KMSAN: uninit-value in pfifo_fast

KMSAN: uninit-value in pfifo_fast_dequeue
Status: upstream: reported C repro on 2020/05/18 18:23
Reported-by: syzbot+ae62f326a5154c4b908f@syzkaller.appspotmail.com
First crash: 523d, last: 8d06h

Sample crash report:

=====================================================
BUG: KMSAN: uninit-value in kmsan_check_skb+0x3c/0x240 mm/kmsan/kmsan_hooks.c:279
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_check_skb+0x3c/0x240 mm/kmsan/kmsan_hooks.c:279
 pfifo_fast_dequeue+0x1098/0x1210 net/sched/sch_generic.c:659
 dequeue_skb+0x492/0x3760 net/sched/sch_generic.c:264
 qdisc_restart net/sched/sch_generic.c:367 [inline]
 __qdisc_run+0x101/0x490 net/sched/sch_generic.c:385
 qdisc_run include/net/pkt_sched.h:134 [inline]
 __dev_xmit_skb net/core/dev.c:3747 [inline]
 __dev_queue_xmit+0x2cfa/0x4470 net/core/dev.c:4100
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4164
 br_dev_queue_push_xmit+0xba8/0xc90 net/bridge/br_forward.c:52
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_forward_finish net/bridge/br_forward.c:65 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 __br_forward+0xd73/0xec0 net/bridge/br_forward.c:109
 deliver_clone net/bridge/br_forward.c:125 [inline]
 maybe_deliver net/bridge/br_forward.c:181 [inline]
 br_flood+0xcbe/0x1130 net/bridge/br_forward.c:223
 br_handle_frame_finish+0x1e35/0x2020 net/bridge/br_input.c:166
 nf_hook_bridge_pre net/bridge/br_input.c:250 [inline]
 br_handle_frame+0x12c9/0x25a0 net/bridge/br_input.c:356
 __netif_receive_skb_core+0x3710/0x6520 net/core/dev.c:5175
 __netif_receive_skb_one_core net/core/dev.c:5279 [inline]
 __netif_receive_skb+0x164/0x670 net/core/dev.c:5395
 process_backlog+0x50d/0xba0 net/core/dev.c:6239
 napi_poll+0x43b/0xfd0 net/core/dev.c:6684
 net_rx_action+0x35c/0xd40 net/core/dev.c:6752
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:293
 run_ksoftirqd+0x25/0x40 kernel/softirq.c:634
 smpboot_thread_fn+0x5f5/0xa90 kernel/smpboot.c:165
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:310
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:247
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:267
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:116
 pskb_expand_head+0x3fd/0x1e30 net/core/skbuff.c:1636
 __skb_cow include/linux/skbuff.h:3145 [inline]
 skb_cow_head include/linux/skbuff.h:3179 [inline]
 batadv_skb_head_push+0x2cc/0x410 net/batman-adv/soft-interface.c:75
 batadv_send_skb_packet+0x1ed/0x970 net/batman-adv/send.c:86
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:419 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb2e/0xef0 net/batman-adv/bat_iv_ogm.c:1710
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:269 [inline]
 kmsan_alloc_page+0xc5/0x1a0 mm/kmsan/kmsan_shadow.c:293
 __alloc_pages_nodemask+0xdf0/0x1030 mm/page_alloc.c:4889
 __alloc_pages include/linux/gfp.h:509 [inline]
 __alloc_pages_node include/linux/gfp.h:522 [inline]
 alloc_pages_node include/linux/gfp.h:536 [inline]
 __page_frag_cache_refill mm/page_alloc.c:4964 [inline]
 page_frag_alloc+0x35b/0x880 mm/page_alloc.c:4994
 __netdev_alloc_skb+0xc3d/0xc90 net/core/skbuff.c:456
 __netdev_alloc_skb_ip_align include/linux/skbuff.h:2826 [inline]
 netdev_alloc_skb_ip_align include/linux/skbuff.h:2836 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:558 [inline]
 batadv_iv_ogm_queue_add+0x13bf/0x1c60 net/batman-adv/bat_iv_ogm.c:670
 batadv_iv_ogm_schedule_buff net/batman-adv/bat_iv_ogm.c:833 [inline]
 batadv_iv_ogm_schedule+0xe3e/0x1660 net/batman-adv/bat_iv_ogm.c:869
 batadv_iv_send_outstanding_bat_ogm_packet+0xd69/0xef0 net/batman-adv/bat_iv_ogm.c:1722
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Bytes 52-53 of 82 are uninitialized
Memory access of size 82 starts at ffff8880b7e57040
=====================================================

