syzbot

KMSAN: uninit-value in trie_lookup_elem

Status: upstream: reported C repro on 2024/03/21 15:11
Subsystems: bpf
Reported-by: syzbot+d2b113dc9fea5e1d2848@syzkaller.appspotmail.com
Fix commit: bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode
Patched on: [ci-upstream-bpf-next-kasan-gce ci-upstream-linux-next-kasan-gce-root], missing on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-net-next-test-gce ci2-upstream-usb]
First crash: 40d, last: 18d
Discussions (2)
Title Replies (including bot) Last reply
[PATCH bpf-next] bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode 2 (2) 2024/03/29 02:10
[syzbot] [bpf?] KMSAN: uninit-value in trie_lookup_elem 0 (1) 2024/03/21 15:11

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in trie_lookup_elem+0x4b9/0x510 kernel/bpf/lpm_trie.c:234
 trie_lookup_elem+0x4b9/0x510 kernel/bpf/lpm_trie.c:234
 ____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]
 bpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
 __bpf_prog_run32+0xb2/0xe0 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run2+0x116/0x300 kernel/trace/bpf_trace.c:2420
 __bpf_trace_skb_copy_datagram_iovec+0x2c/0x40 include/trace/events/skb.h:73
 trace_skb_copy_datagram_iovec include/trace/events/skb.h:73 [inline]
 skb_copy_datagram_iter+0x15e/0x200 net/core/datagram.c:545
 skb_copy_datagram_msg include/linux/skbuff.h:4045 [inline]
 tcp_recvmsg_locked+0xcf6/0x3680 net/ipv4/tcp.c:2500
 tcp_recvmsg+0x279/0xad0 net/ipv4/tcp.c:2578
 inet_recvmsg+0x167/0x6a0 net/ipv4/af_inet.c:883
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0x235/0x340 net/socket.c:1068
 sock_read_iter+0x333/0x3c0 net/socket.c:1138
 call_read_iter include/linux/fs.h:2102 [inline]
 new_sync_read fs/read_write.c:395 [inline]
 vfs_read+0xda3/0xef0 fs/read_write.c:476
 ksys_read+0x20f/0x4c0 fs/read_write.c:619
 __do_sys_read fs/read_write.c:629 [inline]
 __se_sys_read fs/read_write.c:627 [inline]
 __x64_sys_read+0x93/0xe0 fs/read_write.c:627
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Local variable stack created at:
 __bpf_prog_run32+0x43/0xe0 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run2+0x116/0x300 kernel/trace/bpf_trace.c:2420

CPU: 0 PID: 5010 Comm: sshd Not tainted 6.8.0-syzkaller-11339-g741e9d668aa5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
=====================================================

Crashes (12):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/03/17 16:10 upstream 741e9d668aa5 d615901c .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in trie_lookup_elem
2024/04/08 13:38 upstream fec50db7033e ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in trie_lookup_elem
2024/04/07 03:33 upstream f2f80ac80987 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in trie_lookup_elem
2024/04/04 00:45 upstream 3e92c1e6cd87 fed899ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in trie_lookup_elem
2024/04/01 02:15 upstream 18737353cca0 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in trie_lookup_elem
2024/03/31 09:18 upstream 712e14250dd2 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in trie_lookup_elem
2024/03/31 06:04 upstream 712e14250dd2 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in trie_lookup_elem
2024/03/31 05:57 upstream 712e14250dd2 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in trie_lookup_elem
2024/03/17 15:06 upstream 741e9d668aa5 d615901c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in trie_lookup_elem
2024/04/07 08:26 upstream f2f80ac80987 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in trie_lookup_elem
2024/04/03 21:03 upstream 3e92c1e6cd87 fed899ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in trie_lookup_elem
2024/04/01 08:25 upstream 39cd87c4eb2b 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in trie_lookup_elem
* Struck through repros no longer work on HEAD.