan/kmsan.c:345
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:363
 __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:148

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:247 [inline]
 kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:170
 kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:179
 kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:188
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2759 [inline]
 __kmalloc_node_track_caller+0xf06/0x1120 mm/slub.c:4383
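An added example, not KMSAN's own code: a user-space C filter for the report layout quoted above (and in the "trim aux frames from stacks" issue earlier on this page) that drops the leading KMSAN-runtime frames and, in allocation-origin stacks, the allocator plumbing beneath them, so the first frame left is the real caller. The two prefix lists and the single constructed caller frame are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed lists. Runtime internals and the generic stack dumper are never
 * what the reader wants; allocator plumbing is only dropped while it is
 * still on top of an "Uninit was created at" stack. */
static const char *const runtime_prefixes[] = { "mm/kmsan/", "lib/dump_stack.c", NULL };
static const char *const allocator_prefixes[] = {
    "mm/page_alloc.c", "mm/slub.c", "mm/slab.h", "mm/mempolicy.c", "include/linux/gfp.h", NULL
};

/* Point at the "path:line" token of one report frame, or NULL. Accepts
 * " sym+0x1/0x2 path:line [inline]", the older " [<  inline  >] sym path:line"
 * layout, an optional leading "? " and a leading "./" on the path. */
static const char *frame_location(const char *frame)
{
    const char *p = frame;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '?') { p++; while (isspace((unsigned char)*p)) p++; }
    if (p[0] == '[' && p[1] == '<') {                /* old-style marker */
        const char *close = strchr(p, ']');
        if (!close) return NULL;
        p = close + 1;
        while (isspace((unsigned char)*p)) p++;
    }
    while (*p && !isspace((unsigned char)*p)) p++;   /* skip symbol[+off/size] */
    while (isspace((unsigned char)*p)) p++;
    if (p[0] == '.' && p[1] == '/') p += 2;
    return *p ? p : NULL;
}

static bool has_prefix_in(const char *loc, const char *const *prefixes)
{
    for (; *prefixes; prefixes++)
        if (strncmp(loc, *prefixes, strlen(*prefixes)) == 0) return true;
    return false;
}

/* Number of leading frames to drop: every frame up to the first one outside
 * both prefix sets. If nothing would remain, keep the stack intact (0). */
size_t trim_leading_frames(const char *const *frames, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        const char *loc = frame_location(frames[i]);
        if (!loc || (!has_prefix_in(loc, runtime_prefixes) &&
                     !has_prefix_in(loc, allocator_prefixes))) break;
    }
    return i == n ? 0 : i;
}

/* "Uninit was created at" stack quoted in the "trim aux frames" issue. */
const char *const sample_alloc_stack[] = {
    " kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144",
    " kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:307 [inline]",
    " kmsan_alloc_page+0x12a/0x310 mm/kmsan/kmsan_shadow.c:336",
    " __alloc_pages_nodemask+0x5712/0x5e80 mm/page_alloc.c:4775",
    " alloc_pages_current+0x67d/0x990 mm/mempolicy.c:2211",
    " alloc_pages include/linux/gfp.h:534 [inline]",
    " alloc_slab_page+0x111/0x12f0 mm/slub.c:1530",
    " allocate_slab mm/slub.c:1675 [inline]",
    " new_slab+0x2bc/0x1130 mm/slub.c:1741",
    " new_slab_objects mm/slub.c:2492 [inline]",
    " ___slab_alloc+0x1533/0x1f30 mm/slub.c:2643",
    " __slab_alloc mm/slub.c:2683 [inline]",
    " slab_alloc_node mm/slub.c:2757 [inline]",
    " slab_alloc mm/slub.c:2802 [inline]",
    " kmem_cache_alloc+0xb23/0xd70 mm/slub.c:2807",
    " fat_alloc_inode+0x58/0x120 fs/fat/inode.c:748",
};
const size_t sample_alloc_n = sizeof(sample_alloc_stack) / sizeof(sample_alloc_stack[0]);

/* Head of the "Call Trace" quoted above, plus one constructed caller frame
 * (not from the page) so something is left once the runtime frames go. */
const char *const sample_report_stack[] = {
    " __dump_stack lib/dump_stack.c:77 [inline]",
    " dump_stack+0x1c9/0x220 lib/dump_stack.c:113",
    " kmsan_report+0x12d/0x290 mm/kmsan/kmsan.c:682",
    " __msan_warning+0x76/0xc0 mm/kmsan/kmsan_instr.c:316",
    " example_caller+0x10/0x20 fs/example.c:1",      /* constructed */
};
const size_t sample_report_n = sizeof(sample_report_stack) / sizeof(sample_report_stack[0]);

int main(void)
{
    size_t skip = trim_leading_frames(sample_alloc_stack, sample_alloc_n);
    printf("allocation stack: dropping %zu frames, first kept:%s\n", skip, sample_alloc_stack[skip]);
    skip = trim_leading_frames(sample_report_stack, sample_report_n);
    printf("report stack: dropping %zu frames, first kept:%s\n", skip, sample_report_stack[skip]);
    return 0;
}
```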

Initialize TLS parameters for __msan_memset() and friends in the compiler

It may make sense to emit stores to param_tls and param_origin_tls directly in the compiler for calls to __msan_memset() for KMSAN, so that it's possible to e.g. propagate the state of an uninitialized constant byte or report errors on uninitialized pointer/size arguments.

This cannot be done for MSan, because __msan_memset may be called from the userspace RTL.

__msan_warning_32 name is confusing

Just spent some time looking at a report assuming that 32 in __msan_warning_32 means uninit value size, similar to __asan_load1/2/4/8. But it did not make sense because the line number pointed to a comparison of a 64-bit value.
I think we need to rename __msan_warning_32 to __msan_warning_orig to remove any potential reference to variable sizes.

print involved address where possible

There is a request to print involved addresses in reports. We can't do this for instrumentation checks (?), but could do it for memcmp, copy_to_user and other manual checks in the kernel, which could be useful for debugging.

BUG: NULL pointer dereference in wp_page_copy (kmsan specific)

Hi

When using Healer to fuzz the Linux kernel (kmsan repo), I found a null-ptr-deref bug in wp_page_copy, which only exists in the kmsan repo and does not show up upstream.
This part of the code has been around for many years, so I'm guessing it was introduced by the modifications from kmsan.

commit: 4ebaab5
git tree: kmsan
full log: log
config: kmsan-config

=======================================
BUG: kernel NULL pointer dereference, address: 0000000000000040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 18f8e067 P4D 18f8e067 PUD 31878067 PMD 0
Oops: 0000 [#1] SMP
CPU: 0 PID: 17514 Comm: executor Not tainted 5.12.0-rc6+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmsan_copy_page_meta+0x36/0x180 mm/kmsan/kmsan_shadow.c:231
Code: 80 3d 55 a9 ab 0a 00 74 14 49 89 f6 48 89 fb e8 20 d3 ff ff 83 b8 b0 0f 00 00 00 74 0d 48 83 c4 08 5b 41 5c 41 5e 41 5f 5d c3 <49> 83 7e 40 00 0f 84 f2 00 00 00 48 83 7b 40 00 74 e1 9c 8f 45 d8
RSP: 0000:ffffa15f833df960 EFLAGS: 00010246
RAX: ffff88f005463118 RBX: ffffc3f5411d2210 RCX: 0000000000000000
RDX: ffff88f005064140 RSI: 0000000000000000 RDI: ffffc3f5411d2210
RBP: ffffa15f833df988 R08: ffffc3f54000000f R09: ffff88f07ffd3000
R10: 00000000f8c73958 R11: ffffffffb0400782 R12: ffff88f005463128
R13: ffff88f005463118 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f7942afe700(0000) GS:ffff88f07fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 0000000012ced006 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 wp_page_copy+0x74b/0x3330 mm/memory.c:2871
 do_wp_page+0x905/0x2530 mm/memory.c:3124
 handle_pte_fault mm/memory.c:4338 [inline]
 __handle_mm_fault mm/memory.c:4455 [inline]
 handle_mm_fault+0x5129/0x9e60 mm/memory.c:4553
 do_user_addr_fault+0x12b8/0x1f40 arch/x86/mm/fault.c:1403
 handle_page_fault arch/x86/mm/fault.c:1488 [inline]
 __exc_page_fault+0xd1/0x310 arch/x86/mm/fault.c:1544
 exc_page_fault+0x45/0x50 arch/x86/mm/fault.c:1500
 asm_exc_page_fault+0x1e/0x30 ./arch/x86/include/asm/idtentry.h:595
RIP: 0033:0x403150
Code: 10 f3 41 0f 6f 50 20 0f 11 50 20 f3 41 0f 6f 58 30 0f 11 58 30 8b 41 40 89 c6 23 b1 00 01 00 00 83 c0 01 48 8d 34 b1 89 14 3e <89> 41 40 31 c0 c3 66 2e 0f 1f 84 00 00 00 00 00 48 89 7c 24 f0 48
RSP: 002b:00007f7942afdc48 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000078c080 RCX: 00007f7942add000
RDX: 00000000000015e9 RSI: 00007f7942add000 RDI: 0000000000100140
RBP: 00000000004e0fbf R08: 0000000020000100 R09: 0000000000004000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078c080
R13: 0000000000000000 R14: 000000000078c080 R15: 00007ffd2cfaa590
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: 0000000000000040
---[ end trace 4c6fca03464cca91 ]---
RIP: 0010:kmsan_copy_page_meta+0x36/0x180 mm/kmsan/kmsan_shadow.c:231
Code: 80 3d 55 a9 ab 0a 00 74 14 49 89 f6 48 89 fb e8 20 d3 ff ff 83 b8 b0 0f 00 00 00 74 0d 48 83 c4 08 5b 41 5c 41 5e 41 5f 5d c3 <49> 83 7e 40 00 0f 84 f2 00 00 00 48 83 7b 40 00 74 e1 9c 8f 45 d8
RSP: 0000:ffffa15f833df960 EFLAGS: 00010246
RAX: ffff88f005463118 RBX: ffffc3f5411d2210 RCX: 0000000000000000
RDX: ffff88f005064140 RSI: 0000000000000000 RDI: ffffc3f5411d2210
RBP: ffffa15f833df988 R08: ffffc3f54000000f R09: ffff88f07ffd3000
R10: 00000000f8c73958 R11: ffffffffb0400782 R12: ffff88f005463128
R13: ffff88f005463118 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f7942afe700(0000) GS:ffff88f07fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 0000000012ced006 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554

The following reproduction program (Syzlang format) can trigger the bug:

# {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:true USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false}

r0 = syz_io_uring_setup(0x308a, &(0x7f0000000000)={0x0, 0xadaa, 0x8, 0x2, 0x221}, &(0x7f0000003000/0x4000)=nil, &(0x7f0000003000/0x5000)=nil, &(0x7f0000000080)=<r1=>0x0, &(0x7f00000000c0)=<r2=>0x0)
r3 = mmap$IORING_OFF_CQ_RING(&(0x7f00001bf000/0x1000)=nil, 0x1000, 0x204000002310040f, 0xdfa33665c8e08e92, r0, 0x8000000)
syz_io_uring_submit(r3, r2, &(0x7f0000000100)=@IORING_OP_POLL_ADD={0x6, 0x1, 0x0, @fd_index=0x1, 0x0, 0x0, 0x0, {0x140800002000808}, 0x0, {0x0, r1}}, 0x72adbe88a21255e9)

syz-execprog can run this reproduction program directly:

./syz-execprog -repeat 0 -procs 1 -slowdown 1 -enable tun -enable netdev -enable resetnet -enable cgroups -enable binfmt-misc -enable close_fds -enable devlinkpci -enable usb -enable vhci -enable wifi -enable ieee802154 -enable sysctl repro.prog

Can't disable KMSAN

I disabled CONFIG_KMSAN, but I still get KMSAN reports when running the kernel with syzkaller. Why?

Internal bugs trying to vmap a buffer for a video driver

This syzkaller program:

r1 = openat$vim2m(0xffffffffffffff9c, &(0x7f0000000280)='/dev/video35\x00', 0x2, 0x0)
syz_emit_ethernet(0x1, &(0x7f0000000340)=ANY=[@ANYBLOB="fffbffff35c8d19a02bc27"], 0x0)
ioctl$VIDIOC_CREATE_BUFS(r1, 0xc100565c, &(0x7f0000000100)={0x0, 0xffffffff, 0x2, {0x2, @sliced={0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20]}}})
ioctl$VIDIOC_CREATE_BUFS(r1, 0xc058560f, &(0x7f0000000300)={0x0, 0x2, 0x4, {0x0, @pix={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x70e000}}})

triggers the following bug in the KMSAN runtime:

------------
 WARNING: CPU: 0 PID: 8297 at mm/vmalloc.c:163[<     inline     >] vmap_pte_range mm/vmalloc.c:163
 WARNING: CPU: 0 PID: 8297 at mm/vmalloc.c:163[<     inline     >] vmap_pmd_range mm/vmalloc.c:182
 WARNING: CPU: 0 PID: 8297 at mm/vmalloc.c:163[<     inline     >] vmap_pud_range mm/vmalloc.c:199
 WARNING: CPU: 0 PID: 8297 at mm/vmalloc.c:163[<     inline     >] vmap_p4d_range mm/vmalloc.c:216
 WARNING: CPU: 0 PID: 8297 at mm/vmalloc.c:163[<      none      >] __vmap_page_range_noflush+0xe5d/0xf00 mm/vmalloc.c:244
...
 Call Trace:
 [<      none      >] kmsan_vmap_page_range_noflush+0x2b6/0x330 mm/kmsan/kmsan_shadow.c:528
 [<     inline     >] vmap_page_range_noflush mm/vmalloc.c:256
 [<     inline     >] vmap_page_range mm/vmalloc.c:265
 [<      none      >] vm_map_ram+0xe8e/0x1270 mm/vmalloc.c:1809
 [<      none      >] vb2_vmalloc_get_userptr+0x54b/0x940 drivers/media/common/videobuf2/videobuf2-vmalloc.c:110
 [<     inline     >] __prepare_userptr drivers/media/common/videobuf2/videobuf2-core.c:1062
 [<      none      >] __buf_prepare+0x1537/0x49b0 drivers/media/common/videobuf2/videobuf2-core.c:1302
 [<      none      >] vb2_core_qbuf+0x29d/0x21b0 drivers/media/common/videobuf2/videobuf2-core.c:1597
 [<      none      >] vb2_qbuf+0x2b7/0x380 drivers/media/common/videobuf2/videobuf2-v4l2.c:761
 [<      none      >] v4l2_m2m_qbuf+0x2fc/0x530 drivers/media/v4l2-core/v4l2-mem2mem.c:502
 [<      none      >] v4l2_m2m_ioctl_qbuf+0xb7/0xe0 drivers/media/v4l2-core/v4l2-mem2mem.c:1072
 [<      none      >] v4l_qbuf+0x175/0x1c0 drivers/media/v4l2-core/v4l2-ioctl.c:1956
 [<      none      >] __video_do_ioctl+0x141e/0x1a80 drivers/media/v4l2-core/v4l2-ioctl.c:2878
...
------------
 kernel BUG at mm/kmsan/kmsan_shadow.c:530!
...
 Call Trace:
 [<     inline     >] vmap_page_range_noflush mm/vmalloc.c:256
 [<     inline     >] vmap_page_range mm/vmalloc.c:265
 [<      none      >] vm_map_ram+0xe8e/0x1270 mm/vmalloc.c:1809
 [<      none      >] vb2_vmalloc_get_userptr+0x54b/0x940 drivers/media/common/videobuf2/videobuf2-vmalloc.c:110
 [<     inline     >] __prepare_userptr drivers/media/common/videobuf2/videobuf2-core.c:1062
 [<      none      >] __buf_prepare+0x1537/0x49b0 drivers/media/common/videobuf2/videobuf2-core.c:1302

recipe for target 'vmlinux' failed?

I'm attempting to build the latest kmsan kernel, but the build halted with this message:

AR drivers/built-in.a
GEN .version
CHK include/generated/compile.h
UPD include/generated/compile.h
CC init/version.o
AR init/built-in.a
LD vmlinux.o
MODPOST vmlinux.o
MODINFO modules.builtin.modinfo
LD .tmp_vmlinux1
kernel/panic.o: In function `__msan_memset':
kmsan/./include/linux/string.h:362: undefined reference to `__write_overflow'
Makefile:1078: recipe for target 'vmlinux' failed
make: *** [vmlinux] Error 1

clang --version

clang version 10.0.0 (https://github.com/llvm/llvm-project.git d052a578de58cbbb638cbe2dba05242d1ff443b9)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin

kmsan# git log
commit 1ab36d3
Author: Alexander Potapenko [email protected]
Date: Thu Dec 19 11:29:58 2019 +0100

kmsan: add doc comments to kmsan-checks.h

Any help?

Some crypto configs that use asm are not disabled

We make some crypto configs dependent on !KMSAN. But it does not seem to work in all cases.
When running make, I am getting these warnings:

WARNING: unmet direct dependencies detected for CRYPTO_POLY1305_X86_64
  Depends on [n]: CRYPTO [=y] && X86 [=y] && 64BIT [=y] && !KMSAN [=y]
  Selected by [y]:
  - WIREGUARD [=y] && NETDEVICES [=y] && NET_CORE [=y] && NET [=y] && INET [=y] && (IPV6 [=y] || !IPV6 [=y]) && X86 [=y] && 64BIT [=y]

WARNING: unmet direct dependencies detected for CRYPTO_BLAKE2S_X86
  Depends on [n]: CRYPTO [=y] && X86 [=y] && 64BIT [=y] && !KMSAN [=y]
  Selected by [y]:
  - WIREGUARD [=y] && NETDEVICES [=y] && NET_CORE [=y] && NET [=y] && INET [=y] && (IPV6 [=y] || !IPV6 [=y]) && X86 [=y] && 64BIT [=y]

And then these configs are still enabled in the resulting config:

💻 grep CRYPTO_BLAKE2S_X86 .config
CONFIG_CRYPTO_BLAKE2S_X86=y
💻 grep CRYPTO_POLY1305_X86_64 .config
CONFIG_CRYPTO_POLY1305_X86_64=y

This can lead to false positives. We need some other solution.
