KMSAN: uninit-value in __skb_checksum

KMSAN: uninit-value in __skb_checksum_complete (5)
Status: upstream: reported C repro on 2020/08/14 15:09
Reported-by: syzbot+b024befb3ca7990fea37@syzkaller.appspotmail.com
First crash: 250d, last: 22h31m

similar bugs (4):
Kernel	Title	Repro	Count	Last	Reported	Patched	Status
upstream	KMSAN: uninit-value in __skb_checksum_complete (3)		7	730d	896d	0/22	auto-closed as invalid on 2019/10/19 05:22
upstream	KMSAN: uninit-value in __skb_checksum_complete (2)		2	1022d	1023d	0/22	closed as invalid on 2018/09/05 16:20
upstream	KMSAN: uninit-value in __skb_checksum_complete (4)	C	420	272d	514d	0/22	closed as invalid on 2020/07/22 16:42
upstream	KMSAN: uninit-value in __skb_checksum_complete	C	5	1094d	1095d	0/22	closed as invalid on 2018/04/22 15:44

Sample crash report:

=====================================================
BUG: KMSAN: uninit-value in __skb_checksum_complete+0x421/0x630 net/core/skbuff.c:2846
CPU: 0 PID: 497 Comm: kworker/u4:11 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 __skb_checksum_complete+0x421/0x630 net/core/skbuff.c:2846
 __skb_checksum_validate_complete include/linux/skbuff.h:4014 [inline]
 icmp_rcv+0x94b/0x1d70 net/ipv4/icmp.c:1081
 ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core net/core/dev.c:5315 [inline]
 __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
 process_backlog+0x523/0xc10 net/core/dev.c:6319
 napi_poll+0x420/0x1010 net/core/dev.c:6763
 net_rx_action+0x35c/0xd40 net/core/dev.c:6833
 __do_softirq+0x1a9/0x6fa kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x6e/0x90 arch/x86/kernel/irq_64.c:77
 do_softirq kernel/softirq.c:343 [inline]
 __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:195
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
 __dev_queue_xmit+0x3a9b/0x4520 net/core/dev.c:4167
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
 batadv_send_skb_packet+0x622/0x970 net/batman-adv/send.c:108
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:394 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb3a/0xf00 net/batman-adv/bat_iv_ogm.c:1712
 process_one_work+0x121c/0x1fc0 kernel/workqueue.c:2272
 worker_thread+0x10cc/0x2740 kernel/workqueue.c:2418
 kthread+0x51c/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
 kmsan_memcpy_memmove_metadata+0x25e/0x2d0 mm/kmsan/kmsan.c:226
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:246
 __msan_memcpy+0x46/0x60 mm/kmsan/kmsan_instr.c:110
 csum_partial_copy_nocheck include/net/checksum.h:51 [inline]
 skb_copy_and_csum_bits+0x23e/0x13e0 net/core/skbuff.c:2733
 icmp_glue_bits+0x155/0x400 net/ipv4/icmp.c:356
 __ip_append_data+0x4f8e/0x6210 net/ipv4/ip_output.c:1139
 ip_append_data+0x326/0x490 net/ipv4/ip_output.c:1323
 icmp_push_reply+0x1f8/0x810 net/ipv4/icmp.c:374
 __icmp_send+0x2a98/0x3a90 net/ipv4/icmp.c:762
 icmp_send include/net/icmp.h:43 [inline]
 __udp4_lib_rcv+0x421f/0x5880 net/ipv4/udp.c:2405
 udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
 ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core net/core/dev.c:5315 [inline]
 __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
 process_backlog+0x523/0xc10 net/core/dev.c:6319
 napi_poll+0x420/0x1010 net/core/dev.c:6763
 net_rx_action+0x35c/0xd40 net/core/dev.c:6833
 __do_softirq+0x1a9/0x6fa kernel/softirq.c:298

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
 kmsan_memcpy_memmove_metadata+0x25e/0x2d0 mm/kmsan/kmsan.c:226
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:246
 __msan_memcpy+0x46/0x60 mm/kmsan/kmsan_instr.c:110
 pskb_expand_head+0x3eb/0x1df0 net/core/skbuff.c:1631
 __skb_cow include/linux/skbuff.h:3165 [inline]
 skb_cow_head include/linux/skbuff.h:3199 [inline]
 batadv_skb_head_push+0x2ce/0x410 net/batman-adv/soft-interface.c:75
 batadv_send_skb_packet+0x1ed/0x970 net/batman-adv/send.c:86
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:394 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb3a/0xf00 net/batman-adv/bat_iv_ogm.c:1712
 process_one_work+0x121c/0x1fc0 kernel/workqueue.c:2272
 worker_thread+0x10cc/0x2740 kernel/workqueue.c:2418
 kthread+0x51c/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:121
 kmsan_alloc_page+0xd3/0x1f0 mm/kmsan/kmsan_shadow.c:274
 __alloc_pages_nodemask+0x84e/0xfb0 mm/page_alloc.c:4989
 __alloc_pages include/linux/gfp.h:511 [inline]
 __alloc_pages_node include/linux/gfp.h:524 [inline]
 alloc_pages_node include/linux/gfp.h:538 [inline]
 __page_frag_cache_refill mm/page_alloc.c:5065 [inline]
 page_frag_alloc+0x35b/0x890 mm/page_alloc.c:5095
 __napi_alloc_skb+0x1c0/0xab0 net/core/skbuff.c:519
 napi_alloc_skb include/linux/skbuff.h:2870 [inline]
 page_to_skb+0x142/0x1640 drivers/net/virtio_net.c:389
 receive_mergeable+0xee6/0x5be0 drivers/net/virtio_net.c:949
 receive_buf+0x2db/0x2ba0 drivers/net/virtio_net.c:1059
 virtnet_receive drivers/net/virtio_net.c:1351 [inline]
 virtnet_poll+0xa51/0x1d10 drivers/net/virtio_net.c:1456
 napi_poll+0x420/0x1010 net/core/dev.c:6763
 net_rx_action+0x35c/0xd40 net/core/dev.c:6833
 __do_softirq+0x1a9/0x6fa kernel/softirq.c:298
=====================================================

