syzbot


KMSAN: uninit-value in xt_check_entry_offsets

Status: internal: reported on 2024/04/09 03:26
Subsystems: netfilter
Fix commit: 65acf6e0501a netfilter: complete validation of user input
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-net-next-test-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 40d, last: 40d

Sample crash report:
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.3'.
=====================================================
BUG: KMSAN: uninit-value in xt_check_entry_offsets+0x1ba/0x810 net/netfilter/x_tables.c:929
 xt_check_entry_offsets+0x1ba/0x810 net/netfilter/x_tables.c:929
 check_entry_size_and_hooks net/ipv4/netfilter/ip_tables.c:610 [inline]
 translate_table+0x4f4/0x3300 net/ipv4/netfilter/ip_tables.c:684
 do_replace net/ipv4/netfilter/ip_tables.c:1135 [inline]
 do_ipt_set_ctl+0x1855/0x1c70 net/ipv4/netfilter/ip_tables.c:1631
 nf_setsockopt+0x497/0x4f0 net/netfilter/nf_sockopt.c:101
 ip_setsockopt+0x1f1/0x210 net/ipv4/ip_sockglue.c:1424
 udp_setsockopt+0x123/0x150 net/ipv4/udp.c:2790
 sock_common_setsockopt+0xf9/0x140 net/core/sock.c:3727
 do_sock_setsockopt+0x4bb/0x7d0 net/socket.c:2311
 __sys_setsockopt+0x33a/0x4b0 net/socket.c:2334
 __do_sys_setsockopt net/socket.c:2343 [inline]
 __se_sys_setsockopt net/socket.c:2340 [inline]
 __x64_sys_setsockopt+0xe8/0x170 net/socket.c:2340
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x72/0x7a

Uninit was stored to memory at:
 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
 do_replace net/ipv4/netfilter/ip_tables.c:1129 [inline]
 do_ipt_set_ctl+0x1308/0x1c70 net/ipv4/netfilter/ip_tables.c:1631
 nf_setsockopt+0x497/0x4f0 net/netfilter/nf_sockopt.c:101
 ip_setsockopt+0x1f1/0x210 net/ipv4/ip_sockglue.c:1424
 udp_setsockopt+0x123/0x150 net/ipv4/udp.c:2790
 sock_common_setsockopt+0xf9/0x140 net/core/sock.c:3727
 do_sock_setsockopt+0x4bb/0x7d0 net/socket.c:2311
 __sys_setsockopt+0x33a/0x4b0 net/socket.c:2334
 __do_sys_setsockopt net/socket.c:2343 [inline]
 __se_sys_setsockopt net/socket.c:2340 [inline]
 __x64_sys_setsockopt+0xe8/0x170 net/socket.c:2340
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x72/0x7a

Uninit was created at:
 __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0x2de/0x1400 mm/slub.c:2391
 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525
 __slab_alloc mm/slub.c:3610 [inline]
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 kmalloc_trace+0x69e/0xba0 mm/slub.c:3992
 kmalloc include/linux/slab.h:628 [inline]
 __hw_addr_create net/core/dev_addr_lists.c:60 [inline]
 __hw_addr_add_ex+0x2e5/0xad0 net/core/dev_addr_lists.c:118
 __dev_mc_add net/core/dev_addr_lists.c:867 [inline]
 dev_mc_add+0x9a/0x140 net/core/dev_addr_lists.c:885
 igmp6_group_added+0x25c/0x800 net/ipv6/mcast.c:680
 __ipv6_dev_mc_inc+0xd50/0x15b0 net/ipv6/mcast.c:949
 ipv6_dev_mc_inc+0x37/0x50 net/ipv6/mcast.c:957
 ipv6_add_dev+0x1aa0/0x1c30 net/ipv6/addrconf.c:470
 addrconf_notify+0x7c9/0x1c40 net/ipv6/addrconf.c:3650
 notifier_call_chain kernel/notifier.c:93 [inline]
 raw_notifier_call_chain+0xe8/0x440 kernel/notifier.c:461
 call_netdevice_notifiers_info+0x1be/0x2b0 net/core/dev.c:1950
 call_netdevice_notifiers_extack net/core/dev.c:1988 [inline]
 call_netdevice_notifiers net/core/dev.c:2002 [inline]
 register_netdevice+0x2031/0x2200 net/core/dev.c:10310
 cfg80211_register_netdevice+0x1b3/0x400 net/wireless/core.c:1437
 ieee80211_if_add+0x1432/0x25e0 net/mac80211/iface.c:2211
 ieee80211_register_hw+0x528c/0x5650 net/mac80211/main.c:1575
 mac80211_hwsim_new_radio+0x3cf1/0x6200 drivers/net/wireless/virtual/mac80211_hwsim.c:5454
 hwsim_new_radio_nl+0x1632/0x2f20 drivers/net/wireless/virtual/mac80211_hwsim.c:6135
 genl_family_rcv_msg_doit net/netlink/genetlink.c:1113 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:1193 [inline]
 genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1208
 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1217
 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
 netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:745
 __sys_sendto+0x685/0x830 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x72/0x7a

CPU: 1 PID: 9276 Comm: syz-executor.3 Tainted: G        W          6.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
=====================================================

Crashes (1):
Time: 2024/04/09 03:25
Kernel: upstream
Commit: fec50db7033e
Syzkaller: 53df08b6
Config: .config
Log: console log
Report: report
Syz repro: (none)
C repro: (none)
VM info: info
Assets: [disk image] [vmlinux] [kernel image]
Manager: ci-upstream-kmsan-gce-root
Title: KMSAN: uninit-value in xt_check_entry_offsets