syzbot


KMSAN: uninit-value in _ion_heap_freelist_drain

Status: closed as invalid on 2020/03/04 15:04
Subsystems: staging
First crash: 1843d, last: 1843d

Sample crash report:
1965979 pages RAM
0 pages HighMem/MovableOnly
285200 pages reserved
0 pages cma reserved
==================================================================
BUG: KMSAN: uninit-value in _ion_heap_freelist_drain+0x7ce/0x840 drivers/staging/android/ion/ion_heap.c:190
CPU: 0 PID: 10744 Comm: syz-executor968 Not tainted 5.1.0-rc2+ #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:624
 __msan_warning+0x7a/0xf0 mm/kmsan/kmsan_instr.c:310
 _ion_heap_freelist_drain+0x7ce/0x840 drivers/staging/android/ion/ion_heap.c:190
 ion_heap_freelist_shrink drivers/staging/android/ion/ion_heap.c:216 [inline]
 ion_heap_shrink_scan+0x13e/0x350 drivers/staging/android/ion/ion_heap.c:294
 do_shrink_slab+0xb63/0x1240 mm/vmscan.c:551
 shrink_slab+0x307/0xe30 mm/vmscan.c:700
 shrink_node+0x87c/0x2140 mm/vmscan.c:2724
 shrink_zones mm/vmscan.c:2953 [inline]
 do_try_to_free_pages+0x55e/0x20b0 mm/vmscan.c:3015
 try_to_free_pages+0xc58/0x1720 mm/vmscan.c:3231
 __perform_reclaim mm/page_alloc.c:4004 [inline]
 __alloc_pages_direct_reclaim mm/page_alloc.c:4026 [inline]
 __alloc_pages_slowpath mm/page_alloc.c:4419 [inline]
 __alloc_pages_nodemask+0x2ff8/0x5e90 mm/page_alloc.c:4633
 alloc_pages_current+0x6a4/0x9c0 mm/mempolicy.c:2106
 alloc_pages include/linux/gfp.h:511 [inline]
 ion_page_pool_alloc_pages drivers/staging/android/ion/ion_page_pool.c:16 [inline]
 ion_page_pool_alloc+0x7d2/0x8d0 drivers/staging/android/ion/ion_page_pool.c:75
 alloc_buffer_page drivers/staging/android/ion/ion_system_heap.c:53 [inline]
 alloc_largest_available drivers/staging/android/ion/ion_system_heap.c:87 [inline]
 ion_system_heap_allocate+0x47f/0x1400 drivers/staging/android/ion/ion_system_heap.c:118
 ion_buffer_create drivers/staging/android/ion/ion.c:76 [inline]
 ion_alloc drivers/staging/android/ion/ion.c:417 [inline]
 ion_ioctl+0x796/0x2270 drivers/staging/android/ion/ion.c:543
 do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:713 [inline]
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x44bc39
Code: e8 fc e5 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b ca fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f93fde33ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006f0028 RCX: 000000000044bc39
RDX: 0000000020000000 RSI: 00000000c0184900 RDI: 0000000000000008
RBP: 00000000006f0020 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006f002c
R13: 00000000007ffcdf R14: 00007f93fde349c0 R15: 20c49ba5e353f7cf

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
 __msan_chain_origin+0x70/0xe0 mm/kmsan/kmsan_instr.c:200
 __write_once_size include/linux/compiler.h:229 [inline]
 __list_add include/linux/list.h:66 [inline]
 list_add include/linux/list.h:79 [inline]
 ion_heap_freelist_add+0x3ac/0x3c0 drivers/staging/android/ion/ion_heap.c:160
 _ion_buffer_destroy drivers/staging/android/ion/ion.c:141 [inline]
 ion_dma_buf_release+0x18b/0x1e0 drivers/staging/android/ion/ion.c:308
 dma_buf_release+0x194/0x820 drivers/dma-buf/dma-buf.c:70
 __fput+0x4d2/0xbb0 fs/file_table.c:278
 ____fput+0x37/0x40 fs/file_table.c:309
 task_work_run+0x22e/0x2a0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x109e/0x3bb0 kernel/exit.c:878
 do_group_exit+0x185/0x320 kernel/exit.c:982
 get_signal+0x9a4/0x2ea0 kernel/signal.c:2577
 do_signal+0x1d5/0x2cc0 arch/x86/kernel/signal.c:816
 exit_to_usermode_loop arch/x86/entry/common.c:162 [inline]
 prepare_exit_to_usermode+0x245/0x420 arch/x86/entry/common.c:197
 syscall_return_slowpath+0xb2/0x650 arch/x86/entry/common.c:268
 do_syscall_64+0xe2/0xf0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:159
 kmsan_kmalloc+0xa9/0x130 mm/kmsan/kmsan_hooks.c:173
 kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:182
 slab_post_alloc_hook mm/slab.h:441 [inline]
 slab_alloc_node mm/slub.c:2771 [inline]
 __kmalloc_node_track_caller+0xead/0x1000 mm/slub.c:4396
 __kmalloc_reserve net/core/skbuff.c:140 [inline]
 __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
 alloc_skb include/linux/skbuff.h:1059 [inline]
 nlmsg_new include/net/netlink.h:658 [inline]
 netlink_ack+0x58e/0x1190 net/netlink/af_netlink.c:2419
 netlink_rcv_skb+0x316/0x620 net/netlink/af_netlink.c:2491
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1925
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg net/socket.c:632 [inline]
 ___sys_sendmsg+0xdb3/0x1220 net/socket.c:2137
 __sys_sendmsg net/socket.c:2175 [inline]
 __do_sys_sendmsg net/socket.c:2184 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2182
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2182
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
==================================================================

Crashes (1):
Time: 2019/04/03 03:09
Kernel: https://github.com/google/kmsan.git master
Commit: 088c01ea0855
Syzkaller: dfd3394d
Config: .config
Log: console log
Report: report
Syz repro: syz
C repro: C
Manager: ci-upstream-kmsan-gce