Crashes (33):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kmsan-gce	2020/12/02 12:10	https://github.com/google/kmsan.git master	73d62e81	c42a35e9	.config	log	report	syz	C
ci-upstream-kmsan-gce	2021/02/01 10:33	https://github.com/google/kmsan.git master	73d62e81	fc9fd31e	.config	log	report			info	KMSAN: uninit-value in __skb_checksum_complete
ci-upstream-kmsan-gce-386	2021/04/20 09:42	https://github.com/google/kmsan.git master	4ebaab5f	4285c989	.config	log	report			info	KMSAN: uninit-value in __skb_checksum_complete
ci-upstream-kmsan-gce-386	2021/04/18 09:09	https://github.com/google/kmsan.git master	4ebaab5f	7e2b734b	.config	log	report			info	KMSAN: uninit-value in __skb_checksum_complete
ci-upstream-kmsan-gce-386	2021/03/17 14:02	https://github.com/google/kmsan.git master	29ad81a1	fdb2bb2c	.config	log	report			info	KMSAN: uninit-value in __skb_checksum_complete
ci-upstream-kmsan-gce-386	2021/02/05 03:03	https://github.com/google/kmsan.git master	73d62e81	23a562df	.config	log	report			info	KMSAN: uninit-value in __skb_checksum_complete
ci-upstream-kmsan-gce-386	2021/01/24 17:45	https://github.com/google/kmsan.git master	73d62e81	52e37319	.config	log	report			info	KMSAN: uninit-value in __skb_checksum_complete
ci-upstream-kmsan-gce	2021/01/13 14:17	https://github.com/google/kmsan.git master	73d62e81	a945f0a3	.config	log	report			info
ci-upstream-kmsan-gce	2020/12/31 23:27	https://github.com/google/kmsan.git master	73d62e81	79264ae3	.config	log	report			info
ci-upstream-kmsan-gce	2020/12/21 11:29	https://github.com/google/kmsan.git master	73d62e81	04201c06	.config	log	report			info
ci-upstream-kmsan-gce	2020/12/18 20:29	https://github.com/google/kmsan.git master	73d62e81	04201c06	.config	log	report			info
ci-upstream-kmsan-gce	2020/12/11 11:30	https://github.com/google/kmsan.git master	73d62e81	f900b48c	.config	log	report			info
ci-upstream-kmsan-gce	2020/12/05 10:16	https://github.com/google/kmsan.git master	73d62e81	20366b87	.config	log	report			info
ci-upstream-kmsan-gce	2020/12/02 05:28	https://github.com/google/kmsan.git master	73d62e81	c42a35e9	.config	log	report			info
ci-upstream-kmsan-gce	2020/11/19 15:42	https://github.com/google/kmsan.git master	73d62e81	0767f13f	.config	log	report			info
ci-upstream-kmsan-gce	2020/11/17 15:40	https://github.com/google/kmsan.git master	73d62e81	bd2a760b	.config	log	report			info
ci-upstream-kmsan-gce	2020/10/14 02:29	https://github.com/google/kmsan.git master	e67f4ba8	fc7735a2	.config	log	report			info
ci-upstream-kmsan-gce	2020/09/22 02:18	https://github.com/google/kmsan.git master	c5a13b33	9e1fa68e	.config	log	report			info
ci-upstream-kmsan-gce	2020/09/11 18:52	https://github.com/google/kmsan.git master	3b3ea602	adfb8b4e	.config	log	report
ci-upstream-kmsan-gce	2020/09/07 06:36	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report
ci-upstream-kmsan-gce	2020/08/19 21:39	https://github.com/google/kmsan.git master	ce8056d1	94b45706	.config	log	report
ci-upstream-kmsan-gce	2020/08/17 02:05	https://github.com/google/kmsan.git master	ce8056d1	424dd8e7	.config	log	report
ci-upstream-kmsan-gce	2020/08/14 06:17	https://github.com/google/kmsan.git master	ce8056d1	54ce1ed6	.config	log	report
ci-upstream-kmsan-gce-386	2021/01/12 18:45	https://github.com/google/kmsan.git master	73d62e81	0cdd6185	.config	log	report			info
ci-upstream-kmsan-gce-386	2021/01/06 03:09	https://github.com/google/kmsan.git master	73d62e81	b1c228e1	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/12/23 08:37	https://github.com/google/kmsan.git master	73d62e81	04201c06	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/12/15 02:02	https://github.com/google/kmsan.git master	73d62e81	97183ed7	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/12/13 09:33	https://github.com/google/kmsan.git master	73d62e81	bca53db9	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/12/02 15:27	https://github.com/google/kmsan.git master	73d62e81	8c9190ef	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/11/26 07:11	https://github.com/google/kmsan.git master	73d62e81	2f1cec62	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/10/26 05:24	https://github.com/google/kmsan.git master	e1617422	a1839e81	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/09/23 04:33	https://github.com/google/kmsan.git master	c5a13b33	3e8f6c27	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/08/21 09:28	https://github.com/google/kmsan.git master	ce8056d1	1d75fe45	.config	log	report