authorMartin KaFai Lau <martin.lau@kernel.org>2024-03-27 11:28:27 -0700
committerMartin KaFai Lau <martin.lau@kernel.org>2024-03-27 11:28:27 -0700
commitd8889e866be3ae58313beae3567f00f0b1dc3363 (patch)
tree329ddbec9f64c27b220e7aa086ef11e4a83dd4a7
parent45a683b2d815c4d775b77e8c8f0ac9e9b65f3f12 (diff)
bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter modeinterpreter.kmsan
syzbot reported uses of uninitialized memory during map_{lookup,delete}_elem. They are caused by the "void *key" passed to the helper. bpf allows uninitialized stack memory access for a bpf prog with the right privileges. This patch uses kmsan_unpoison_memory() to mark the stack as initialized. Reported-by: syzbot+603bcd9b0bf1d94dbb9b@syzkaller.appspotmail.com Reported-by: syzbot+eb02dc7f03dce0ef39f3@syzkaller.appspotmail.com Reported-by: syzbot+1a3cf6f08d68868f9db3@syzkaller.appspotmail.com Reported-by: syzbot+b4e65ca24fd4d0c734c3@syzkaller.appspotmail.com Reported-by: syzbot+d2b113dc9fea5e1d2848@syzkaller.appspotmail.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
-rw-r--r--kernel/bpf/core.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 5aacb1d3c4cc7..ab400cdd7d7ae 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2218,6 +2218,7 @@ static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn
u64 stack[stack_size / sizeof(u64)]; \
u64 regs[MAX_BPF_EXT_REG] = {}; \
\
+ kmsan_unpoison_memory(stack, sizeof(stack)); \
FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
ARG1 = (u64) (unsigned long) ctx; \
return ___bpf_prog_run(regs, insn); \
@@ -2231,6 +2232,7 @@ static u64 PROG_NAME_ARGS(stack_size)(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5, \
u64 stack[stack_size / sizeof(u64)]; \
u64 regs[MAX_BPF_EXT_REG]; \
\
+ kmsan_unpoison_memory(stack, sizeof(stack)); \
FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
BPF_R1 = r1; \
BPF_R2 = r2; \
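Review bot: The `kmsan_unpoison_memory(stack, sizeof(stack));` line added in both hunks (PROG_NAME and PROG_NAME_ARGS) deliberately tells KMSAN that a region the code never initializes is fine to read, and nothing at the call site says why, so a later reader is likely to take it for a bug or "fix" it by zeroing the stack; the rationale currently lives only in the commit message. I would put a why-comment on the line in both macros, e.g. `/* The verifier lets privileged progs read uninitialized stack slots; mark the stack initialized so KMSAN does not report those reads as bugs. */`, and it is worth stating in that comment that this only silences the checker and does not clear the memory. A smaller point: the second hunk declares `u64 regs[MAX_BPF_EXT_REG];` without the `= {}` the first hunk has and the new call does not cover `regs`, which is presumably fine because the verifier rejects reads of unwritten registers, but confirming that or aligning the two declarations would avoid the asymmetry. `kmsan_unpoison_memory()` is declared in `<linux/kmsan-checks.h>`; the diff adds no include, so it relies on that header already being reachable through core.c's existing includes. Both enclosing functions continue past the end of their hunks.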