KMSAN: uninit-value in __skb_checksum

KMSAN: uninit-value in __skb_checksum_complete (5)
Status: upstream: reported on 2020/08/14 15:09
Reported-by: syzbot+b024befb3ca7990fea37@syzkaller.appspotmail.com
First crash: 45d, last: 6d00h

similar bugs (4):
Kernel	Title	Repro	Count	Last	Reported	Patched	Status
upstream	KMSAN: uninit-value in __skb_checksum_complete (3)		7	526d	692d	0/17	auto-closed as invalid on 2019/10/19 05:22
upstream	KMSAN: uninit-value in __skb_checksum_complete (2)		2	818d	819d	0/17	closed as invalid on 2018/09/05 16:20
upstream	KMSAN: uninit-value in __skb_checksum_complete (4)	C	420	68d	310d	0/17	closed as invalid on 2020/07/22 16:42
upstream	KMSAN: uninit-value in __skb_checksum_complete	C	5	890d	891d	0/17	closed as invalid on 2018/04/22 15:44

Sample crash report:

=====================================================
BUG: KMSAN: uninit-value in __skb_checksum_complete+0x425/0x630 net/core/skbuff.c:2852
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219
 __skb_checksum_complete+0x425/0x630 net/core/skbuff.c:2852
 nf_ip_checksum+0x688/0x7e0 net/netfilter/utils.c:36
 nf_nat_icmp_reply_translation+0x3a4/0xb50 net/netfilter/nf_nat_proto.c:578
 nf_nat_ipv4_fn net/netfilter/nf_nat_proto.c:637 [inline]
 nf_nat_ipv4_local_fn+0x26f/0x9d0 net/netfilter/nf_nat_proto.c:708
 nf_hook_entry_hookfn include/linux/netfilter.h:136 [inline]
 nf_hook_slow+0x17b/0x460 net/netfilter/core.c:512
 nf_hook include/linux/netfilter.h:256 [inline]
 __ip_local_out+0x71a/0x840 net/ipv4/ip_output.c:114
 ip_local_out net/ipv4/ip_output.c:123 [inline]
 ip_send_skb net/ipv4/ip_output.c:1566 [inline]
 ip_push_pending_frames+0x165/0x4c0 net/ipv4/ip_output.c:1586
 icmp_push_reply+0x6ec/0x7a0 net/ipv4/icmp.c:390
 __icmp_send+0x258b/0x3830 net/ipv4/icmp.c:740
 icmp_send include/net/icmp.h:43 [inline]
 __udp4_lib_rcv+0x42f4/0x58f0 net/ipv4/udp.c:2405
 udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
 ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x727/0x8d0 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_rcv+0x795/0x810 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core net/core/dev.c:5286 [inline]
 __netif_receive_skb+0x265/0x670 net/core/dev.c:5400
 process_backlog+0x50d/0xba0 net/core/dev.c:6242
 napi_poll+0x443/0x1100 net/core/dev.c:6688
 net_rx_action+0x35c/0xd40 net/core/dev.c:6758
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:299
 run_ksoftirqd+0x25/0x40 kernel/softirq.c:656
 smpboot_thread_fn+0x5f5/0xa90 kernel/smpboot.c:165
 kthread+0x551/0x590 kernel/kthread.c:293
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:311
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:248
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:268
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:120
 csum_partial_copy_nocheck+0xae/0x100 lib/checksum.c:154
 skb_copy_and_csum_bits+0x261/0x1360 net/core/skbuff.c:2739
 icmp_glue_bits+0x160/0x410 net/ipv4/icmp.c:353
 __ip_append_data+0x520d/0x6100 net/ipv4/ip_output.c:1137
 ip_append_data+0x326/0x490 net/ipv4/ip_output.c:1321
 icmp_push_reply+0x208/0x7a0 net/ipv4/icmp.c:371
 __icmp_send+0x258b/0x3830 net/ipv4/icmp.c:740
 icmp_send include/net/icmp.h:43 [inline]
 __udp4_lib_rcv+0x42f4/0x58f0 net/ipv4/udp.c:2405
 udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
 ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x727/0x8d0 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_rcv+0x795/0x810 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core net/core/dev.c:5286 [inline]
 __netif_receive_skb+0x265/0x670 net/core/dev.c:5400
 process_backlog+0x50d/0xba0 net/core/dev.c:6242
 napi_poll+0x443/0x1100 net/core/dev.c:6688
 net_rx_action+0x35c/0xd40 net/core/dev.c:6758
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:299

