syzbot

 sign-in | mailing list | source | docs
🐞 Open [1510]
Subsystems
🐞 Fixed [6529]
🐞 Invalid [16647]
Missing Backports [205]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KMSAN: uninit-value in update_load_avg

Status: closed as invalid on 2018/07/20 10:48
Subsystems: net
[Documentation on labels]
First crash: 2626d, last: 2626d

Sample crash report:
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
RBP: 000000000072bea0 R08: 00000000200043c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014
R13: 00000000004c0914 R14: 00000000004d04f8 R15: 0000000000000000
==================================================================
BUG: KMSAN: uninit-value in update_load_avg+0x83f/0x2cc0 kernel/sched/fair.c:3794
CPU: 1 PID: 31831 Comm: syz-executor1 Not tainted 4.17.0+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
 __msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620
 update_load_avg+0x83f/0x2cc0 kernel/sched/fair.c:3794
 put_prev_entity+0x457/0x700 kernel/sched/fair.c:4447
 pick_next_task_fair+0x1e6a/0x2530 kernel/sched/fair.c:6934
 pick_next_task+0x1ba/0x420 kernel/sched/core.c:3368
 __schedule+0x20f/0x770 kernel/sched/core.c:3498
 preempt_schedule_common kernel/sched/core.c:3648 [inline]
 _cond_resched+0x5e/0xd0 kernel/sched/core.c:4999
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc_node mm/slub.c:2679 [inline]
 kmem_cache_alloc_node+0x121/0xc80 mm/slub.c:2795
 __alloc_skb+0x202/0x9e0 net/core/skbuff.c:194
 alloc_skb include/linux/skbuff.h:988 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 netlink_ack+0x553/0x1140 net/netlink/af_netlink.c:2382
 netlink_rcv_skb+0x312/0x600 net/netlink/af_netlink.c:2454
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x455b29
RSP: 002b:00007f9ec28d0c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f9ec28d16d4 RCX: 0000000000455b29
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004c0f0f R14: 00000000004d0db0 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 ___update_load_sum kernel/sched/fair.c:3193 [inline]
 __update_load_avg_cfs_rq kernel/sched/fair.c:3320 [inline]
 update_cfs_rq_load_avg+0x12f5/0x1aa0 kernel/sched/fair.c:3696
 update_load_avg+0xe50/0x2cc0 kernel/sched/fair.c:3797
 set_next_entity+0x131/0xb60 kernel/sched/fair.c:4345
 pick_next_task_fair+0x1f3c/0x2530 kernel/sched/fair.c:6938
 pick_next_task+0x1ba/0x420 kernel/sched/core.c:3368
 __schedule+0x20f/0x770 kernel/sched/core.c:3498
 preempt_schedule_common kernel/sched/core.c:3648 [inline]
 _cond_resched+0x5e/0xd0 kernel/sched/core.c:4999
 zap_pmd_range mm/memory.c:1444 [inline]
 zap_pud_range mm/memory.c:1471 [inline]
 zap_p4d_range mm/memory.c:1492 [inline]
 unmap_page_range+0x35e0/0x3be0 mm/memory.c:1513
 unmap_single_vma+0x445/0x5e0 mm/memory.c:1558
 unmap_vmas+0x1f4/0x360 mm/memory.c:1588
 exit_mmap+0x4d7/0x980 mm/mmap.c:3105
 __mmput+0x158/0x600 kernel/fork.c:962
 mmput+0xab/0xf0 kernel/fork.c:983
 exit_mm+0x6ed/0x7a0 kernel/exit.c:545
 do_exit+0xc12/0x3930 kernel/exit.c:854
 do_group_exit+0x1a0/0x360 kernel/exit.c:970
 get_signal+0x1405/0x1ec0 kernel/signal.c:2482
 do_signal+0xb8/0x1d20 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop arch/x86/entry/common.c:162 [inline]
 prepare_exit_to_usermode+0x271/0x3a0 arch/x86/entry/common.c:196
 syscall_return_slowpath+0xe9/0x710 arch/x86/entry/common.c:265
 do_syscall_64+0x1ad/0x230 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 ___update_load_sum kernel/sched/fair.c:3193 [inline]
 __update_load_avg_cfs_rq kernel/sched/fair.c:3320 [inline]
 update_cfs_rq_load_avg+0x12f5/0x1aa0 kernel/sched/fair.c:3696
 update_load_avg+0xe50/0x2cc0 kernel/sched/fair.c:3797
 enqueue_entity kernel/sched/fair.c:4173 [inline]
 enqueue_task_fair+0x558/0x4490 kernel/sched/fair.c:5359
 enqueue_task kernel/sched/core.c:751 [inline]
 activate_task kernel/sched/core.c:770 [inline]
 ttwu_activate kernel/sched/core.c:1658 [inline]
 ttwu_do_activate kernel/sched/core.c:1717 [inline]
 ttwu_queue kernel/sched/core.c:1862 [inline]
 try_to_wake_up+0x162f/0x2260 kernel/sched/core.c:2075
 wake_up_process+0x34/0x40 kernel/sched/core.c:2148
 hrtimer_wakeup+0xac/0x100 kernel/time/hrtimer.c:1647
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0xc54/0x1630 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x451/0x13c0 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt+0x6b/0x250 arch/x86/kernel/apic/apic.c:1025
 smp_apic_timer_interrupt+0x5a/0x90 arch/x86/kernel/apic/apic.c:1053