Crashes (2113):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kmsan-gce	2020/08/21 05:33	https://github.com/google/kmsan.git master	ce8056d1f79e	1d75fe45	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/07/19 09:39	https://github.com/google/kmsan.git master	14525656779e	9c812472	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/03/21 20:08	https://github.com/google/kmsan.git master	a58741ac26cc	4288d95e	.config	log	report	syz	C
ci-upstream-kmsan-gce-386	2020/03/17 16:26	https://github.com/google/kmsan.git master	a58741ac26cc	749688d2	.config	log	report	syz	C
ci-upstream-kmsan-gce	2021/07/16 04:28	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/16 00:24	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/15 15:20	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/15 06:12	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/12 07:26	https://github.com/google/kmsan.git master	57b5797c8013	a4869c92	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/08 02:03	https://github.com/google/kmsan.git master	57b5797c8013	95793bce	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/06 17:04	https://github.com/google/kmsan.git master	57b5797c8013	6c4484eb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/06 08:54	https://github.com/google/kmsan.git master	57b5797c8013	6c4484eb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/04 22:00	https://github.com/google/kmsan.git master	57b5797c8013	55aa55c2	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/04 20:49	https://github.com/google/kmsan.git master	57b5797c8013	55aa55c2	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/07/03 23:21	https://github.com/google/kmsan.git master	57b5797c8013	55aa55c2	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/30 21:05	https://github.com/google/kmsan.git master	57b5797c8013	38a885d1	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/30 02:21	https://github.com/google/kmsan.git master	57b5797c8013	a4fccb01	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/29 15:33	https://github.com/google/kmsan.git master	57b5797c8013	9d2ab5df	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/26 07:49	https://github.com/google/kmsan.git master	57b5797c8013	9d2ab5df	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/23 20:08	https://github.com/google/kmsan.git master	31ffdb453231	fe4ab389	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/23 10:06	https://github.com/google/kmsan.git master	6a6a67f21dec	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/23 06:23	https://github.com/google/kmsan.git master	6a6a67f21dec	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/23 02:30	https://github.com/google/kmsan.git master	6a6a67f21dec	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/21 11:45	https://github.com/google/kmsan.git master	6a6a67f21dec	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/20 19:08	https://github.com/google/kmsan.git master	6a6a67f21dec	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/20 12:48	https://github.com/google/kmsan.git master	6a6a67f21dec	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/18 07:29	https://github.com/google/kmsan.git master	bfeba8b4c158	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/17 07:25	https://github.com/google/kmsan.git master	89a0faf20faa	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/15 19:30	https://github.com/google/kmsan.git master	7bcc9a7be76b	58636922	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2021/06/12 07:28	https://github.com/google/kmsan.git master	6099c9da2f7d	1ba81399	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/14 03:04	https://github.com/google/kmsan.git master	57b5797c8013	fa0594c3	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/13 07:40	https://github.com/google/kmsan.git master	57b5797c8013	f415556d	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/11 12:52	https://github.com/google/kmsan.git master	57b5797c8013	8f5a7b8c	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/10 19:55	https://github.com/google/kmsan.git master	57b5797c8013	8f5a7b8c	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/10 16:36	https://github.com/google/kmsan.git master	57b5797c8013	8f5a7b8c	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/07 14:49	https://github.com/google/kmsan.git master	57b5797c8013	4846d5c1	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/04 13:55	https://github.com/google/kmsan.git master	57b5797c8013	55aa55c2	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/03 04:01	https://github.com/google/kmsan.git master	57b5797c8013	55aa55c2	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/01 22:07	https://github.com/google/kmsan.git master	57b5797c8013	658ebc66	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/07/01 15:54	https://github.com/google/kmsan.git master	57b5797c8013	658ebc66	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/06/30 07:28	https://github.com/google/kmsan.git master	57b5797c8013	a4fccb01	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/06/26 00:14	https://github.com/google/kmsan.git master	57b5797c8013	ae6bf8dd	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/06/24 08:04	https://github.com/google/kmsan.git master	31ffdb453231	ec865f6a	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/06/21 04:25	https://github.com/google/kmsan.git master	6a6a67f21dec	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/06/20 17:00	https://github.com/google/kmsan.git master	6a6a67f21dec	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/06/18 01:08	https://github.com/google/kmsan.git master	bfeba8b4c158	aba2b2fb	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/06/16 08:21	https://github.com/google/kmsan.git master	7bcc9a7be76b	990d3cbe	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/06/13 16:05	https://github.com/google/kmsan.git master	6099c9da2f7d	1ba81399	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386	2021/06/12 14:56	https://github.com/google/kmsan.git master	6099c9da2f7d	1ba81399	.config	log	report			info	KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-net-kasan-gce	2021/04/23 20:58	net-next	cad4162a90ae	17f0b706	.config	log	report			info	general protection fault in pfifo_fast_dequeue
ci-upstream-linux-next-kasan-gce-root	2021/05/04 01:29	linux-next	e3d35712f85a	ad61f371	.config	log	report			info	general protection fault in pfifo_fast_dequeue
ci-upstream-linux-next-kasan-gce-root	2021/05/03 07:20	linux-next	e3d35712f85a	77e2b668	.config	log	report			info	general protection fault in pfifo_fast_dequeue
ci-upstream-kmsan-gce	2020/02/16 22:02	https://github.com/google/kmsan.git master	686a4f77cb0c	1f448cd6	.config	log	report
ci-upstream-kmsan-gce-386	2021/01/17 07:47	https://github.com/google/kmsan.git master	73d62e81b476	65a7a854	.config	log	report			info