KMSAN: uninit-value in sock

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KMSAN: uninit-value in sock_rfree (2) bluetooth				1	1947d	1947d	0/28	closed as invalid on 2019/10/08 12:18
audit: type=1326 audit(1529707028.727:385): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=15774 comm="syz-executor4" exe="/root/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x455a99 code=0x0
==================================================================
BUG: KMSAN: uninit-value in sk_mem_uncharge include/net/sock.h:1416 [inline]
BUG: KMSAN: uninit-value in sock_rfree+0x21e/0x2a0 net/core/sock.c:1897
CPU: 0 PID: 4514 Comm: syz-fuzzer Not tainted 4.17.0+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
 __msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620
 sk_mem_uncharge include/net/sock.h:1416 [inline]
 sock_rfree+0x21e/0x2a0 net/core/sock.c:1897
 skb_release_head_state+0x2f1/0x520 net/core/skbuff.c:613
 skb_release_all net/core/skbuff.c:626 [inline]
 __kfree_skb+0x57/0x280 net/core/skbuff.c:642
 sk_eat_skb include/net/sock.h:2300 [inline]
 tcp_recvmsg+0x2b50/0x40b0 net/ipv4/tcp.c:1987
 inet_recvmsg+0x4e3/0x610 net/ipv4/af_inet.c:830
 sock_recvmsg_nosec net/socket.c:802 [inline]
 sock_recvmsg net/socket.c:809 [inline]
 sock_read_iter+0x40a/0x480 net/socket.c:886
 call_read_iter include/linux/fs.h:1778 [inline]
 new_sync_read fs/read_write.c:406 [inline]
 __vfs_read+0x775/0x9d0 fs/read_write.c:418
 vfs_read+0x36c/0x6b0 fs/read_write.c:452
 ksys_read fs/read_write.c:578 [inline]
 __do_sys_read fs/read_write.c:588 [inline]
 __se_sys_read fs/read_write.c:586 [inline]
 __x64_sys_read+0x1bf/0x3e0 fs/read_write.c:586
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x47fc44
RSP: 002b:000000c4201bb998 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000000c420028700 RCX: 000000000047fc44
RDX: 0000000000001000 RSI: 000000c4200b5000 RDI: 0000000000000003
RBP: 000000c4201bb9e8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000020 R14: 0000000000000013 R15: 000000c43a3e9960

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 __sk_mem_reclaim+0x127/0x140 net/core/sock.c:2518
 sk_mem_reclaim include/net/sock.h:1385 [inline]
 tcp_event_data_recv+0x1410/0x17b0 net/ipv4/tcp_input.c:685
 tcp_data_queue+0x169d/0xa3c0 net/ipv4/tcp_input.c:4611
 tcp_rcv_established+0x196e/0x2bb0 net/ipv4/tcp_input.c:5460
 tcp_v4_do_rcv+0x6d2/0xd90 net/ipv4/tcp_ipv4.c:1477
 tcp_v4_rcv+0x676e/0x6cd0 net/ipv4/tcp_ipv4.c:1765
 ip_local_deliver_finish+0x887/0xed0 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0xa1b/0x1d10 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x1168/0x16a0 net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x47f3/0x4aa0 net/core/dev.c:4592
 __netif_receive_skb net/core/dev.c:4657 [inline]
 netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4731
 napi_skb_finish net/core/dev.c:5093 [inline]
 napi_gro_receive+0x6a7/0xb60 net/core/dev.c:5124
 receive_buf+0x4c96/0x6ae0 drivers/net/virtio_net.c:945
 virtnet_receive drivers/net/virtio_net.c:1200 [inline]
 virtnet_poll+0x8ff/0x1420 drivers/net/virtio_net.c:1282
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x766/0x1a80 net/core/dev.c:5801
 __do_softirq+0x592/0x979 kernel/softirq.c:285

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 sk_mem_charge include/net/sock.h:1400 [inline]
 skb_set_owner_r include/net/sock.h:2037 [inline]
 tcp_queue_rcv+0xfe1/0x1200 net/ipv4/tcp_input.c:4521
 tcp_data_queue+0x1510/0xa3c0 net/ipv4/tcp_input.c:4608
 tcp_rcv_established+0x196e/0x2bb0 net/ipv4/tcp_input.c:5460
 tcp_v4_do_rcv+0x6d2/0xd90 net/ipv4/tcp_ipv4.c:1477
 tcp_v4_rcv+0x676e/0x6cd0 net/ipv4/tcp_ipv4.c:1765
 ip_local_deliver_finish+0x887/0xed0 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0xa1b/0x1d10 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x1168/0x16a0 net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x47f3/0x4aa0 net/core/dev.c:4592
 __netif_receive_skb net/core/dev.c:4657 [inline]
 netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4731
 napi_skb_finish net/core/dev.c:5093 [inline]
 napi_gro_receive+0x6a7/0xb60 net/core/dev.c:5124
 receive_buf+0x4c96/0x6ae0 drivers/net/virtio_net.c:945
 virtnet_receive drivers/net/virtio_net.c:1200 [inline]
 virtnet_poll+0x8ff/0x1420 drivers/net/virtio_net.c:1282
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x766/0x1a80 net/core/dev.c:5801
 __do_softirq+0x592/0x979 kernel/softirq.c:285

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 sk_forced_mem_schedule+0x1de/0x2d0 net/ipv4/tcp_output.c:3037
 tcp_data_queue+0x13f6/0xa3c0 net/ipv4/tcp_input.c:4604
 tcp_rcv_established+0x196e/0x2bb0 net/ipv4/tcp_input.c:5460
 tcp_v4_do_rcv+0x6d2/0xd90 net/ipv4/tcp_ipv4.c:1477
 tcp_v4_rcv+0x676e/0x6cd0 net/ipv4/tcp_ipv4.c:1765
 ip_local_deliver_finish+0x887/0xed0 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0xa1b/0x1d10 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x1168/0x16a0 net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x47f3/0x4aa0 net/core/dev.c:4592
 __netif_receive_skb net/core/dev.c:4657 [inline]
 netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4731
 napi_skb_finish net/core/dev.c:5093 [inline]
 napi_gro_receive+0x6a7/0xb60 net/core/dev.c:5124
 receive_buf+0x4c96/0x6ae0 drivers/net/virtio_net.c:945
 virtnet_receive drivers/net/virtio_net.c:1200 [inline]
 virtnet_poll+0x8ff/0x1420 drivers/net/virtio_net.c:1282
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x766/0x1a80 net/core/dev.c:5801
 __do_softirq+0x592/0x979 kernel/softirq.c:285

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:192
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:318
 kmem_cache_alloc+0xa97/0xb70 mm/slub.c:2772
 __build_skb net/core/skbuff.c:282 [inline]
 __napi_alloc_skb+0x27c/0xa10 net/core/skbuff.c:483
 napi_alloc_skb include/linux/skbuff.h:2655 [inline]
 page_to_skb+0x141/0x1190 drivers/net/virtio_net.c:349
 receive_mergeable drivers/net/virtio_net.c:812 [inline]
 receive_buf+0xc98/0x6ae0 drivers/net/virtio_net.c:917
 virtnet_receive drivers/net/virtio_net.c:1200 [inline]
 virtnet_poll+0x8ff/0x1420 drivers/net/virtio_net.c:1282
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x766/0x1a80 net/core/dev.c:5801
 __do_softirq+0x592/0x979 kernel/softirq.c:285
==================================================================