[Bug 281402] zfs: kmsan reports Uninitialized UMA memory from zio_data_buf_alloc

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 10 Sep 2024 23:52:09 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281402

Rob Norris <robn@despairlabs.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |robn@despairlabs.com

--- Comment #3 from Rob Norris <robn@despairlabs.com> ---
I know it's just one example, but I'm a little confused by the trace, and if you
can help me understand it, that might shed some light on what's happening.

It came through zio_flush(), which is a data-less op (io_abd == NULL). That
ultimately lands in zfs_vop_fsync(), and from there to VOP_FSYNC(), which
doesn't take any data.

Hmm, though now I think about it, if VOP_FSYNC() is just forcing out
previously-submitted writes, then could it be that the write op returned, the
underlying system (VFS? UFS?) has just held the iovec and not actually
processed it yet, ZFS frees the ABD and now that thing is holding a stale ref?

vdev_file_io_strategy() for write() is:

    buf = abd_borrow_buf_copy(zio->io_abd, zio->io_size);
    err = zfs_file_pwrite(vf->vf_file, buf, size, off, &resid);
    abd_return_buf(zio->io_abd, buf, size);

That calls zfs_file_write_impl(buf), which submits a single iovec, with
iov_base = buf:

    aiov.iov_base = (void *)(uintptr_t)buf;
    aiov.iov_len = count;
    auio.uio_iov = &aiov;
    auio.uio_iovcnt = 1;
    ...
    rc = fo_write(fp, &auio, td->td_ucred, FOF_OFFSET, td);

So is ZFS holding fo_write() wrong? Should it be copying the buffer and/or
setting some kind of completion callback to do the free in?

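The failure mode the comment speculates about, modelled in userspace as an added example (constructed here; it is not ZFS, FreeBSD or the commenter's code). A fixed pool slot stands in for the borrowed ABD buffer, `sink_write()` plays the role of fo_write(), and the `_m`-suffixed names are hypothetical; the model contrasts a consumer that copies at submit time with one that only holds the iovec until a later completion.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed userspace model, not ZFS or FreeBSD code. A fixed pool slot
 * stands in for the ABD-backed buffer; "returning" it poisons the slot the
 * way a freed allocation gets reused, instead of calling free(), so the
 * stale read below is defined behaviour and can be asserted on. */
#define SLOT_SIZE 64
static unsigned char pool_slot[SLOT_SIZE];

struct iov_m { void *iov_base; size_t iov_len; };

/* The consumer fo_write() hands the iovec to. If it only holds the iovec
 * and processes it later, it reads whatever the slot contains by then. */
struct sink_m {
    int copy_on_submit;            /* 1: copy at submit, 0: hold the iovec */
    struct iov_m held;
    unsigned char copy[SLOT_SIZE];
    size_t len;
};

/* Model of fo_write(): returns to the caller before the data is consumed. */
static void sink_write(struct sink_m *s, const struct iov_m *iov) {
    s->len = iov->iov_len;
    if (s->copy_on_submit)
        memcpy(s->copy, iov->iov_base, iov->iov_len);
    else
        s->held = *iov;            /* keeps a pointer into the caller's buffer */
}

/* Deferred completion (fsync-like): the consumer finally reads the data. */
static const unsigned char *sink_complete(const struct sink_m *s) {
    return s->copy_on_submit ? s->copy : (const unsigned char *)s->held.iov_base;
}

/* Mirrors the write path quoted above: borrow a copy, submit, return. */
static void vdev_write_model(struct sink_m *s, const void *abd, size_t size) {
    unsigned char *buf = pool_slot;                  /* abd_borrow_buf_copy() */
    memcpy(buf, abd, size);
    struct iov_m aiov = { buf, size };
    sink_write(s, &aiov);                            /* fo_write(); returns at once */
    memset(buf, 0xdd, SLOT_SIZE);                    /* abd_return_buf(): slot reused */
}

/* 1 if completion sees the data that was written, 0 if it sees the stale slot. */
static int write_then_sync_ok(int copy_on_submit) {
    struct sink_m s = { copy_on_submit, { 0, 0 }, { 0 }, 0 };
    const char payload[] = "zio payload";
    vdev_write_model(&s, payload, sizeof payload);
    return memcmp(sink_complete(&s), payload, sizeof payload) == 0;
}
```

With the holding consumer the completion reads the poisoned slot, which is the shape of report a memory sanitizer would flag; the copy-on-submit consumer (or equivalently deferring the return until a completion callback) sees the intended data.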