syzbot

KMSAN: uninit-value in can_receive

Status: fixed on 2020/02/18 14:31
Subsystems: can
Reported-by: syzbot+b02ff0707a97e4e79ebb@syzkaller.appspotmail.com
Fix commit: e7153bf70c34 can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs
First crash: 1899d, last: 1809d
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 5.4 00/78] 5.4.12-stable review 107 (107) 2020/02/11 15:01
[PATCH 4.19 00/46] 4.19.96-stable review 51 (51) 2020/01/15 02:09
[PATCH 4.14 00/39] 4.14.165-stable review 44 (44) 2020/01/15 02:08
[PATCH 4.9 00/31] 4.9.210-stable review 36 (36) 2020/01/15 02:08
[PATCH 4.4 00/28] 4.4.210-stable review 33 (33) 2020/01/15 02:08
[PATCH 6/9] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs 1 (1) 2020/01/02 16:09
[PATCH] can: ensure an initialized headroom in outgoing CAN sk_buffs 4 (4) 2019/12/09 16:07
KMSAN: uninit-value in can_receive 15 (17) 2019/12/03 10:40
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: kernel-infoleak in _copy_to_iter (7) net C 138977 704d 1056d 22/28 fixed on 2023/02/24 13:50
upstream KMSAN: uninit-value in can_receive (2) can C 2060 1538d 1633d 15/28 fixed on 2020/11/16 12:12

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in can_receive+0x23c/0x5e0 net/can/af_can.c:650
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
 can_receive+0x23c/0x5e0 net/can/af_can.c:650
 canfd_rcv+0x188/0x3a0 net/can/af_can.c:703
 __netif_receive_skb_one_core net/core/dev.c:4929 [inline]
 __netif_receive_skb net/core/dev.c:5043 [inline]
 process_backlog+0x12a6/0x13c0 net/core/dev.c:5874
 napi_poll net/core/dev.c:6311 [inline]
 net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
 __do_softirq+0x4a1/0x83a kernel/softirq.c:293
 run_ksoftirqd+0x25/0x40 kernel/softirq.c:607
 smpboot_thread_fn+0x4a3/0x990 kernel/smpboot.c:165
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:353

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
 kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
 kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
 slab_alloc_node mm/slub.c:2773 [inline]
 __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
 __kmalloc_reserve net/core/skbuff.c:141 [inline]
 __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
 alloc_skb include/linux/skbuff.h:1049 [inline]
 alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
 sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
 packet_alloc_skb net/packet/af_packet.c:2807 [inline]
 packet_snd net/packet/af_packet.c:2902 [inline]
 packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg net/socket.c:657 [inline]
 ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
 __sys_sendmmsg+0x53a/0xae0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2439
 __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2439
 do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
=====================================================

Crashes (14):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/12/03 09:39 https://github.com/google/kmsan.git master 940694c19feb ab342da3 .config console log report syz C ci-upstream-kmsan-gce
2019/11/26 08:59 https://github.com/google/kmsan.git master 4a1d41e39c62 f746151a .config console log report syz C ci-upstream-kmsan-gce
2020/02/15 13:32 https://github.com/google/kmsan.git master 686a4f77cb0c 5d7b90f1 .config console log report ci-upstream-kmsan-gce
2020/02/14 00:27 https://github.com/google/kmsan.git master 686a4f77cb0c c5ed587f .config console log report ci-upstream-kmsan-gce
2020/02/10 09:10 https://github.com/google/kmsan.git master 686a4f77cb0c 35f5e45e .config console log report ci-upstream-kmsan-gce
2020/01/27 13:25 https://github.com/google/kmsan.git master 686a4f77cb0c dd56146d .config console log report ci-upstream-kmsan-gce
2020/01/16 19:13 https://github.com/google/kmsan.git master 686a4f77cb0c 3de7aabb .config console log report ci-upstream-kmsan-gce
2020/01/16 04:04 https://github.com/google/kmsan.git master 686a4f77cb0c f9b69507 .config console log report ci-upstream-kmsan-gce
2020/01/15 22:58 https://github.com/google/kmsan.git master 686a4f77cb0c f9b69507 .config console log report ci-upstream-kmsan-gce
2019/12/30 20:34 https://github.com/google/kmsan.git master 997a8b55bc92 af6b8ef8 .config console log report ci-upstream-kmsan-gce
2019/12/30 11:03 https://github.com/google/kmsan.git master 997a8b55bc92 af6b8ef8 .config console log report ci-upstream-kmsan-gce
2019/12/08 10:36 https://github.com/google/kmsan.git master f8f75f037ea5 1508f453 .config console log report ci-upstream-kmsan-gce
2019/11/26 08:00 https://github.com/google/kmsan.git master 4a1d41e39c62 f746151a .config console log report ci-upstream-kmsan-gce
2019/11/16 23:11 https://github.com/google/kmsan.git master 9c6a71628ab9 d5696d51 .config console log report ci-upstream-kmsan-gce