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 ___update_load_sum kernel/sched/fair.c:3193 [inline]
 __update_load_avg_cfs_rq kernel/sched/fair.c:3320 [inline]
 update_cfs_rq_load_avg+0x12f5/0x1aa0 kernel/sched/fair.c:3696
 update_load_avg+0xe50/0x2cc0 kernel/sched/fair.c:3797
 dequeue_entity kernel/sched/fair.c:4257 [inline]
 dequeue_task_fair+0x13f/0x3300 kernel/sched/fair.c:5407
 dequeue_task kernel/sched/core.c:762 [inline]
 deactivate_task+0x560/0x7d0 kernel/sched/core.c:778
 __schedule+0x164/0x770 kernel/sched/core.c:3474
 schedule+0x1cc/0x2f0 kernel/sched/core.c:3568
 freezable_schedule include/linux/freezer.h:172 [inline]
 do_nanosleep+0x2c3/0x9c0 kernel/time/hrtimer.c:1689
 hrtimer_nanosleep kernel/time/hrtimer.c:1743 [inline]
 __do_sys_nanosleep kernel/time/hrtimer.c:1775 [inline]
 __se_sys_nanosleep+0x4b3/0x6a0 kernel/time/hrtimer.c:1762
 __x64_sys_nanosleep+0x92/0xc0 kernel/time/hrtimer.c:1762
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 ___update_load_sum kernel/sched/fair.c:3193 [inline]
 __update_load_avg_cfs_rq kernel/sched/fair.c:3320 [inline]
 update_cfs_rq_load_avg+0x12f5/0x1aa0 kernel/sched/fair.c:3696
 update_load_avg+0xe50/0x2cc0 kernel/sched/fair.c:3797
 set_next_entity+0x131/0xb60 kernel/sched/fair.c:4345
 pick_next_task_fair+0x1f3c/0x2530 kernel/sched/fair.c:6938
 pick_next_task+0x1ba/0x420 kernel/sched/core.c:3368
 __schedule+0x20f/0x770 kernel/sched/core.c:3498
 preempt_schedule_common kernel/sched/core.c:3648 [inline]
 _cond_resched+0x5e/0xd0 kernel/sched/core.c:4999
 prepare_alloc_pages mm/page_alloc.c:4324 [inline]
 __alloc_pages_nodemask+0x457/0x5cc0 mm/page_alloc.c:4365
 alloc_pages_vma+0xcc6/0x17f0 mm/mempolicy.c:2057
 alloc_zeroed_user_highpage_movable include/linux/highmem.h:187 [inline]
 wp_page_copy+0x2fe/0x2470 mm/memory.c:2486
 do_wp_page+0xe83/0x2fa0 include/linux/spinlock_api_smp.h:152
 handle_pte_fault mm/memory.c:3981 [inline]
 __handle_mm_fault mm/memory.c:4089 [inline]
 handle_mm_fault+0x33a9/0x7ed0 mm/memory.c:4126
 __do_page_fault+0xec6/0x1a10 arch/x86/mm/fault.c:1400
 do_page_fault+0xb7/0x250 arch/x86/mm/fault.c:1477
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1163

