syzbot


KMSAN: uninit-value in inet_ehash_insert

Status: fixed on 2019/10/15 23:40
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 6af1799aaf3f net-backports: ipv6: drop incoming packets having a v4mapped source address
First crash: 1105d, last: 1092d

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
=====================================================
BUG: KMSAN: uninit-value in spin_lock include/linux/spinlock.h:338 [inline]
BUG: KMSAN: uninit-value in inet_ehash_insert+0x56c/0xc80 net/ipv4/inet_hashtables.c:488
CPU: 1 PID: 12798 Comm: syz-executor845 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
 arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:200 [inline]
 atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:695 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
 do_raw_spin_lock include/linux/spinlock.h:181 [inline]
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x56/0x90 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:338 [inline]
 inet_ehash_insert+0x56c/0xc80 net/ipv4/inet_hashtables.c:488
 reqsk_queue_hash_req net/ipv4/inet_connection_sock.c:757 [inline]
 inet_csk_reqsk_queue_hash_add+0x11a/0x1d0 net/ipv4/inet_connection_sock.c:768
 tcp_conn_request+0x44cc/0x4fb0 net/ipv4/tcp_input.c:6592
 tcp_v6_conn_request+0x242/0x2d0 net/ipv6/tcp_ipv6.c:1074
 tcp_rcv_state_process+0x28f/0x6f80 net/ipv4/tcp_input.c:6103
 tcp_v6_do_rcv+0x1001/0x1ce0 net/ipv6/tcp_ipv6.c:1381
 tcp_v6_rcv+0x60b7/0x6a30 net/ipv6/tcp_ipv6.c:1576
 ip6_protocol_deliver_rcu+0x1433/0x22f0 net/ipv6/ip6_input.c:397
 ip6_input_finish net/ipv6/ip6_input.c:438 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ip6_input+0x2af/0x340 net/ipv6/ip6_input.c:447
 dst_input include/net/dst.h:442 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core net/core/dev.c:5004 [inline]
 __netif_receive_skb net/core/dev.c:5118 [inline]
 netif_receive_skb_internal+0x4e3/0xc20 net/core/dev.c:5208
 napi_frags_finish net/core/dev.c:5759 [inline]
 napi_gro_frags+0x1643/0x2860 net/core/dev.c:5833
 tun_get_user+0x56d8/0x6fe0 drivers/net/tun.c:1974
 tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2020
 do_iter_readv_writev+0xa16/0xc30 include/linux/fs.h:1864
 do_iter_write+0x304/0xdc0 fs/read_write.c:970
 vfs_writev fs/read_write.c:1015 [inline]
 do_writev+0x435/0x900 fs/read_write.c:1058
 __do_sys_writev fs/read_write.c:1131 [inline]
 __se_sys_writev+0x9b/0xb0 fs/read_write.c:1128
 __x64_sys_writev+0x4a/0x70 fs/read_write.c:1128
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4419b0
Code: 05 48 3d 01 f0 ff ff 0f 83 fd 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 61 96 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 d4 0e fc ff c3 48 83 ec 08 e8 7a 2b 00 00
RSP: 002b:00007ffdb76bd3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007ffdb76bd460 RCX: 00000000004419b0
RDX: 0000000000000001 RSI: 00007ffdb76bd3c0 RDI: 00000000000000f0
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000555500008236
R10: 0000555500008236 R11: 0000000000000246 R12: 00007ffdb76bd458
R13: 00007ffdb76bd450 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags+0x3a/0x80 mm/kmsan/kmsan.c:150
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:346 [inline]
 kmsan_alloc_page+0x151/0x360 mm/kmsan/kmsan_shadow.c:382
 __alloc_pages_nodemask+0x142d/0x5fa0 mm/page_alloc.c:4757
 alloc_pages_current+0x68d/0x9a0 mm/mempolicy.c:2153
 alloc_pages include/linux/gfp.h:511 [inline]
 alloc_slab_page+0x10e/0x12c0 mm/slub.c:1535
 allocate_slab mm/slub.c:1680 [inline]
 new_slab+0x2ca/0x1a00 mm/slub.c:1747
 new_slab_objects mm/slub.c:2496 [inline]
 ___slab_alloc+0x1423/0x1fb0 mm/slub.c:2647
 __slab_alloc mm/slub.c:2687 [inline]
 slab_alloc_node mm/slub.c:2750 [inline]
 slab_alloc mm/slub.c:2799 [inline]
 kmem_cache_alloc+0xade/0xd10 mm/slub.c:2804
 reqsk_alloc include/net/request_sock.h:84 [inline]
 inet_reqsk_alloc net/ipv4/tcp_input.c:6402 [inline]
 tcp_conn_request+0x989/0x4fb0 net/ipv4/tcp_input.c:6500
 tcp_v6_conn_request+0x242/0x2d0 net/ipv6/tcp_ipv6.c:1074
 tcp_rcv_state_process+0x28f/0x6f80 net/ipv4/tcp_input.c:6103
 tcp_v6_do_rcv+0x1001/0x1ce0 net/ipv6/tcp_ipv6.c:1381
 tcp_v6_rcv+0x60b7/0x6a30 net/ipv6/tcp_ipv6.c:1576
 ip6_protocol_deliver_rcu+0x1433/0x22f0 net/ipv6/ip6_input.c:397
 ip6_input_finish net/ipv6/ip6_input.c:438 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ip6_input+0x2af/0x340 net/ipv6/ip6_input.c:447
 dst_input include/net/dst.h:442 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core net/core/dev.c:5004 [inline]
 __netif_receive_skb net/core/dev.c:5118 [inline]
 netif_receive_skb_internal+0x4e3/0xc20 net/core/dev.c:5208
 napi_frags_finish net/core/dev.c:5759 [inline]
 napi_gro_frags+0x1643/0x2860 net/core/dev.c:5833
 tun_get_user+0x56d8/0x6fe0 drivers/net/tun.c:1974
 tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2020
 do_iter_readv_writev+0xa16/0xc30 include/linux/fs.h:1864
 do_iter_write+0x304/0xdc0 fs/read_write.c:970
 vfs_writev fs/read_write.c:1015 [inline]
 do_writev+0x435/0x900 fs/read_write.c:1058
 __do_sys_writev fs/read_write.c:1131 [inline]
 __se_sys_writev+0x9b/0xb0 fs/read_write.c:1128
 __x64_sys_writev+0x4a/0x70 fs/read_write.c:1128
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
=====================================================

Crashes (7):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kmsan-gce 2019/09/30 06:45 https://github.com/google/kmsan.git master 124037e07586 c1ad5441 .config log report syz C
ci-upstream-kmsan-gce 2019/10/07 07:42 https://github.com/google/kmsan.git master 1e76a3e537c3 f3f7d9c8 .config log report
ci-upstream-kmsan-gce 2019/10/02 12:36 https://github.com/google/kmsan.git master 1e76a3e537c3 2e29b534 .config log report
ci-upstream-kmsan-gce 2019/09/30 05:15 https://github.com/google/kmsan.git master 124037e07586 c1ad5441 .config log report
ci-upstream-kmsan-gce 2019/09/29 06:02 https://github.com/google/kmsan.git master 124037e07586 eb6b9855 .config log report
ci-upstream-kmsan-gce 2019/09/28 17:10 https://github.com/google/kmsan.git master 124037e07586 eb6b9855 .config log report
ci-upstream-kmsan-gce 2019/09/24 19:08 https://github.com/google/kmsan.git master cebbfdbcf2b7 0942eab8 .config log report
* Struck through repros no longer work on HEAD.