syzbot


KMSAN: uninit-value in ieee80211_skb_resize

Status: fixed on 2020/11/16 12:12
Subsystems: wireless
[Documentation on labels]
Reported-by: syzbot+32fd1a1bfe355e93f1e2@syzkaller.appspotmail.com
Fix commit: 14f46c1e5108 mac80211: fix use of skb payload instead of header
First crash: 1539d, last: 1514d
Discussions (14)
Title Replies (including bot) Last reply
[PATCH 5.9 000/255] 5.9.9-rc1 review 264 (264) 2020/11/19 12:14
[PATCH 4.19 000/101] 4.19.158-rc1 review 109 (109) 2020/11/18 22:17
[PATCH 5.4 000/151] 5.4.78-rc1 review 155 (155) 2020/11/18 15:24
[PATCH 4.14 00/85] 4.14.207-rc1 review 88 (88) 2020/11/18 15:22
[PATCH 4.9 00/78] 4.9.244-rc1 review 82 (82) 2020/11/18 15:22
[PATCH 4.4 00/64] 4.4.244-rc1 review 68 (68) 2020/11/18 15:22
[PATCH AUTOSEL 4.19 01/21] usb: gadget: goku_udc: fix potential crashes in probe 23 (23) 2020/11/14 22:58
[PATCH AUTOSEL 5.9 01/55] ASoC: mediatek: mt8183-da7219: fix DAPM paths for rt1015 61 (61) 2020/11/13 22:40
[PATCH AUTOSEL 4.4 01/10] usb: gadget: goku_udc: fix potential crashes in probe 10 (10) 2020/11/10 03:56
[PATCH AUTOSEL 4.9 01/12] usb: gadget: goku_udc: fix potential crashes in probe 12 (12) 2020/11/10 03:56
[PATCH AUTOSEL 4.14 01/14] usb: gadget: goku_udc: fix potential crashes in probe 14 (14) 2020/11/10 03:56
[PATCH AUTOSEL 5.4 01/42] ASoC: qcom: sdm845: set driver name correctly 42 (42) 2020/11/10 03:54
[PATCH] mac80211: fix use of skb payload instead of header 1 (2) 2020/10/09 12:37
KMSAN: uninit-value in ieee80211_skb_resize 0 (1) 2020/09/24 09:26
Last patch testing requests (1)
Created Duration User Patch Repo Result
2020/10/09 11:25 21m johannes@sipsolutions.net patch https://github.com/google/kmsan.git master OK

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in ieee80211_skb_resize+0x8c0/0x980 net/mac80211/tx.c:1955
CPU: 0 PID: 8552 Comm: syz-executor941 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219
 ieee80211_skb_resize+0x8c0/0x980 net/mac80211/tx.c:1955
 ieee80211_build_hdr+0x2939/0x41f0 net/mac80211/tx.c:2825
 __ieee80211_subif_start_xmit+0x172a/0x7300 net/mac80211/tx.c:3999
 ieee80211_subif_start_xmit+0x14b/0x19a0 net/mac80211/tx.c:4144
 __netdev_start_xmit include/linux/netdevice.h:4634 [inline]
 netdev_start_xmit include/linux/netdevice.h:4648 [inline]
 xmit_one+0x3cf/0x750 net/core/dev.c:3561
 dev_hard_start_xmit+0x196/0x420 net/core/dev.c:3577
 sch_direct_xmit+0x5d3/0x1a50 net/sched/sch_generic.c:314
 qdisc_restart net/sched/sch_generic.c:377 [inline]
 __qdisc_run+0x35b/0x490 net/sched/sch_generic.c:385
 qdisc_run include/net/pkt_sched.h:134 [inline]
 __dev_xmit_skb net/core/dev.c:3752 [inline]
 __dev_queue_xmit+0x2cfa/0x4470 net/core/dev.c:4105
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4169
 packet_snd net/packet/af_packet.c:2989 [inline]
 packet_sendmsg+0x8542/0x9a80 net/packet/af_packet.c:3014
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 __sys_sendto+0x9dc/0xc80 net/socket.c:1992
 __do_sys_sendto net/socket.c:2004 [inline]
 __se_sys_sendto+0x107/0x130 net/socket.c:2000
 __x64_sys_sendto+0x6e/0x90 net/socket.c:2000
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441ea9
Code: e8 bc 00 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe8f9eef78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441ea9
RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000004800 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000000000 R14: 000000000000000c R15: 0000000000000004

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126
 kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80
 slab_alloc_node mm/slub.c:2907 [inline]
 __kmalloc_node_track_caller+0x9aa/0x12f0 mm/slub.c:4511
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x35f/0xb30 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1094 [inline]
 alloc_skb_with_frags+0x1f2/0xc10 net/core/skbuff.c:5771
 sock_alloc_send_pskb+0xc83/0xe50 net/core/sock.c:2348
 packet_alloc_skb net/packet/af_packet.c:2837 [inline]
 packet_snd net/packet/af_packet.c:2932 [inline]
 packet_sendmsg+0x6abb/0x9a80 net/packet/af_packet.c:3014
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 __sys_sendto+0x9dc/0xc80 net/socket.c:1992
 __do_sys_sendto net/socket.c:2004 [inline]
 __se_sys_sendto+0x107/0x130 net/socket.c:2000
 __x64_sys_sendto+0x6e/0x90 net/socket.c:2000
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
=====================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/09/27 22:45 https://github.com/google/kmsan.git master c5a13b33ec11 5dd8aee8 .config console log report syz C ci-upstream-kmsan-gce
2020/09/23 07:16 https://github.com/google/kmsan.git master c5a13b33ec11 3e8f6c27 .config console log report syz C ci-upstream-kmsan-gce
2020/10/11 20:52 https://github.com/google/kmsan.git master e67f4ba870c2 4a77ae0b .config console log report info ci-upstream-kmsan-gce
2020/09/23 06:08 https://github.com/google/kmsan.git master c5a13b33ec11 3e8f6c27 .config console log report info ci-upstream-kmsan-gce
2020/10/18 20:37 https://github.com/google/kmsan.git master e67f4ba870c2 fea47c01 .config console log report info ci-upstream-kmsan-gce-386
* Struck through repros no longer work on HEAD.