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:311
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:248
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:268
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:120
 pskb_expand_head+0x3fd/0x1e30 net/core/skbuff.c:1638
 __skb_cow include/linux/skbuff.h:3160 [inline]
 skb_cow_head include/linux/skbuff.h:3194 [inline]
 batadv_skb_head_push+0x2cc/0x410 net/batman-adv/soft-interface.c:75
 batadv_send_skb_packet+0x1ed/0x970 net/batman-adv/send.c:86
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:419 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb2e/0xef0 net/batman-adv/bat_iv_ogm.c:1711
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:293
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:143
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:268 [inline]
 kmsan_alloc_page+0xc5/0x1a0 mm/kmsan/kmsan_shadow.c:292
 __alloc_pages_nodemask+0xf34/0x1120 mm/page_alloc.c:4927
 __alloc_pages include/linux/gfp.h:509 [inline]
 __alloc_pages_node include/linux/gfp.h:522 [inline]
 alloc_pages_node include/linux/gfp.h:536 [inline]
 __page_frag_cache_refill mm/page_alloc.c:5002 [inline]
 page_frag_alloc+0x35b/0x880 mm/page_alloc.c:5032
 __napi_alloc_skb+0x1cf/0xb10 net/core/skbuff.c:519
 napi_alloc_skb include/linux/skbuff.h:2865 [inline]
 page_to_skb+0x135/0x1730 drivers/net/virtio_net.c:384
 receive_mergeable+0x107f/0x5ed0 drivers/net/virtio_net.c:944
 receive_buf+0x2f0/0x2c70 drivers/net/virtio_net.c:1054
 virtnet_receive drivers/net/virtio_net.c:1346 [inline]
 virtnet_poll+0xa51/0x1d10 drivers/net/virtio_net.c:1451
 napi_poll+0x443/0x1100 net/core/dev.c:6688
 net_rx_action+0x35c/0xd40 net/core/dev.c:6758
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:299
=====================================================

Crashes (8):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Maintainers
ci-upstream-kmsan-gce	2020/09/22 02:18	https://github.com/google/kmsan.git master	c5a13b33	9e1fa68e	.config	log	report	info	coreteam@netfilter.org, davem@davemloft.net, fw@strlen.de, kadlec@netfilter.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pablo@netfilter.org
ci-upstream-kmsan-gce	2020/09/11 18:52	https://github.com/google/kmsan.git master	3b3ea602	adfb8b4e	.config	log	report		coreteam@netfilter.org, davem@davemloft.net, fw@strlen.de, kadlec@netfilter.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pablo@netfilter.org
ci-upstream-kmsan-gce	2020/09/07 06:36	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report		coreteam@netfilter.org, davem@davemloft.net, fw@strlen.de, kadlec@netfilter.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pablo@netfilter.org
ci-upstream-kmsan-gce	2020/08/19 21:39	https://github.com/google/kmsan.git master	ce8056d1	94b45706	.config	log	report		coreteam@netfilter.org, davem@davemloft.net, fw@strlen.de, kadlec@netfilter.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pablo@netfilter.org
ci-upstream-kmsan-gce	2020/08/17 02:05	https://github.com/google/kmsan.git master	ce8056d1	424dd8e7	.config	log	report		coreteam@netfilter.org, davem@davemloft.net, fw@strlen.de, kadlec@netfilter.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pablo@netfilter.org
ci-upstream-kmsan-gce	2020/08/14 06:17	https://github.com/google/kmsan.git master	ce8056d1	54ce1ed6	.config	log	report		coreteam@netfilter.org, davem@davemloft.net, fw@strlen.de, kadlec@netfilter.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pablo@netfilter.org
ci-upstream-kmsan-gce-386	2020/09/23 04:33	https://github.com/google/kmsan.git master	c5a13b33	3e8f6c27	.config	log	report	info	coreteam@netfilter.org, davem@davemloft.net, fw@strlen.de, kadlec@netfilter.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pablo@netfilter.org
ci-upstream-kmsan-gce-386	2020/08/21 09:28	https://github.com/google/kmsan.git master	ce8056d1	1d75fe45	.config	log	report		coreteam@netfilter.org, davem@davemloft.net, fw@strlen.de, kadlec@netfilter.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pablo@netfilter.org