KMSAN: uninit-value in skb_release

KMSAN: uninit-value in skb_release_data (2)
Status: auto-closed as invalid on 2019/08/03 03:17
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 631d, last: 631d

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KMSAN: uninit-value in skb_release_data (3)	C			1	48d	47d	0/17	upstream: reported C repro on 2020/09/09 09:58
upstream	KMSAN: uninit-value in skb_release_data				1	853d	853d	0/17	closed as invalid on 2018/09/05 11:10

Sample crash report:

==================================================================
BUG: KMSAN: uninit-value in __read_once_size include/linux/compiler.h:198 [inline]
BUG: KMSAN: uninit-value in compound_head include/linux/page-flags.h:143 [inline]
BUG: KMSAN: uninit-value in put_page include/linux/mm.h:981 [inline]
BUG: KMSAN: uninit-value in __skb_frag_unref include/linux/skbuff.h:2838 [inline]
BUG: KMSAN: uninit-value in skb_release_data+0x386/0x8c0 net/core/skbuff.c:567
CPU: 0 PID: 15026 Comm: syz-executor1 Not tainted 5.0.0-rc1+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
 __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
 __read_once_size include/linux/compiler.h:198 [inline]
 compound_head include/linux/page-flags.h:143 [inline]
 put_page include/linux/mm.h:981 [inline]
 __skb_frag_unref include/linux/skbuff.h:2838 [inline]
 skb_release_data+0x386/0x8c0 net/core/skbuff.c:567
 skb_release_all net/core/skbuff.c:627 [inline]
 __kfree_skb+0x8a/0x210 net/core/skbuff.c:641
 consume_skb+0x320/0x370 net/core/skbuff.c:701
 icmp_rcv+0x11d2/0x1950 net/ipv4/icmp.c:1068
 ip_protocol_deliver_rcu+0x584/0xba0 net/ipv4/ip_input.c:208
 ip_local_deliver_finish net/ipv4/ip_input.c:234 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_local_deliver+0x624/0x7b0 net/ipv4/ip_input.c:255
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:414 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_rcv+0x6b6/0x740 net/ipv4/ip_input.c:523
 __netif_receive_skb_one_core net/core/dev.c:4973 [inline]
 __netif_receive_skb net/core/dev.c:5083 [inline]
 netif_receive_skb_internal+0x5cd/0x9a0 net/core/dev.c:5186
 netif_receive_skb+0x256/0x480 net/core/dev.c:5261
 tun_rx_batched include/linux/skbuff.h:4099 [inline]
 tun_get_user+0x6d2d/0x7190 drivers/net/tun.c:1989
 tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2017
 do_iter_readv_writev+0x985/0xba0 include/linux/fs.h:1856
 do_iter_write+0x304/0xdc0 fs/read_write.c:956
 vfs_writev fs/read_write.c:1001 [inline]
 do_writev+0x397/0x840 fs/read_write.c:1036
 __do_sys_writev fs/read_write.c:1109 [inline]
 __se_sys_writev+0x9b/0xb0 fs/read_write.c:1106
 __x64_sys_writev+0x4a/0x70 fs/read_write.c:1106
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x457cf1
Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b9 fb ff c3 48 83 ec 08 e8 1a 2d 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 63 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f6fdd9aeba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000000006a RCX: 0000000000457cf1
RDX: 0000000000000001 RSI: 00007f6fdd9aebf0 RDI: 00000000000000f0
RBP: 00000000200000c0 R08: 00000000000000f0 R09: 0000000000000000
R10: 00007f6fdd9af9d0 R11: 0000000000000293 R12: 00007f6fdd9af6d4
R13: 00000000004c6404 R14: 00000000004db768 R15: 00000000ffffffff

Uninit was created at:
 kmsan_save_stack_with_flags+0x7a/0x130 mm/kmsan/kmsan.c:205
 kmsan_internal_alloc_meta_for_pages+0x113/0x580 mm/kmsan/kmsan_hooks.c:98
 kmsan_alloc_page+0x7e/0x100 mm/kmsan/kmsan_hooks.c:396
 __alloc_pages_nodemask+0x137b/0x5e30 mm/page_alloc.c:4572
 alloc_pages_current+0x69d/0x9b0 mm/mempolicy.c:2106
 alloc_pages include/linux/gfp.h:511 [inline]
 skb_page_frag_refill+0x3b5/0x5b0 net/core/sock.c:2221
 tun_build_skb drivers/net/tun.c:1682 [inline]
 tun_get_user+0x1d42/0x7190 drivers/net/tun.c:1825
 tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2017
 do_iter_readv_writev+0x985/0xba0 include/linux/fs.h:1856
 do_iter_write+0x304/0xdc0 fs/read_write.c:956
 vfs_writev fs/read_write.c:1001 [inline]
 do_writev+0x397/0x840 fs/read_write.c:1036
 __do_sys_writev fs/read_write.c:1109 [inline]
 __se_sys_writev+0x9b/0xb0 fs/read_write.c:1106
 __x64_sys_writev+0x4a/0x70 fs/read_write.c:1106
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
==================================================================

Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Maintainers
ci-upstream-kmsan-gce	2019/02/04 02:59	https://github.com/google/kmsan.git master	fa1981be	c198d5dd	.config	log	report				davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org