KMSAN: uninit-value in pfifo_fast

KMSAN: uninit-value in pfifo_fast_dequeue
Status: upstream: reported C repro on 2020/05/18 18:23
Reported-by: syzbot+ae62f326a5154c4b908f@syzkaller.appspotmail.com
First crash: 430d, last: 2h47m

Sample crash report:

=====================================================
BUG: KMSAN: uninit-value in kmsan_check_skb+0x3c/0x240 mm/kmsan/kmsan_hooks.c:279
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_check_skb+0x3c/0x240 mm/kmsan/kmsan_hooks.c:279
 pfifo_fast_dequeue+0x1098/0x1210 net/sched/sch_generic.c:659
 dequeue_skb+0x492/0x3760 net/sched/sch_generic.c:264
 qdisc_restart net/sched/sch_generic.c:367 [inline]
 __qdisc_run+0x101/0x490 net/sched/sch_generic.c:385
 qdisc_run include/net/pkt_sched.h:134 [inline]
 __dev_xmit_skb net/core/dev.c:3747 [inline]
 __dev_queue_xmit+0x2cfa/0x4470 net/core/dev.c:4100
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4164
 br_dev_queue_push_xmit+0xba8/0xc90 net/bridge/br_forward.c:52
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_forward_finish net/bridge/br_forward.c:65 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 __br_forward+0xd73/0xec0 net/bridge/br_forward.c:109
 deliver_clone net/bridge/br_forward.c:125 [inline]
 maybe_deliver net/bridge/br_forward.c:181 [inline]
 br_flood+0xcbe/0x1130 net/bridge/br_forward.c:223
 br_handle_frame_finish+0x1e35/0x2020 net/bridge/br_input.c:166
 nf_hook_bridge_pre net/bridge/br_input.c:250 [inline]
 br_handle_frame+0x12c9/0x25a0 net/bridge/br_input.c:356
 __netif_receive_skb_core+0x3710/0x6520 net/core/dev.c:5175
 __netif_receive_skb_one_core net/core/dev.c:5279 [inline]
 __netif_receive_skb+0x164/0x670 net/core/dev.c:5395
 process_backlog+0x50d/0xba0 net/core/dev.c:6239
 napi_poll+0x43b/0xfd0 net/core/dev.c:6684
 net_rx_action+0x35c/0xd40 net/core/dev.c:6752
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:293
 run_ksoftirqd+0x25/0x40 kernel/softirq.c:634
 smpboot_thread_fn+0x5f5/0xa90 kernel/smpboot.c:165
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:310
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:247
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:267
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:116
 pskb_expand_head+0x3fd/0x1e30 net/core/skbuff.c:1636
 __skb_cow include/linux/skbuff.h:3145 [inline]
 skb_cow_head include/linux/skbuff.h:3179 [inline]
 batadv_skb_head_push+0x2cc/0x410 net/batman-adv/soft-interface.c:75
 batadv_send_skb_packet+0x1ed/0x970 net/batman-adv/send.c:86
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:419 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb2e/0xef0 net/batman-adv/bat_iv_ogm.c:1710
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:269 [inline]
 kmsan_alloc_page+0xc5/0x1a0 mm/kmsan/kmsan_shadow.c:293
 __alloc_pages_nodemask+0xdf0/0x1030 mm/page_alloc.c:4889
 __alloc_pages include/linux/gfp.h:509 [inline]
 __alloc_pages_node include/linux/gfp.h:522 [inline]
 alloc_pages_node include/linux/gfp.h:536 [inline]
 __page_frag_cache_refill mm/page_alloc.c:4964 [inline]
 page_frag_alloc+0x35b/0x880 mm/page_alloc.c:4994
 __netdev_alloc_skb+0xc3d/0xc90 net/core/skbuff.c:456
 __netdev_alloc_skb_ip_align include/linux/skbuff.h:2826 [inline]
 netdev_alloc_skb_ip_align include/linux/skbuff.h:2836 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:558 [inline]
 batadv_iv_ogm_queue_add+0x13bf/0x1c60 net/batman-adv/bat_iv_ogm.c:670
 batadv_iv_ogm_schedule_buff net/batman-adv/bat_iv_ogm.c:833 [inline]
 batadv_iv_ogm_schedule+0xe3e/0x1660 net/batman-adv/bat_iv_ogm.c:869
 batadv_iv_send_outstanding_bat_ogm_packet+0xd69/0xef0 net/batman-adv/bat_iv_ogm.c:1722
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Bytes 52-53 of 82 are uninitialized
Memory access of size 82 starts at ffff8880b7e57040
=====================================================