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 ___update_load_sum kernel/sched/fair.c:3193 [inline]
 __update_load_avg_cfs_rq kernel/sched/fair.c:3320 [inline]
 update_cfs_rq_load_avg+0x12f5/0x1aa0 kernel/sched/fair.c:3696
 update_load_avg+0xe50/0x2cc0 kernel/sched/fair.c:3797
 enqueue_entity kernel/sched/fair.c:4173 [inline]
 enqueue_task_fair+0x558/0x4490 kernel/sched/fair.c:5359
 enqueue_task kernel/sched/core.c:751 [inline]
 activate_task kernel/sched/core.c:770 [inline]
 ttwu_activate kernel/sched/core.c:1658 [inline]
 ttwu_do_activate kernel/sched/core.c:1717 [inline]
 ttwu_queue kernel/sched/core.c:1862 [inline]
 try_to_wake_up+0x162f/0x2260 kernel/sched/core.c:2075
 wake_up_process+0x34/0x40 kernel/sched/core.c:2148
 hrtimer_wakeup+0xac/0x100 kernel/time/hrtimer.c:1647
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0xc54/0x1630 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x451/0x13c0 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt+0x6b/0x250 arch/x86/kernel/apic/apic.c:1025
 smp_apic_timer_interrupt+0x5a/0x90 arch/x86/kernel/apic/apic.c:1053

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 ___update_load_sum kernel/sched/fair.c:3193 [inline]
 __update_load_avg_cfs_rq kernel/sched/fair.c:3320 [inline]
 update_cfs_rq_load_avg+0x12f5/0x1aa0 kernel/sched/fair.c:3696
 update_load_avg+0xe50/0x2cc0 kernel/sched/fair.c:3797
 dequeue_entity kernel/sched/fair.c:4257 [inline]
 dequeue_task_fair+0x13f/0x3300 kernel/sched/fair.c:5407
 dequeue_task kernel/sched/core.c:762 [inline]
 deactivate_task+0x560/0x7d0 kernel/sched/core.c:778
 __schedule+0x164/0x770 kernel/sched/core.c:3474
 schedule+0x1cc/0x2f0 kernel/sched/core.c:3568
 freezable_schedule include/linux/freezer.h:172 [inline]
 do_nanosleep+0x2c3/0x9c0 kernel/time/hrtimer.c:1689
 hrtimer_nanosleep kernel/time/hrtimer.c:1743 [inline]
 __do_sys_nanosleep kernel/time/hrtimer.c:1775 [inline]
 __se_sys_nanosleep+0x4b3/0x6a0 kernel/time/hrtimer.c:1762
 __x64_sys_nanosleep+0x92/0xc0 kernel/time/hrtimer.c:1762
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:297 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:689
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:464
 ___update_load_sum kernel/sched/fair.c:3193 [inline]
 __update_load_avg_cfs_rq kernel/sched/fair.c:3320 [inline]
 update_cfs_rq_load_avg+0x12f5/0x1aa0 kernel/sched/fair.c:3696
 update_load_avg+0xe50/0x2cc0 kernel/sched/fair.c:3797
 set_next_entity+0x131/0xb60 kernel/sched/fair.c:4345
 pick_next_task_fair+0x1f3c/0x2530 kernel/sched/fair.c:6938
 pick_next_task+0x1ba/0x420 kernel/sched/core.c:3368
 __schedule+0x20f/0x770 kernel/sched/core.c:3498
 preempt_schedule_common kernel/sched/core.c:3648 [inline]
 _cond_resched+0x5e/0xd0 kernel/sched/core.c:4999
 zap_pmd_range mm/memory.c:1444 [inline]
 zap_pud_range mm/memory.c:1471 [inline]
 zap_p4d_range mm/memory.c:1492 [inline]
 unmap_page_range+0x35e0/0x3be0 mm/memory.c:1513
 unmap_single_vma+0x445/0x5e0 mm/memory.c:1558
 unmap_vmas+0x1f4/0x360 mm/memory.c:1588
 exit_mmap+0x4d7/0x980 mm/mmap.c:3105
 __mmput+0x158/0x600 kernel/fork.c:962
 mmput+0xab/0xf0 kernel/fork.c:983
 exit_mm+0x6ed/0x7a0 kernel/exit.c:545
 do_exit+0xc12/0x3930 kernel/exit.c:854
 do_group_exit+0x1a0/0x360 kernel/exit.c:970
 __do_sys_exit_group+0x21/0x30 kernel/exit.c:981
 __se_sys_exit_group+0x14/0x20 kernel/exit.c:979
 __x64_sys_exit_group+0x4c/0x50 kernel/exit.c:979
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Local variable description: ----addr@___sys_recvmsg
Variable was created at:
 ___sys_recvmsg+0xd5/0x810 net/socket.c:2246
 __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/06/20 01:09 https://github.com/google/kmsan.git master 123906095e30 095ef806 .config console log report ci-upstream-kmsan-gce
* Struck through repros no longer work on HEAD.