syzbot


KMSAN: uninit-value in inet_frag_find (2)

Status: auto-closed as invalid on 2022/04/11 17:13
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 242d, last: 210d
similar bugs (6):
Kernel   | Title                                       | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
upstream | KMSAN: uninit-value in inet_frag_find       |       |              |            | 141   | 1246d | 1344d    | 0/23    | auto-closed as invalid on 2019/09/09 04:47
upstream | KMSAN: uninit-value in skb_release_data (3) | C     |              |            | 10    | 21d   | 700d     | 0/23    | upstream: reported C repro on 2020/09/09 09:58
upstream | KMSAN: uninit-value in ipv6_find_tlv        | C     |              |            | 16    | 90d   | 1093d    | 0/23    | upstream: reported C repro on 2019/08/13 14:48
upstream | KMSAN: kernel-infoleak in _copy_to_iter (7) | C     |              |            | 568   | 3h38m | 154d     | 21/23   | internal: reported C repro on 2022/03/09 07:32
upstream | KMSAN: kernel-infoleak in _copy_to_iter (6) | C     |              |            | 748   | 154d  | 244d     | 22/23   | fixed on 2022/03/08 16:11
upstream | KMSAN: uninit-value in eth_type_trans (2)   | C     |              |            | 2127  | 9h15m | 930d     | 0/23    | upstream: reported C repro on 2020/01/22 16:47

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:369 [inline]
BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:599 [inline]
BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:638 [inline]
BUG: KMSAN: uninit-value in inet_frag_find+0x861/0x2a60 net/ipv4/inet_fragment.c:362
 rht_ptr_rcu include/linux/rhashtable.h:369 [inline]
 __rhashtable_lookup include/linux/rhashtable.h:599 [inline]
 rhashtable_lookup include/linux/rhashtable.h:638 [inline]
 inet_frag_find+0x861/0x2a60 net/ipv4/inet_fragment.c:362
 fq_find net/ipv6/reassembly.c:99 [inline]
 ipv6_frag_rcv+0x180a/0x4370 net/ipv6/reassembly.c:374
 ip6_protocol_deliver_rcu+0xe7c/0x2ab0 net/ipv6/ip6_input.c:422
 ip6_input_finish net/ipv6/ip6_input.c:463 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ip6_input+0x130/0x390 net/ipv6/ip6_input.c:472
 ip6_mc_input+0xcab/0xef0 net/ipv6/ip6_input.c:566
 dst_input include/net/dst.h:460 [inline]
 ip6_rcv_finish+0x670/0x850 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ipv6_rcv+0x1d1/0x460 net/ipv6/ip6_input.c:297
 __netif_receive_skb_one_core net/core/dev.c:5465 [inline]
 __netif_receive_skb+0x1ec/0x630 net/core/dev.c:5579
 process_backlog+0x54b/0xc10 net/core/dev.c:6455
 __napi_poll+0x14c/0xc00 net/core/dev.c:7023
 napi_poll net/core/dev.c:7090 [inline]
 net_rx_action+0x7e2/0x1820 net/core/dev.c:7177
 __do_softirq+0x1ee/0x7c5 kernel/softirq.c:558
 do_softirq+0x16d/0x220 kernel/softirq.c:459
 netif_rx_ni+0xb6/0x410 net/core/dev.c:4973
 dev_loopback_xmit+0x7cb/0x8d0 net/core/dev.c:3927
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ip6_finish_output2+0x69b/0x2c50 net/ipv6/ip6_output.c:92
 ip6_fragment+0x2c5e/0x4210 net/ipv6/ip6_output.c:907
 __ip6_finish_output+0xca4/0x10a0 net/ipv6/ip6_output.c:189
 ip6_finish_output+0x15c/0x4d0 net/ipv6/ip6_output.c:201
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x4ac/0x7f0 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:450 [inline]
 ip6_local_out+0x180/0x1f0 net/ipv6/output_core.c:161
 ip6_send_skb+0xf8/0x3f0 net/ipv6/ip6_output.c:1912
 udp_v6_send_skb+0x1441/0x2200 net/ipv6/udp.c:1249
 udpv6_sendmsg+0x4c5a/0x4f40 net/ipv6/udp.c:1547
 inet6_sendmsg+0x15b/0x1d0 net/ipv6/af_inet6.c:644
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 ____sys_sendmsg+0xe11/0x12c0 net/socket.c:2409
 ___sys_sendmsg net/socket.c:2463 [inline]
 __sys_sendmmsg+0x845/0xf60 net/socket.c:2542
 __compat_sys_sendmmsg net/compat.c:361 [inline]
 __do_compat_sys_sendmmsg net/compat.c:368 [inline]
 __se_compat_sys_sendmmsg net/compat.c:365 [inline]
 __ia32_compat_sys_sendmmsg+0x127/0x180 net/compat.c:365
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Uninit was stored to memory at:
 fq_find net/ipv6/reassembly.c:86 [inline]
 ipv6_frag_rcv+0x1760/0x4370 net/ipv6/reassembly.c:374
 ip6_protocol_deliver_rcu+0xe7c/0x2ab0 net/ipv6/ip6_input.c:422
 ip6_input_finish net/ipv6/ip6_input.c:463 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ip6_input+0x130/0x390 net/ipv6/ip6_input.c:472
 ip6_mc_input+0xcab/0xef0 net/ipv6/ip6_input.c:566
 dst_input include/net/dst.h:460 [inline]
 ip6_rcv_finish+0x670/0x850 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ipv6_rcv+0x1d1/0x460 net/ipv6/ip6_input.c:297
 __netif_receive_skb_one_core net/core/dev.c:5465 [inline]
 __netif_receive_skb+0x1ec/0x630 net/core/dev.c:5579
 process_backlog+0x54b/0xc10 net/core/dev.c:6455
 __napi_poll+0x14c/0xc00 net/core/dev.c:7023
 napi_poll net/core/dev.c:7090 [inline]
 net_rx_action+0x7e2/0x1820 net/core/dev.c:7177
 __do_softirq+0x1ee/0x7c5 kernel/softirq.c:558

Uninit was stored to memory at:
 pskb_expand_head+0x3c9/0x1ca0 net/core/skbuff.c:1710
 skb_unclone include/linux/skbuff.h:1690 [inline]
 skb_copy_ubufs+0x3db/0x2870 net/core/skbuff.c:1422
 skb_orphan_frags_rx include/linux/skbuff.h:2853 [inline]
 __netif_receive_skb_core+0x5938/0x5de0 net/core/dev.c:5430
 __netif_receive_skb_one_core net/core/dev.c:5463 [inline]
 __netif_receive_skb+0xf2/0x630 net/core/dev.c:5579
 process_backlog+0x54b/0xc10 net/core/dev.c:6455
 __napi_poll+0x14c/0xc00 net/core/dev.c:7023
 napi_poll net/core/dev.c:7090 [inline]
 net_rx_action+0x7e2/0x1820 net/core/dev.c:7177
 __do_softirq+0x1ee/0x7c5 kernel/softirq.c:558

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 alloc_skb_with_frags+0x1db/0xbc0 net/core/skbuff.c:6078
 sock_alloc_send_pskb+0xdf4/0xfc0 net/core/sock.c:2575
 sock_alloc_send_skb+0xca/0xe0 net/core/sock.c:2592
 __ip6_append_data+0x4d60/0x6f00 net/ipv6/ip6_output.c:1630
 ip6_make_skb+0x796/0xdc0 net/ipv6/ip6_output.c:1991
 udpv6_sendmsg+0x4a89/0x4f40 net/ipv6/udp.c:1541
 inet6_sendmsg+0x15b/0x1d0 net/ipv6/af_inet6.c:644
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 ____sys_sendmsg+0xe11/0x12c0 net/socket.c:2409
 ___sys_sendmsg net/socket.c:2463 [inline]
 __sys_sendmmsg+0x845/0xf60 net/socket.c:2542
 __compat_sys_sendmmsg net/compat.c:361 [inline]
 __do_compat_sys_sendmmsg net/compat.c:368 [inline]
 __se_compat_sys_sendmmsg net/compat.c:365 [inline]
 __ia32_compat_sys_sendmmsg+0x127/0x180 net/compat.c:365
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

CPU: 1 PID: 5324 Comm: syz-executor.2 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================
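Triage of a report like the one above is mostly mechanical: find the out-of-line symbol the bad read lands in (inet_frag_find, via the inlined rhashtable lookup), note that it runs in net_rx_action softirq context even though the stack bottoms out in a sendmmsg syscall (dev_loopback_xmit kicked the receive path from inside the sender), follow the "Uninit was stored to memory at" entries back to the allocation (pskb_expand_head, then the fq_find key, back to __alloc_skb under udpv6_sendmsg), and record the syscall that drove it. The script below is an added example, not code from syzbot or syzkaller, that parses a KMSAN report into those pieces; the field names, the regexes and the syscall-stub pattern are its own assumptions, and SAMPLE is an abridged copy of the report on this page with frames elided.

```python
# Triage helper for KMSAN reports (added example, not syzbot or syzkaller code).
import re
from dataclasses import dataclass
from typing import List, Optional

# Abridged copy of the report on this page (frames elided, nothing altered).
SAMPLE = """\
BUG: KMSAN: uninit-value in inet_frag_find+0x861/0x2a60 net/ipv4/inet_fragment.c:362
 rhashtable_lookup include/linux/rhashtable.h:638 [inline]
 inet_frag_find+0x861/0x2a60 net/ipv4/inet_fragment.c:362
 fq_find net/ipv6/reassembly.c:99 [inline]
 ipv6_frag_rcv+0x180a/0x4370 net/ipv6/reassembly.c:374
 __do_softirq+0x1ee/0x7c5 kernel/softirq.c:558
 dev_loopback_xmit+0x7cb/0x8d0 net/core/dev.c:3927
 udpv6_sendmsg+0x4c5a/0x4f40 net/ipv6/udp.c:1547
 __ia32_compat_sys_sendmmsg+0x127/0x180 net/compat.c:365
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Uninit was stored to memory at:
 fq_find net/ipv6/reassembly.c:86 [inline]
 ipv6_frag_rcv+0x1760/0x4370 net/ipv6/reassembly.c:374

Uninit was stored to memory at:
 pskb_expand_head+0x3c9/0x1ca0 net/core/skbuff.c:1710

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 udpv6_sendmsg+0x4a89/0x4f40 net/ipv6/udp.c:1541
 __ia32_compat_sys_sendmmsg+0x127/0x180 net/compat.c:365
"""

@dataclass
class Frame:
    func: str
    file: Optional[str]    # None for frames without source info (entry stubs)
    line: Optional[int]
    inline: bool

    def site(self):
        return (self.func, self.file, self.line)

@dataclass
class Origin:
    what: str              # "stored to memory" or "created"
    frames: List[Frame]

@dataclass
class KmsanReport:
    kind: str              # e.g. "uninit-value", "kernel-infoleak"
    access: List[Frame]    # stack of the offending read
    origins: List[Origin]  # as printed: newest copy first, the allocation last

BUG_RE = re.compile(r"^BUG: KMSAN: (?P<kind>[\w-]+) in ")
ORIGIN_RE = re.compile(r"^Uninit was (?P<what>stored to memory|created) at:$")
FRAME_RE = re.compile(r"^ (?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?: (?P<file>[\w./-]+):(?P<line>\d+))?(?P<inline> \[inline\])?$")
# assumed syscall entry-stub naming; covers the x86 wrappers seen in this report
SYSCALL_RE = re.compile(r"^__(?:x64|ia32|ia32_compat|se|se_compat|do|do_compat)_sys_(\w+)$")

def parse_kmsan_report(text: str) -> KmsanReport:
    kind = None
    access: List[Frame] = []
    origins: List[Origin] = []
    current = access                  # frames attach to the most recent header seen
    for line in text.splitlines():
        line = line.rstrip()
        if m := BUG_RE.match(line):
            kind = kind or m.group("kind")   # several BUG: lines describe one access
        elif m := ORIGIN_RE.match(line):
            origins.append(Origin(m.group("what"), []))
            current = origins[-1].frames
        elif m := FRAME_RE.match(line):
            ln = int(m.group("line")) if m.group("line") else None
            current.append(Frame(m.group("func"), m.group("file"), ln, bool(m.group("inline"))))
    if kind is None or not access:
        raise ValueError("not a KMSAN report")
    return KmsanReport(kind, access, origins)

def context_of(frames: List[Frame]) -> str:
    # softirq wins: the bottom half may have been kicked from inside a syscall (netif_rx_ni)
    if any(f.func == "__do_softirq" for f in frames):
        return "softirq"
    return "syscall" if any(SYSCALL_RE.match(f.func) for f in frames) else "unknown"

def triage(r: KmsanReport) -> dict:
    created = next((o for o in r.origins if o.what == "created"), None)
    stores = [o for o in r.origins if o.what.startswith("stored")]
    # allocation call site: first frame outside the allocator (mm/) in the "created" stack
    alloc = next((f for f in created.frames if not (f.file or "").startswith("mm/")), None) if created else None
    syscalls = [SYSCALL_RE.match(f.func).group(1) for f in r.access if SYSCALL_RE.match(f.func)]
    return {
        "kind": r.kind,
        # skip inlined helpers: the first out-of-line symbol is where a fix gets discussed
        "access_site": next((f for f in r.access if not f.inline), r.access[0]).site(),
        "access_context": context_of(r.access),
        "syscall": syscalls[0] if syscalls else None,
        "created_at": alloc.site() if alloc else None,
        "created_context": context_of(created.frames) if created else None,
        # the report lists copies newest first; reverse so the chain reads alloc -> ... -> read
        "propagation": [o.frames[0].site() for o in reversed(stores)],
    }
```

Run on SAMPLE, triage() reports the read site as inet_frag_find in softirq context, the syscall as sendmmsg, the allocation as kmalloc_reserve under __alloc_skb in syscall context, and the propagation chain pskb_expand_head then fq_find. That last pair is the thing to check when deciding whether a report like this is real: the bytes were allocated by a local sender and reached the receive path through a head copy, so the question is whether the skb head was ever written at those offsets before the fragment header was read.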

Crashes (2):
Manager                   | Time             | Kernel                                     | Commit       | Syzkaller | Config  | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kmsan-gce-386 | 2022/01/11 17:10 | https://github.com/google/kmsan.git master | fa3879a274df | 1884f55a  | .config | log | report |           |         | info    | KMSAN: uninit-value in inet_frag_find
ci-upstream-kmsan-gce-386 | 2021/12/11 00:39 | https://github.com/google/kmsan.git master | 8b936c96768e | 49ca1f59  | .config | log | report |           |         | info    | KMSAN: uninit-value in inet_frag_find