KMSAN: uninit-value in nf_ip6

KMSAN: uninit-value in nf_ip6_checksum
Status: auto-closed as invalid on 2021/02/03 14:57
Reported-by: syzbot+266e61dcc3259a67d5ec@syzkaller.appspotmail.com
First crash: 436d, last: 292d

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in nf_ip6_checksum+0x63a/0x670 net/netfilter/utils.c:74
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:201
 nf_ip6_checksum+0x63a/0x670 net/netfilter/utils.c:74
 nf_nat_icmpv6_reply_translation+0x312/0x1360 net/netfilter/nf_nat_proto.c:800
 nf_nat_ipv6_fn+0x3c4/0x570 net/netfilter/nf_nat_proto.c:873
 nf_nat_ipv6_in+0x129/0x440 net/netfilter/nf_nat_proto.c:892
 nf_hook_entry_hookfn include/linux/netfilter.h:136 [inline]
 nf_hook_slow+0x17b/0x460 net/netfilter/core.c:512
 nf_hook include/linux/netfilter.h:256 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ipv6_rcv+0x29f/0x460 net/ipv6/ip6_input.c:307
 __netif_receive_skb_one_core net/core/dev.c:5286 [inline]
 __netif_receive_skb+0x265/0x670 net/core/dev.c:5400
 process_backlog+0x50d/0xba0 net/core/dev.c:6242
 napi_poll+0x443/0x1100 net/core/dev.c:6688
 net_rx_action+0x35c/0xd40 net/core/dev.c:6758
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:299
 run_ksoftirqd+0x25/0x40 kernel/softirq.c:656
 smpboot_thread_fn+0x5f5/0xa90 kernel/smpboot.c:165
 kthread+0x551/0x590 kernel/kthread.c:293
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:311
 __msan_chain_origin+0x50/0x90 mm/kmsan/kmsan_instr.c:151
 __skb_checksum_complete+0x58e/0x630 net/core/skbuff.c:2860
 nf_ip6_checksum+0x565/0x670 net/netfilter/utils.c:91
 nf_nat_icmpv6_reply_translation+0x312/0x1360 net/netfilter/nf_nat_proto.c:800
 nf_nat_ipv6_fn+0x3c4/0x570 net/netfilter/nf_nat_proto.c:873
 nf_nat_ipv6_local_fn+0xaa/0x800 net/netfilter/nf_nat_proto.c:946
 nf_hook_entry_hookfn include/linux/netfilter.h:136 [inline]
 nf_hook_slow+0x17b/0x460 net/netfilter/core.c:512
 nf_hook include/linux/netfilter.h:256 [inline]
 __ip6_local_out+0x696/0x7c0 net/ipv6/output_core.c:167
 ip6_local_out+0xa1/0x1e0 net/ipv6/output_core.c:177
 ip6_send_skb net/ipv6/ip6_output.c:1867 [inline]
 ip6_push_pending_frames+0x252/0x5b0 net/ipv6/ip6_output.c:1887
 icmpv6_push_pending_frames+0x6d1/0x710 net/ipv6/icmp.c:304
 icmp6_send+0x3958/0x40d0 net/ipv6/icmp.c:617
 icmpv6_send include/linux/icmpv6.h:24 [inline]
 ip6_link_failure+0x79/0x620 net/ipv6/route.c:2669
 dst_link_failure include/net/dst.h:426 [inline]
 ndisc_error_report+0x120/0x1c0 net/ipv6/ndisc.c:710
 neigh_invalidate+0x353/0x8e0 net/core/neighbour.c:993
 neigh_timer_handler+0x1135/0x17b0 net/core/neighbour.c:1080
 call_timer_fn+0x226/0x550 kernel/time/timer.c:1413
 expire_timers+0x4fc/0x780 kernel/time/timer.c:1458
 __run_timers+0x624/0x9e0 kernel/time/timer.c:1755
 run_timer_softirq+0x2d/0x50 kernel/time/timer.c:1768
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:299

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:311
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:248
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:268
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:114
 csum_partial_copy_nocheck+0xae/0x100 lib/checksum.c:154
 skb_copy_and_csum_bits+0x261/0x1360 net/core/skbuff.c:2739
 icmpv6_getfrag+0x148/0x3b0 net/ipv6/icmp.c:319
 __ip6_append_data+0x5a33/0x71b0 net/ipv6/ip6_output.c:1625
 ip6_append_data+0x44b/0x6e0 net/ipv6/ip6_output.c:1759
 icmp6_send+0x36fc/0x40d0 net/ipv6/icmp.c:609
 icmpv6_send include/linux/icmpv6.h:24 [inline]
 ip6_link_failure+0x79/0x620 net/ipv6/route.c:2669
 dst_link_failure include/net/dst.h:426 [inline]
 ndisc_error_report+0x120/0x1c0 net/ipv6/ndisc.c:710
 neigh_invalidate+0x353/0x8e0 net/core/neighbour.c:993
 neigh_timer_handler+0x1135/0x17b0 net/core/neighbour.c:1080
 call_timer_fn+0x226/0x550 kernel/time/timer.c:1413
 expire_timers+0x4fc/0x780 kernel/time/timer.c:1458
 __run_timers+0x624/0x9e0 kernel/time/timer.c:1755
 run_timer_softirq+0x2d/0x50 kernel/time/timer.c:1768
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:299

