syzbot


KMSAN: uninit-value in pfifo_fast_dequeue

Status: upstream: reported C repro on 2020/05/18 18:23
Reported-by: syzbot+ae62f326a5154c4b908f@syzkaller.appspotmail.com
First crash: 870d, last: 346d

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in kmsan_check_skb+0x3c/0x240 mm/kmsan/kmsan_hooks.c:279
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_check_skb+0x3c/0x240 mm/kmsan/kmsan_hooks.c:279
 pfifo_fast_dequeue+0x1098/0x1210 net/sched/sch_generic.c:659
 dequeue_skb+0x492/0x3760 net/sched/sch_generic.c:264
 qdisc_restart net/sched/sch_generic.c:367 [inline]
 __qdisc_run+0x101/0x490 net/sched/sch_generic.c:385
 qdisc_run include/net/pkt_sched.h:134 [inline]
 __dev_xmit_skb net/core/dev.c:3747 [inline]
 __dev_queue_xmit+0x2cfa/0x4470 net/core/dev.c:4100
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4164
 br_dev_queue_push_xmit+0xba8/0xc90 net/bridge/br_forward.c:52
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_forward_finish net/bridge/br_forward.c:65 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 __br_forward+0xd73/0xec0 net/bridge/br_forward.c:109
 deliver_clone net/bridge/br_forward.c:125 [inline]
 maybe_deliver net/bridge/br_forward.c:181 [inline]
 br_flood+0xcbe/0x1130 net/bridge/br_forward.c:223
 br_handle_frame_finish+0x1e35/0x2020 net/bridge/br_input.c:166
 nf_hook_bridge_pre net/bridge/br_input.c:250 [inline]
 br_handle_frame+0x12c9/0x25a0 net/bridge/br_input.c:356
 __netif_receive_skb_core+0x3710/0x6520 net/core/dev.c:5175
 __netif_receive_skb_one_core net/core/dev.c:5279 [inline]
 __netif_receive_skb+0x164/0x670 net/core/dev.c:5395
 process_backlog+0x50d/0xba0 net/core/dev.c:6239
 napi_poll+0x43b/0xfd0 net/core/dev.c:6684
 net_rx_action+0x35c/0xd40 net/core/dev.c:6752
 __do_softirq+0x2ea/0x7f5 kernel/softirq.c:293
 run_ksoftirqd+0x25/0x40 kernel/softirq.c:634
 smpboot_thread_fn+0x5f5/0xa90 kernel/smpboot.c:165
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:310
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:247
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:267
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:116
 pskb_expand_head+0x3fd/0x1e30 net/core/skbuff.c:1636
 __skb_cow include/linux/skbuff.h:3145 [inline]
 skb_cow_head include/linux/skbuff.h:3179 [inline]
 batadv_skb_head_push+0x2cc/0x410 net/batman-adv/soft-interface.c:75
 batadv_send_skb_packet+0x1ed/0x970 net/batman-adv/send.c:86
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:419 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb2e/0xef0 net/batman-adv/bat_iv_ogm.c:1710
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:269 [inline]
 kmsan_alloc_page+0xc5/0x1a0 mm/kmsan/kmsan_shadow.c:293
 __alloc_pages_nodemask+0xdf0/0x1030 mm/page_alloc.c:4889
 __alloc_pages include/linux/gfp.h:509 [inline]
 __alloc_pages_node include/linux/gfp.h:522 [inline]
 alloc_pages_node include/linux/gfp.h:536 [inline]
 __page_frag_cache_refill mm/page_alloc.c:4964 [inline]
 page_frag_alloc+0x35b/0x880 mm/page_alloc.c:4994
 __netdev_alloc_skb+0xc3d/0xc90 net/core/skbuff.c:456
 __netdev_alloc_skb_ip_align include/linux/skbuff.h:2826 [inline]
 netdev_alloc_skb_ip_align include/linux/skbuff.h:2836 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:558 [inline]
 batadv_iv_ogm_queue_add+0x13bf/0x1c60 net/batman-adv/bat_iv_ogm.c:670
 batadv_iv_ogm_schedule_buff net/batman-adv/bat_iv_ogm.c:833 [inline]
 batadv_iv_ogm_schedule+0xe3e/0x1660 net/batman-adv/bat_iv_ogm.c:869
 batadv_iv_send_outstanding_bat_ogm_packet+0xd69/0xef0 net/batman-adv/bat_iv_ogm.c:1722
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Bytes 52-53 of 82 are uninitialized
Memory access of size 82 starts at ffff8880b7e57040
=====================================================