Crashes (1947):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kmsan-gce	2020/08/21 05:33	https://github.com/google/kmsan.git master	ce8056d1	1d75fe45	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/07/19 09:39	https://github.com/google/kmsan.git master	14525656	9c812472	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/03/21 20:08	https://github.com/google/kmsan.git master	a58741ac	4288d95e	.config	log	report	syz	C
ci-upstream-kmsan-gce-386	2020/03/17 16:26	https://github.com/google/kmsan.git master	a58741ac	749688d2	.config	log	report	syz	C
ci-upstream-kmsan-gce	2021/04/20 23:41	https://github.com/google/kmsan.git master	4ebaab5f	c0ced557	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/19 17:01	https://github.com/google/kmsan.git master	4ebaab5f	50f523d7	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/19 14:08	https://github.com/google/kmsan.git master	4ebaab5f	50f523d7	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/17 20:32	https://github.com/google/kmsan.git master	4ebaab5f	7e2b734b	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/16 23:25	https://github.com/google/kmsan.git master	4ebaab5f	7e2b734b	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/16 21:46	https://github.com/google/kmsan.git master	4ebaab5f	7e2b734b	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/16 16:18	https://github.com/google/kmsan.git master	4ebaab5f	7e2b734b	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/16 02:13	https://github.com/google/kmsan.git master	4ebaab5f	c59079a6	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/14 03:20	https://github.com/google/kmsan.git master	4ebaab5f	a184b83e	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/13 21:42	https://github.com/google/kmsan.git master	4ebaab5f	a184b83e	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/11 22:32	https://github.com/google/kmsan.git master	4ebaab5f	bfeda1b1	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/10 14:07	https://github.com/google/kmsan.git master	4ebaab5f	bfeda1b1	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/09 19:13	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/08 17:58	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/08 04:55	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/05 11:09	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/04 14:46	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/03 22:59	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/02 21:12	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/02 13:14	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/04/01 11:08	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/03/31 09:00	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/03/30 08:46	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/03/30 04:22	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/03/28 03:43	https://github.com/google/kmsan.git master	29ad81a1	a8529b82	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/03/25 08:26	https://github.com/google/kmsan.git master	29ad81a1	607e3baf	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/03/24 19:22	https://github.com/google/kmsan.git master	29ad81a1	607e3baf	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/20 20:23	https://github.com/google/kmsan.git master	4ebaab5f	c0ced557	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/20 12:38	https://github.com/google/kmsan.git master	4ebaab5f	c0ced557	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/18 03:48	https://github.com/google/kmsan.git master	4ebaab5f	7e2b734b	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/14 15:06	https://github.com/google/kmsan.git master	4ebaab5f	3134b37f	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/14 10:34	https://github.com/google/kmsan.git master	4ebaab5f	3134b37f	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/13 09:24	https://github.com/google/kmsan.git master	4ebaab5f	bfeda1b1	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/13 04:47	https://github.com/google/kmsan.git master	4ebaab5f	bfeda1b1	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/12 15:09	https://github.com/google/kmsan.git master	4ebaab5f	bfeda1b1	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/12 13:20	https://github.com/google/kmsan.git master	4ebaab5f	bfeda1b1	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/11 04:56	https://github.com/google/kmsan.git master	4ebaab5f	bfeda1b1	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/10 00:21	https://github.com/google/kmsan.git master	4ebaab5f	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/09 07:39	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/04/03 01:44	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/03/31 04:32	https://github.com/google/kmsan.git master	29ad81a1	6a81331a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/03/29 05:21	https://github.com/google/kmsan.git master	29ad81a1	a8529b82	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/03/28 22:43	https://github.com/google/kmsan.git master	29ad81a1	a8529b82	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/03/28 03:53	https://github.com/google/kmsan.git master	29ad81a1	a8529b82	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/03/27 12:16	https://github.com/google/kmsan.git master	29ad81a1	a8529b82	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/03/26 09:09	https://github.com/google/kmsan.git master	29ad81a1	6a383ecf	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-net-kasan-gce	2021/04/21 20:38	net-next	53e35ebb	2bc8999a	.config	log	report			info	general protection fault in pfifo_fast_dequeue
ci-upstream-linux-next-kasan-gce-root	2021/04/21 11:44	linux-next	b7452388	95777977	.config	log	report			info	general protection fault in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2020/02/16 22:02	https://github.com/google/kmsan.git master	686a4f77	1f448cd6	.config	log	report
ci-upstream-kmsan-gce-386	2021/01/17 07:47	https://github.com/google/kmsan.git master	73d62e81	65a7a854	.config	log	report			info