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:311
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:248
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:268
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:114
 pskb_expand_head+0x3fd/0x1e30 net/core/skbuff.c:1638
 __skb_cow include/linux/skbuff.h:3160 [inline]
 skb_cow_head include/linux/skbuff.h:3194 [inline]
 geneve_build_skb+0x575/0xf90 drivers/net/geneve.c:758
 geneve6_xmit_skb drivers/net/geneve.c:1019 [inline]
 geneve_xmit+0x2147/0x3c00 drivers/net/geneve.c:1052
 __netdev_start_xmit include/linux/netdevice.h:4634 [inline]
 netdev_start_xmit include/linux/netdevice.h:4648 [inline]
 xmit_one+0x3cf/0x750 net/core/dev.c:3561
 dev_hard_start_xmit net/core/dev.c:3577 [inline]
 __dev_queue_xmit+0x3aad/0x4470 net/core/dev.c:4136
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4169
 batadv_send_skb_packet+0x622/0x970 net/batman-adv/send.c:108
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:419 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb2e/0xef0 net/batman-adv/bat_iv_ogm.c:1711
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:293
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:311
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:248
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:268
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:114
 pskb_expand_head+0x3fd/0x1e30 net/core/skbuff.c:1638
 __skb_cow include/linux/skbuff.h:3160 [inline]
 skb_cow_head include/linux/skbuff.h:3194 [inline]
 batadv_skb_head_push+0x2cc/0x410 net/batman-adv/soft-interface.c:75
 batadv_send_skb_packet+0x1ed/0x970 net/batman-adv/send.c:86
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:419 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb2e/0xef0 net/batman-adv/bat_iv_ogm.c:1711
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:293
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:143
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:268 [inline]
 kmsan_alloc_page+0xc5/0x1a0 mm/kmsan/kmsan_shadow.c:292
 __alloc_pages_nodemask+0xf34/0x1120 mm/page_alloc.c:4927
 __alloc_pages include/linux/gfp.h:509 [inline]
 __alloc_pages_node include/linux/gfp.h:522 [inline]
 alloc_pages_node include/linux/gfp.h:536 [inline]
 __page_frag_cache_refill mm/page_alloc.c:5002 [inline]
 page_frag_alloc+0x35b/0x880 mm/page_alloc.c:5032
 __netdev_alloc_skb+0xc3d/0xc90 net/core/skbuff.c:456
 netdev_alloc_skb include/linux/skbuff.h:2821 [inline]
 dev_alloc_skb include/linux/skbuff.h:2834 [inline]
 __ieee80211_beacon_get+0x37e3/0x4df0 net/mac80211/tx.c:4819
 ieee80211_beacon_get_tim+0x109/0x800 net/mac80211/tx.c:4933
 ieee80211_beacon_get include/net/mac80211.h:4845 [inline]
 mac80211_hwsim_beacon_tx+0x1c3/0xb80 drivers/net/wireless/mac80211_hwsim.c:1676
 __iterate_interfaces net/mac80211/util.c:737 [inline]
 ieee80211_iterate_active_interfaces_atomic+0x40a/0x610 net/mac80211/util.c:773
 mac80211_hwsim_beacon+0x11d/0x2e0 drivers/net/wireless/mac80211_hwsim.c:1717
 __run_hrtimer+0x7cd/0xf00 kernel/time/hrtimer.c:1524
 __hrtimer_run_queues kernel/time/hrtimer.c:1588 [inline]
 hrtimer_run_softirq+0x3bf/0x690 kernel/time/hrtimer.c:1605
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:299
=====================================================
Crashes (5):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info
ci-upstream-kmsan-gce	2020/10/06 14:56	https://github.com/google/kmsan.git master	5edb1df295b9	1880b4a9	.config	log	report	info
ci-upstream-kmsan-gce	2020/06/14 22:46	https://github.com/google/kmsan.git master	f0d5ec902b23	2a22c77a	.config	log	report
ci-upstream-kmsan-gce	2020/05/15 01:24	https://github.com/google/kmsan.git master	8b97c6271626	2d572622	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/21 19:21	https://github.com/google/kmsan.git master	91e18444d6b0	21f1765e	.config	log	report
ci-upstream-kmsan-gce-386	2020/07/21 02:59	https://github.com/google/kmsan.git master	91e18444d6b0	4285ffa3	.config	log	report