syzbot


KMSAN: uninit-value in __xfrm_decode_session (4)

Status: closed as invalid on 2023/12/14 11:46
Subsystems: net
First crash: 268d, last: 220d
Similar bugs (8)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KMSAN: uninit-value in __xfrm_decode_session (2) [net] | | | | 6 | 1586d | 1661d | 0/26 | auto-closed as invalid on 2020/04/24 09:27
upstream | KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2) [net] | | | | 7 | 906d | 1142d | 0/26 | auto-closed as invalid on 2022/04/04 17:22
upstream | KMSAN: kernel-infoleak in copyout (2) [net] | C | | | 6723 | 356d | 1525d | 22/26 | fixed on 2023/06/08 14:41
upstream | KMSAN: uninit-value in __xfrm_decode_session [net] | | | | 1 | 1704d | 1704d | 0/26 | closed as invalid on 2019/10/08 12:18
upstream | KMSAN: kernel-infoleak in _copy_to_iter (7) [net] | C | | | 138977 | 460d | 812d | 22/26 | fixed on 2023/02/24 13:50
upstream | KMSAN: uninit-value in __xfrm_decode_session (3) [net] | | | | 1 | 1407d | 1407d | 0/26 | auto-closed as invalid on 2020/10/20 16:12
linux-5.15 | KASAN: slab-out-of-bounds Read in __xfrm_decode_session [origin:upstream] | C | error | | 7 | 203d | 390d | 0/3 | auto-obsoleted due to no activity on 2024/02/16 23:16
linux-6.1 | KASAN: use-after-free Read in __xfrm_decode_session | | | | 4 | 249d | 380d | 0/3 | auto-obsoleted due to no activity on 2024/01/01 21:03
Last patch testing requests (2)
Created | Duration | User | Patch | Repo | Result
2023/12/05 18:25 | 26m | edumazet@google.com | | upstream | OK (log)
2023/10/21 10:27 | 18m | retest repro | | upstream | report (log)

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in decode_session4 net/xfrm/xfrm_policy.c:3391 [inline]
BUG: KMSAN: uninit-value in __xfrm_decode_session+0x16ba/0x2890 net/xfrm/xfrm_policy.c:3562
 decode_session4 net/xfrm/xfrm_policy.c:3391 [inline]
 __xfrm_decode_session+0x16ba/0x2890 net/xfrm/xfrm_policy.c:3562
 xfrm_decode_session include/net/xfrm.h:1216 [inline]
 xfrmi_xmit+0x1ea/0x2270 net/xfrm/xfrm_interface_core.c:556
 __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
 netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 xmit_one net/core/dev.c:3544 [inline]
 dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560
 __dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340
 dev_queue_xmit include/linux/netdevice.h:3082 [inline]
 packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3087 [inline]
 packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119
 sock_sendmsg_nosec net/socket.c:730 [inline]
 sock_sendmsg net/socket.c:753 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594
 __sys_sendmsg net/socket.c:2623 [inline]
 __do_sys_sendmsg net/socket.c:2632 [inline]
 __se_sys_sendmsg net/socket.c:2630 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2630
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
 kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559
 __alloc_skb+0x318/0x740 net/core/skbuff.c:644
 alloc_skb include/linux/skbuff.h:1286 [inline]
 alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299
 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794
 packet_alloc_skb net/packet/af_packet.c:2936 [inline]
 packet_snd net/packet/af_packet.c:3030 [inline]
 packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
 sock_sendmsg_nosec net/socket.c:730 [inline]
 sock_sendmsg net/socket.c:753 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594
 __sys_sendmsg net/socket.c:2623 [inline]
 __do_sys_sendmsg net/socket.c:2632 [inline]
 __se_sys_sendmsg net/socket.c:2630 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2630
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 0 PID: 5025 Comm: syz-executor305 Not tainted 6.5.0-syzkaller-11329-g708283abf896 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
=====================================================

Crashes (8):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2023/09/04 19:53 | upstream | 708283abf896 | 8bc9053e | .config | strace log | report | syz | C | | disk image, vmlinux, kernel image | ci-upstream-kmsan-gce | KMSAN: uninit-value in __xfrm_decode_session
2023/10/22 07:17 | upstream | 1acfd2bd3f0d | 361b23dc | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-kmsan-gce | KMSAN: uninit-value in __xfrm_decode_session
2023/09/26 16:32 | upstream | 6465e260f487 | 0b6a67ac | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-kmsan-gce | KMSAN: uninit-value in __xfrm_decode_session
2023/09/04 17:43 | upstream | 708283abf896 | 8bc9053e | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-kmsan-gce | KMSAN: uninit-value in __xfrm_decode_session
2023/09/04 17:42 | upstream | 708283abf896 | 8bc9053e | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-kmsan-gce | KMSAN: uninit-value in __xfrm_decode_session
2023/10/07 09:57 | upstream | 82714078aee4 | 5e837c76 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-kmsan-gce-386 | KMSAN: uninit-value in __xfrm_decode_session
2023/09/26 16:41 | upstream | 6465e260f487 | 0b6a67ac | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-kmsan-gce-386 | KMSAN: uninit-value in __xfrm_decode_session
2023/09/14 03:39 | upstream | aed8aee11130 | 0b6a67ac | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in __xfrm_decode_session