KMSAN: uninit-value in IP6_ECN

KMSAN: uninit-value in IP6_ECN_decapsulate
Status: upstream: reported C repro on 2018/09/20 20:54
Reported-by: syzbot+bf7e6250c7ce248f3ec9@syzkaller.appspotmail.com
First crash: 1134d, last: 163d

Sample crash report:

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:189 [inline]
BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x421/0x970 include/net/inet_ecn.h:234
CPU: 0 PID: 4515 Comm: syz-executor162 Not tainted 4.17.0+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1122
 __msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620
 INET_ECN_decapsulate include/net/inet_ecn.h:189 [inline]
 IP6_ECN_decapsulate+0x421/0x970 include/net/inet_ecn.h:234
 ip6ip6_dscp_ecn_decapsulate+0x1e0/0x250 net/ipv6/ip6_tunnel.c:719
 __ip6_tnl_rcv+0xff9/0x1a10 net/ipv6/ip6_tunnel.c:829
 ip6_tnl_rcv+0xe6/0x110 net/ipv6/ip6_tunnel.c:868
 gre_rcv+0x1661/0x1a90 net/ipv6/ip6_gre.c:534
 ip6_input_finish+0x1353/0x2260 net/ipv6/ip6_input.c:284
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip6_input+0x294/0x320 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x498/0x6e0 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ipv6_rcv+0x1d6b/0x2360 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x47f3/0x4aa0 net/core/dev.c:4592
 __netif_receive_skb net/core/dev.c:4657 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x766/0x1a80 net/core/dev.c:5801
 __do_softirq+0x592/0x979 kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
 </IRQ>
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
 ip6_finish_output2+0x1ce8/0x2100 net/ipv6/ip6_output.c:121
 ip6_finish_output+0xaf0/0xbb0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x597/0x6c0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 ip6_local_out+0x164/0x1d0 net/ipv6/output_core.c:176
 ip6_send_skb net/ipv6/ip6_output.c:1703 [inline]
 ip6_push_pending_frames+0x218/0x4d0 net/ipv6/ip6_output.c:1723
 rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
 rawv6_sendmsg+0x4254/0x4fc0 net/ipv6/raw.c:935
 inet_sendmsg+0x3fc/0x760 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 sock_write_iter+0x3bc/0x470 net/socket.c:908
 call_write_iter include/linux/fs.h:1784 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x808/0x9f0 fs/read_write.c:487
 vfs_write+0x467/0x8c0 fs/read_write.c:549
 ksys_write fs/read_write.c:598 [inline]
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x1bf/0x3e0 fs/read_write.c:607
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441199
RSP: 002b:00007fff83b55688 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441199
RDX: 0000000000000004 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004020a0
R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb35/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 __ip6_append_data+0x364d/0x4fb0 net/ipv6/ip6_output.c:1434
 ip6_append_data+0x40e/0x6b0 net/ipv6/ip6_output.c:1597
 rawv6_sendmsg+0x2756/0x4fc0 net/ipv6/raw.c:928
 inet_sendmsg+0x3fc/0x760 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 sock_write_iter+0x3bc/0x470 net/socket.c:908
 call_write_iter include/linux/fs.h:1784 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x808/0x9f0 fs/read_write.c:487
 vfs_write+0x467/0x8c0 fs/read_write.c:549
 ksys_write fs/read_write.c:598 [inline]
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x1bf/0x3e0 fs/read_write.c:607
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
==================================================================

