KMSAN: uninit-value in _copy_to

KMSAN: uninit-value in _copy_to_iter (3)
Status: upstream: reported C repro on 2020/07/22 06:03
Reported-by: syzbot+81908a97abeec4f4f02d@syzkaller.appspotmail.com
First crash: 467d, last: 462d

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KMSAN: uninit-value in _copy_to_iter	C			32	1285d	1300d	0/22	closed as invalid on 2018/04/22 15:44
upstream	KMSAN: uninit-value in _copy_to_iter (2)	C			226	1238d	1283d	9/22	fixed on 2018/07/09 18:05

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/09/25 18:12	18m	anant.thazhemadam@gmail.com	patch	https://github.com/google/kmsan.git master	OK
2020/09/20 16:41	12m	anant.thazhemadam@gmail.com		https://github.com/google/kmsan.git master	report log
2020/08/27 06:51	12m	foxhlchen@gmail.com		https://github.com/google/kmsan.git master	report log

Sample crash report:

=====================================================
BUG: KMSAN: uninit-value in kmsan_check_memory+0xd/0x10 mm/kmsan/kmsan_hooks.c:428
CPU: 0 PID: 8682 Comm: syz-executor281 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1df/0x240 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_check_memory+0xd/0x10 mm/kmsan/kmsan_hooks.c:428
 instrument_copy_to_user include/linux/instrumented.h:91 [inline]
 copyout lib/iov_iter.c:142 [inline]
 _copy_to_iter+0x3d4/0x26e0 lib/iov_iter.c:631
 copy_to_iter include/linux/uio.h:138 [inline]
 memcpy_to_msg include/linux/skbuff.h:3571 [inline]
 bcm_recvmsg+0x25a/0x740 net/can/bcm.c:1612
 sock_recvmsg_nosec net/socket.c:886 [inline]
 sock_recvmsg net/socket.c:904 [inline]
 __sys_recvfrom+0xacd/0xae0 net/socket.c:2052
 __do_sys_recvfrom net/socket.c:2070 [inline]
 __se_sys_recvfrom+0x111/0x130 net/socket.c:2066
 __x64_sys_recvfrom+0x6e/0x90 net/socket.c:2066
 do_syscall_64+0xb0/0x150 arch/x86/entry/common.c:386
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x448cd9
Code: Bad RIP value.
RSP: 002b:00007f5fbb95fd88 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
RAX: ffffffffffffffda RBX: 00000000006dec68 RCX: 0000000000448cd9
RDX: 0000000000000032 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000006dec60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec6c
R13: ffffff7f00000001 R14: 0000000000000000 R15: 000000306e616376

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:310
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:247
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:267
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:116
 skb_put_data include/linux/skbuff.h:2260 [inline]
 bcm_send_to_user+0x250/0x820 net/can/bcm.c:327
 bcm_tx_timeout_handler+0x5d0/0x620 net/can/bcm.c:413
 __run_hrtimer kernel/time/hrtimer.c:1520 [inline]
 __hrtimer_run_queues+0xa61/0x1340 kernel/time/hrtimer.c:1584
 hrtimer_run_softirq+0x1b2/0x2b0 kernel/time/hrtimer.c:1601
 __do_softirq+0x311/0x83d kernel/softirq.c:293

Local variable ----msg_head@bcm_tx_timeout_handler created at:
 bcm_tx_timeout_handler+0x4f/0x620 net/can/bcm.c:398
 bcm_tx_timeout_handler+0x4f/0x620 net/can/bcm.c:398

Bytes 12-15 of 50 are uninitialized
Memory access of size 50 starts at ffff88b629809600
=====================================================

Crashes (155):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kmsan-gce	2020/07/19 14:33	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/07/19 13:03	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report	syz	C
ci-upstream-kmsan-gce-386	2020/07/20 08:23	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/07/22 14:20	https://github.com/google/kmsan.git master	91e18444d6b0	128cd85f	.config	log	report
ci-upstream-kmsan-gce	2020/07/22 11:00	https://github.com/google/kmsan.git master	91e18444d6b0	128cd85f	.config	log	report
ci-upstream-kmsan-gce	2020/07/22 08:51	https://github.com/google/kmsan.git master	91e18444d6b0	128cd85f	.config	log	report
ci-upstream-kmsan-gce	2020/07/22 06:12	https://github.com/google/kmsan.git master	91e18444d6b0	21f1765e	.config	log	report
ci-upstream-kmsan-gce	2020/07/22 04:56	https://github.com/google/kmsan.git master	91e18444d6b0	21f1765e	.config	log	report
ci-upstream-kmsan-gce	2020/07/22 04:10	https://github.com/google/kmsan.git master	91e18444d6b0	21f1765e	.config	log	report
ci-upstream-kmsan-gce	2020/07/21 18:11	https://github.com/google/kmsan.git master	91e18444d6b0	21f1765e	.config	log	report
ci-upstream-kmsan-gce	2020/07/21 15:02	https://github.com/google/kmsan.git master	91e18444d6b0	d88894e6	.config	log	report
ci-upstream-kmsan-gce	2020/07/21 14:40	https://github.com/google/kmsan.git master	91e18444d6b0	d88894e6	.config	log	report
ci-upstream-kmsan-gce	2020/07/21 12:02	https://github.com/google/kmsan.git master	91e18444d6b0	d88894e6	.config	log	report
ci-upstream-kmsan-gce	2020/07/21 09:08	https://github.com/google/kmsan.git master	91e18444d6b0	d88894e6	.config	log	report
ci-upstream-kmsan-gce	2020/07/21 05:59	https://github.com/google/kmsan.git master	91e18444d6b0	d88894e6	.config	log	report
ci-upstream-kmsan-gce	2020/07/21 00:33	https://github.com/google/kmsan.git master	91e18444d6b0	4285ffa3	.config	log	report
ci-upstream-kmsan-gce	2020/07/20 21:51	https://github.com/google/kmsan.git master	91e18444d6b0	4285ffa3	.config	log	report
ci-upstream-kmsan-gce	2020/07/20 20:34	https://github.com/google/kmsan.git master	91e18444d6b0	4285ffa3	.config	log	report
ci-upstream-kmsan-gce	2020/07/20 15:55	https://github.com/google/kmsan.git master	91e18444d6b0	4285ffa3	.config	log	report
ci-upstream-kmsan-gce	2020/07/20 07:16	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/20 01:49	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/19 21:55	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/19 16:48	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/19 15:37	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/19 07:50	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/19 02:56	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/18 20:48	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/18 20:24	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/18 20:20	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/18 20:03	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/18 20:02	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/18 19:22	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/18 05:28	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce	2020/07/17 23:13	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/22 15:33	https://github.com/google/kmsan.git master	91e18444d6b0	128cd85f	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/22 12:00	https://github.com/google/kmsan.git master	91e18444d6b0	128cd85f	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/22 09:59	https://github.com/google/kmsan.git master	91e18444d6b0	128cd85f	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/21 22:44	https://github.com/google/kmsan.git master	91e18444d6b0	21f1765e	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/21 21:16	https://github.com/google/kmsan.git master	91e18444d6b0	21f1765e	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/21 19:55	https://github.com/google/kmsan.git master	91e18444d6b0	21f1765e	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/21 03:06	https://github.com/google/kmsan.git master	91e18444d6b0	4285ffa3	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/20 18:31	https://github.com/google/kmsan.git master	91e18444d6b0	4285ffa3	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/19 12:36	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/19 11:32	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/19 10:17	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/19 06:33	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/19 04:17	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/19 01:24	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/18 20:35	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/18 19:15	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report