syzbot

KMSAN: uninit-value in __request_module

Status: fixed on 2019/10/15 23:40
Subsystems: kernel
Reported-by: syzbot+618aacd49e8c8b8486bd@syzkaller.appspotmail.com
Fix commit: 62794fc4fbf5 net_sched: add max len check for TCA_KIND
First crash: 1689d, last: 1664d
Discussions (10)
Title Replies (including bot) Last reply
[PATCH 5.2 000/313] 5.2.19-stable review 324 (324) 2020/06/23 22:07
[PATCH 4.19 000/211] 4.19.77-stable review 227 (227) 2019/11/12 00:25
[PATCH 5.3 000/344] 5.3.4-stable review 360 (360) 2019/11/11 06:01
[PATCH AUTOSEL 5.3 01/71] drivers: thermal: qcom: tsens: Fix memory leak from qfprom read 74 (74) 2019/10/09 03:45
[PATCH 4.14 000/185] 4.14.147-stable review 191 (191) 2019/10/05 00:10
[Patch net] net_sched: add max len check for TCA_KIND 9 (9) 2019/10/04 23:47
[PATCH AUTOSEL 4.14 01/29] ima: always return negative code for error 29 (29) 2019/10/01 16:44
[PATCH AUTOSEL 4.19 01/43] ima: always return negative code for error 43 (43) 2019/10/01 16:43
[PATCH AUTOSEL 5.2 01/63] drivers: thermal: qcom: tsens: Fix memory leak from qfprom read 63 (63) 2019/10/01 16:41
KMSAN: uninit-value in __request_module 0 (1) 2019/09/16 10:19
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in __request_module (4) kernel 3 1380d 1394d 0/26 auto-closed as invalid on 2020/11/13 14:58
upstream KMSAN: uninit-value in __request_module (3) kernel C 58 1530d 1558d 15/26 fixed on 2020/02/18 14:31
upstream KMSAN: uninit-value in __request_module (2) kernel 3 1590d 1602d 15/26 fixed on 2020/01/08 01:07
Last patch testing requests (3)
Created Duration User Patch Repo Result
2019/09/18 22:26 19m xiyou.wangcong@gmail.com patch https://github.com/google/kmsan.git master OK
2019/09/18 21:53 13m xiyou.wangcong@gmail.com patch https://github.com/google/kmsan.git master report log
2019/09/17 04:55 19m xiyou.wangcong@gmail.com patch https://github.com/google/kmsan.git master OK

Sample crash report:
netlink: 76 bytes leftover after parsing attributes in process `syz-executor501'.
==================================================================
BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:606 [inline]
BUG: KMSAN: uninit-value in string+0x4be/0x600 lib/vsprintf.c:668
CPU: 1 PID: 12341 Comm: syz-executor501 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
 __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
 string_nocheck lib/vsprintf.c:606 [inline]
 string+0x4be/0x600 lib/vsprintf.c:668
 vsnprintf+0x218f/0x3210 lib/vsprintf.c:2503
 __request_module+0x2b1/0x11c0 kernel/kmod.c:143
 tcf_proto_lookup_ops+0x3e7/0x700 net/sched/cls_api.c:80
 tcf_proto_is_unlocked net/sched/cls_api.c:168 [inline]
 tc_new_tfilter+0xfe0/0x4ce0 net/sched/cls_api.c:2041
 rtnetlink_rcv_msg+0xcb6/0x1580 net/core/rtnetlink.c:5214
 netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5241
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0xf6c/0x1050 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x110f/0x1330 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg net/socket.c:657 [inline]
 ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
 __sys_sendmsg net/socket.c:2356 [inline]
 __do_sys_sendmsg net/socket.c:2365 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2363
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2363
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4401e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc3690c568 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401e9
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a70
R13: 0000000000401b00 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:189 [inline]
 kmsan_internal_poison_shadow+0x58/0xb0 mm/kmsan/kmsan.c:148
 kmsan_slab_alloc+0xaa/0x120 mm/kmsan/kmsan_hooks.c:175
 slab_alloc_node mm/slub.c:2790 [inline]
 __kmalloc_node_track_caller+0xb55/0x1320 mm/slub.c:4388
 __kmalloc_reserve net/core/skbuff.c:141 [inline]
 __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
 alloc_skb include/linux/skbuff.h:1056 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
 netlink_sendmsg+0x783/0x1330 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg net/socket.c:657 [inline]
 ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
 __sys_sendmsg net/socket.c:2356 [inline]
 __do_sys_sendmsg net/socket.c:2365 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2363
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2363
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
==================================================================
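Reading the report: the first stack shows tc_new_tfilter handing the TCA_KIND payload straight through tcf_proto_is_unlocked and tcf_proto_lookup_ops into __request_module, where vsnprintf's %s scans for a NUL terminator; the "Uninit was created at" stack shows that the bytes it then reads live in the skb allocated for the netlink message in netlink_alloc_large_skb, i.e. memory the sender never had to fill. The fix commit title ("add max len check for TCA_KIND") names the remedy: bound the attribute before treating it as a string. The following is an added example written for this page; it is not kernel code and not the fix commit itself. It models a netlink string attribute in userspace C, shows the unchecked pattern reading past the attribute's declared length, and shows a bounded copy that rejects any kind that does not fit in IFNAMSIZ. The struct attr_buf layout, make_kind, unchecked_kind_len, bounded_strlcpy, check_kind and the filler bytes are all constructed for the example; the NLA_HDRLEN, IFNAMSIZ and TCA_KIND constants mirror the Linux uapi values.

```c
/* Added example written for this page; not kernel code and not the fix commit.
 * It models how a netlink string attribute such as TCA_KIND can be mis-handled
 * and what a max-length check buys. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLA_HDRLEN 4          /* sizeof(struct nlattr) on Linux */
#define IFNAMSIZ   16         /* size of the kind name buffer in the kernel */
#define TCA_KIND   1          /* attribute type id, as in the uapi enum */

/* Same layout as the kernel's struct nlattr: nla_len includes the header. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};

/* Constructed message fragment: one attribute whose payload is followed by
 * bytes the sender never wrote (a stand-in for the uninitialised skb tail that
 * KMSAN flagged).  A NUL sits at the very end only so the unchecked read below
 * terminates in this demo instead of faulting. */
struct attr_buf {
    struct nlattr hdr;
    char payload[20];
    char tail[8];
};

static const char *nla_data(const struct nlattr *nla)
{
    return (const char *)nla + NLA_HDRLEN;
}

static size_t nla_len(const struct nlattr *nla)
{
    return nla->nla_len - NLA_HDRLEN;
}

/* Build a TCA_KIND attribute carrying exactly n bytes of s.  n may exclude the
 * terminating NUL, which is exactly what a hostile message can do. */
static struct attr_buf make_kind(const char *s, size_t n)
{
    struct attr_buf b;

    memset(&b, 0, sizeof b);
    if (n > sizeof b.payload)
        n = sizeof b.payload;
    b.hdr.nla_len = (uint16_t)(NLA_HDRLEN + n);
    b.hdr.nla_type = TCA_KIND;
    memcpy(b.payload, s, n);
    memcpy(b.tail, "XXXXXXX", sizeof b.tail);   /* 7 filler bytes + NUL */
    return b;
}

/* The unchecked pattern: nla_data() treated as a C string.  A %s conversion in
 * request_module()/vsnprintf() behaves the same way: it scans for a NUL and
 * has no idea where the attribute ends. */
static size_t unchecked_kind_len(const struct attr_buf *b)
{
    return strlen(nla_data(&b->hdr));
}

/* Userspace model of a bounded copy with nla_strlcpy-like semantics: copy at
 * most dstsize-1 bytes, always NUL-terminate, and return the source length as
 * bounded by nla_len so the caller can tell that truncation happened. */
static size_t bounded_strlcpy(char *dst, const struct nlattr *nla, size_t dstsize)
{
    size_t srclen = nla_len(nla);
    const char *src = nla_data(nla);

    if (srclen > 0 && src[srclen - 1] == '\0')
        srclen--;
    if (dstsize > 0) {
        size_t len = srclen >= dstsize ? dstsize - 1 : srclen;

        memset(dst, 0, dstsize);
        memcpy(dst, src, len);
    }
    return srclen;
}

/* The check the fix commit title describes, modelled here: copy the kind into
 * a fixed IFNAMSIZ buffer and reject anything that did not fit.  Returns 0 on
 * success with name filled in, -1 if the attribute is too long.  A missing
 * attribute yields an empty name, which is a legitimate "no kind" case. */
static int check_kind(const struct nlattr *kind, char name[IFNAMSIZ])
{
    if (!kind) {
        memset(name, 0, IFNAMSIZ);
        return 0;
    }
    if (bounded_strlcpy(name, kind, IFNAMSIZ) >= IFNAMSIZ)
        return -1;
    return 0;
}

int main(void)
{
    char name[IFNAMSIZ];
    struct attr_buf ok = make_kind("flower", sizeof "flower");
    struct attr_buf bad = make_kind("aaaaaaaaaaaaaaaaaaaa", 20);

    printf("good kind: check=%d name=%s\n", check_kind(&ok.hdr, name), name);
    printf("unterminated kind: nla_len=%zu but strlen reads %zu bytes\n",
           nla_len(&bad.hdr), unchecked_kind_len(&bad));
    printf("unterminated kind: check=%d\n", check_kind(&bad.hdr, name));
    return 0;
}
```

The unterminated attribute declares 20 payload bytes, yet strlen walks 27 bytes because nothing stops it at the attribute boundary; in the kernel those extra bytes are whatever the skb tail happened to contain, which is what KMSAN reports. The bounded copy never reads beyond nla_len and, by comparing the returned source length against the buffer size, turns an over-long kind into a clean error instead of a silently truncated (or unterminated) module name.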

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/09/12 08:42 https://github.com/google/kmsan.git master 014077b5cd62 f4e53c10 .config console log report syz C ci-upstream-kmsan-gce
2019/10/06 06:36 https://github.com/google/kmsan.git master 1e76a3e537c3 f3f7d9c8 .config console log report ci-upstream-kmsan-gce
2019/10/05 23:41 https://github.com/google/kmsan.git master 1e76a3e537c3 f3f7d9c8 .config console log report ci-upstream-kmsan-gce
2019/10/05 16:18 https://github.com/google/kmsan.git master 1e76a3e537c3 f3f7d9c8 .config console log report ci-upstream-kmsan-gce
2019/10/05 10:57 https://github.com/google/kmsan.git master 1e76a3e537c3 f3f7d9c8 .config console log report ci-upstream-kmsan-gce
2019/10/02 07:43 https://github.com/google/kmsan.git master f5f9d3ce4686 b7a87a83 .config console log report ci-upstream-kmsan-gce
2019/09/30 21:38 https://github.com/google/kmsan.git master f5f9d3ce4686 c7a4fb99 .config console log report ci-upstream-kmsan-gce
2019/09/30 08:31 https://github.com/google/kmsan.git master 124037e07586 c1ad5441 .config console log report ci-upstream-kmsan-gce
2019/09/29 21:53 https://github.com/google/kmsan.git master 124037e07586 c1ad5441 .config console log report ci-upstream-kmsan-gce
2019/09/29 03:28 https://github.com/google/kmsan.git master 124037e07586 eb6b9855 .config console log report ci-upstream-kmsan-gce
2019/09/28 23:25 https://github.com/google/kmsan.git master 124037e07586 eb6b9855 .config console log report ci-upstream-kmsan-gce
2019/09/20 06:44 https://github.com/google/kmsan.git master cebbfdbcf2b7 4d3ae0b7 .config console log report ci-upstream-kmsan-gce
2019/09/11 23:10 https://github.com/google/kmsan.git master 014077b5cd62 f4e53c10 .config console log report ci-upstream-kmsan-gce