Crashes (286):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kmsan-gce	2018/06/17 13:07	https://github.com/google/kmsan.git master	88e0e95b30f1	27c5f59f	.config	log	report	syz	C
ci-upstream-kmsan-gce	2018/06/16 08:29	https://github.com/google/kmsan.git master	88e0e95b30f1	27c5f59f	.config	log	report	syz
ci-upstream-kmsan-gce	2021/02/11 04:10	https://github.com/google/kmsan.git master	73d62e81b476	a52ee10a	.config	log	report			info	KMSAN: uninit-value in IP6_ECN_decapsulate
ci-upstream-kmsan-gce	2021/01/14 05:26	https://github.com/google/kmsan.git master	73d62e81b476	269d24e8	.config	log	report			info
ci-upstream-kmsan-gce	2021/01/10 07:44	https://github.com/google/kmsan.git master	73d62e81b476	2c1f2513	.config	log	report			info
ci-upstream-kmsan-gce	2020/09/20 17:58	https://github.com/google/kmsan.git master	c5a13b33ec11	9564d2e9	.config	log	report			info
ci-upstream-kmsan-gce	2020/09/11 16:19	https://github.com/google/kmsan.git master	3b3ea6028136	adfb8b4e	.config	log	report
ci-upstream-kmsan-gce	2020/09/10 17:52	https://github.com/google/kmsan.git master	3b3ea6028136	409809d8	.config	log	report
ci-upstream-kmsan-gce	2020/09/03 01:54	https://github.com/google/kmsan.git master	3b3ea6028136	abf9ba4f	.config	log	report
ci-upstream-kmsan-gce	2020/08/23 16:54	https://github.com/google/kmsan.git master	ce8056d1f79e	cef5ae68	.config	log	report
ci-upstream-kmsan-gce	2020/08/23 03:41	https://github.com/google/kmsan.git master	ce8056d1f79e	1da71ab0	.config	log	report
ci-upstream-kmsan-gce	2020/08/22 17:47	https://github.com/google/kmsan.git master	ce8056d1f79e	6436ce4b	.config	log	report
ci-upstream-kmsan-gce	2020/08/22 13:33	https://github.com/google/kmsan.git master	ce8056d1f79e	6436ce4b	.config	log	report
ci-upstream-kmsan-gce	2020/08/21 02:31	https://github.com/google/kmsan.git master	ce8056d1f79e	1d75fe45	.config	log	report
ci-upstream-kmsan-gce	2020/08/19 10:35	https://github.com/google/kmsan.git master	ce8056d1f79e	e1c29030	.config	log	report
ci-upstream-kmsan-gce	2020/08/17 07:28	https://github.com/google/kmsan.git master	ce8056d1f79e	424dd8e7	.config	log	report
ci-upstream-kmsan-gce	2020/08/17 02:54	https://github.com/google/kmsan.git master	ce8056d1f79e	424dd8e7	.config	log	report
ci-upstream-kmsan-gce	2020/08/17 02:24	https://github.com/google/kmsan.git master	ce8056d1f79e	424dd8e7	.config	log	report
ci-upstream-kmsan-gce	2020/08/14 19:57	https://github.com/google/kmsan.git master	ce8056d1f79e	424dd8e7	.config	log	report
ci-upstream-kmsan-gce	2020/08/13 17:32	https://github.com/google/kmsan.git master	ce8056d1f79e	bc15f7db	.config	log	report
ci-upstream-kmsan-gce	2020/06/08 00:52	https://github.com/google/kmsan.git master	f0d5ec902b23	2c2b926c	.config	log	report
ci-upstream-kmsan-gce	2020/05/23 00:20	https://github.com/google/kmsan.git master	8b97c6271626	9682898d	.config	log	report
ci-upstream-kmsan-gce	2020/05/19 06:24	https://github.com/google/kmsan.git master	8b97c6271626	684d3606	.config	log	report
ci-upstream-kmsan-gce	2020/05/17 17:55	https://github.com/google/kmsan.git master	8b97c6271626	37bccd4e	.config	log	report
ci-upstream-kmsan-gce	2020/05/13 19:02	https://github.com/google/kmsan.git master	8b97c6271626	9a6d42fb	.config	log	report
ci-upstream-kmsan-gce	2020/05/13 05:10	https://github.com/google/kmsan.git master	34598697f9d0	a44eb8f7	.config	log	report
ci-upstream-kmsan-gce	2020/05/11 23:13	https://github.com/google/kmsan.git master	14bcee29ad06	9eb09c40	.config	log	report
ci-upstream-kmsan-gce	2020/05/11 04:24	https://github.com/google/kmsan.git master	14bcee29ad06	8742a2b9	.config	log	report
ci-upstream-kmsan-gce	2020/05/11 01:43	https://github.com/google/kmsan.git master	14bcee29ad06	8742a2b9	.config	log	report
ci-upstream-kmsan-gce	2020/05/06 18:45	https://github.com/google/kmsan.git master	21c44613a2fe	4618eb2d	.config	log	report
ci-upstream-kmsan-gce	2020/05/05 14:16	https://github.com/google/kmsan.git master	21c44613a2fe	4b76dd25	.config	log	report
ci-upstream-kmsan-gce	2020/05/04 22:55	https://github.com/google/kmsan.git master	21c44613a2fe	9941337c	.config	log	report
ci-upstream-kmsan-gce	2018/06/16 04:24	https://github.com/google/kmsan.git master	88e0e95b30f1	27c5f59f	.config	log	report
ci-upstream-kmsan-gce-386	2021/01/17 03:13	https://github.com/google/kmsan.git master	73d62e81b476	65a7a854	.config	log	report			info
ci-upstream-kmsan-gce-386	2021/01/10 08:45	https://github.com/google/kmsan.git master	73d62e81b476	2c1f2513	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/09/09 08:42	https://github.com/google/kmsan.git master	3b3ea6028136	abf9ba4f	.config	log	report
ci-upstream-kmsan-gce-386	2020/09/09 06:42	https://github.com/google/kmsan.git master	3b3ea6028136	abf9ba4f	.config	log	report
ci-upstream-kmsan-gce-386	2020/09/07 05:21	https://github.com/google/kmsan.git master	3b3ea6028136	abf9ba4f	.config	log	report
ci-upstream-kmsan-gce-386	2020/09/05 04:11	https://github.com/google/kmsan.git master	3b3ea6028136	abf9ba4f	.config	log	report
ci-upstream-kmsan-gce-386	2020/09/04 09:05	https://github.com/google/kmsan.git master	3b3ea6028136	abf9ba4f	.config	log	report
ci-upstream-kmsan-gce-386	2020/08/28 02:48	https://github.com/google/kmsan.git master	ce8056d1f79e	816e0689	.config	log	report
ci-upstream-kmsan-gce-386	2020/08/26 07:22	https://github.com/google/kmsan.git master	ce8056d1f79e	344da168	.config	log	report
ci-upstream-kmsan-gce-386	2020/08/26 04:13	https://github.com/google/kmsan.git master	ce8056d1f79e	344da168	.config	log	report
ci-upstream-kmsan-gce-386	2020/08/26 04:02	https://github.com/google/kmsan.git master	ce8056d1f79e	344da168	.config	log	report
ci-upstream-kmsan-gce-386	2020/08/24 23:40	https://github.com/google/kmsan.git master	ce8056d1f79e	67b599d1	.config	log	report
ci-upstream-kmsan-gce-386	2020/08/12 21:11	https://github.com/google/kmsan.git master	ce8056d1f79e	bc15f7db	.config	log	report
ci-upstream-kmsan-gce-386	2020/08/12 18:35	https://github.com/google/kmsan.git master	ce8056d1f79e	bc15f7db	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/13 05:58	https://github.com/google/kmsan.git master	34598697f9d0	a44eb8f7	.config	log	report