Crashes (2114):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kmsan-gce | 2020/08/21 05:33 | https://github.com/google/kmsan.git master | ce8056d1f79e | 1d75fe45 | .config | log | report | syz | C | |
ci-upstream-kmsan-gce | 2020/07/19 09:39 | https://github.com/google/kmsan.git master | 14525656779e | 9c812472 | .config | log | report | syz | C | |
ci-upstream-kmsan-gce | 2020/03/21 20:08 | https://github.com/google/kmsan.git master | a58741ac26cc | 4288d95e | .config | log | report | syz | C | |
ci-upstream-kmsan-gce-386 | 2020/03/17 16:26 | https://github.com/google/kmsan.git master | a58741ac26cc | 749688d2 | .config | log | report | syz | C | |
ci-upstream-kmsan-gce | 2021/07/16 04:28 | https://github.com/google/kmsan.git master | 57b5797c8013 | f115ae98 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/16 00:24 | https://github.com/google/kmsan.git master | 57b5797c8013 | f115ae98 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/15 15:20 | https://github.com/google/kmsan.git master | 57b5797c8013 | b9a2f64e | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/15 06:12 | https://github.com/google/kmsan.git master | 57b5797c8013 | b9a2f64e | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/12 07:26 | https://github.com/google/kmsan.git master | 57b5797c8013 | a4869c92 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/08 02:03 | https://github.com/google/kmsan.git master | 57b5797c8013 | 95793bce | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/06 17:04 | https://github.com/google/kmsan.git master | 57b5797c8013 | 6c4484eb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/06 08:54 | https://github.com/google/kmsan.git master | 57b5797c8013 | 6c4484eb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/04 22:00 | https://github.com/google/kmsan.git master | 57b5797c8013 | 55aa55c2 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/04 20:49 | https://github.com/google/kmsan.git master | 57b5797c8013 | 55aa55c2 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/07/03 23:21 | https://github.com/google/kmsan.git master | 57b5797c8013 | 55aa55c2 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/30 21:05 | https://github.com/google/kmsan.git master | 57b5797c8013 | 38a885d1 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/30 02:21 | https://github.com/google/kmsan.git master | 57b5797c8013 | a4fccb01 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/29 15:33 | https://github.com/google/kmsan.git master | 57b5797c8013 | 9d2ab5df | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/26 07:49 | https://github.com/google/kmsan.git master | 57b5797c8013 | 9d2ab5df | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/23 20:08 | https://github.com/google/kmsan.git master | 31ffdb453231 | fe4ab389 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/23 10:06 | https://github.com/google/kmsan.git master | 6a6a67f21dec | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/23 06:23 | https://github.com/google/kmsan.git master | 6a6a67f21dec | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/23 02:30 | https://github.com/google/kmsan.git master | 6a6a67f21dec | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/21 11:45 | https://github.com/google/kmsan.git master | 6a6a67f21dec | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/20 19:08 | https://github.com/google/kmsan.git master | 6a6a67f21dec | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/20 12:48 | https://github.com/google/kmsan.git master | 6a6a67f21dec | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/18 07:29 | https://github.com/google/kmsan.git master | bfeba8b4c158 | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/17 07:25 | https://github.com/google/kmsan.git master | 89a0faf20faa | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/15 19:30 | https://github.com/google/kmsan.git master | 7bcc9a7be76b | 58636922 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2021/06/12 07:28 | https://github.com/google/kmsan.git master | 6099c9da2f7d | 1ba81399 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/25 16:13 | https://github.com/google/kmsan.git master | a43e029dee89 | 4d1b57d4 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/14 03:04 | https://github.com/google/kmsan.git master | 57b5797c8013 | fa0594c3 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/13 07:40 | https://github.com/google/kmsan.git master | 57b5797c8013 | f415556d | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/11 12:52 | https://github.com/google/kmsan.git master | 57b5797c8013 | 8f5a7b8c | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/10 19:55 | https://github.com/google/kmsan.git master | 57b5797c8013 | 8f5a7b8c | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/10 16:36 | https://github.com/google/kmsan.git master | 57b5797c8013 | 8f5a7b8c | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/07 14:49 | https://github.com/google/kmsan.git master | 57b5797c8013 | 4846d5c1 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/04 13:55 | https://github.com/google/kmsan.git master | 57b5797c8013 | 55aa55c2 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/03 04:01 | https://github.com/google/kmsan.git master | 57b5797c8013 | 55aa55c2 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/01 22:07 | https://github.com/google/kmsan.git master | 57b5797c8013 | 658ebc66 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/07/01 15:54 | https://github.com/google/kmsan.git master | 57b5797c8013 | 658ebc66 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/06/30 07:28 | https://github.com/google/kmsan.git master | 57b5797c8013 | a4fccb01 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/06/26 00:14 | https://github.com/google/kmsan.git master | 57b5797c8013 | ae6bf8dd | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/06/24 08:04 | https://github.com/google/kmsan.git master | 31ffdb453231 | ec865f6a | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/06/21 04:25 | https://github.com/google/kmsan.git master | 6a6a67f21dec | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/06/20 17:00 | https://github.com/google/kmsan.git master | 6a6a67f21dec | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/06/18 01:08 | https://github.com/google/kmsan.git master | bfeba8b4c158 | aba2b2fb | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/06/16 08:21 | https://github.com/google/kmsan.git master | 7bcc9a7be76b | 990d3cbe | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/06/13 16:05 | https://github.com/google/kmsan.git master | 6099c9da2f7d | 1ba81399 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-kmsan-gce-386 | 2021/06/12 14:56 | https://github.com/google/kmsan.git master | 6099c9da2f7d | 1ba81399 | .config | log | report | | | info | KMSAN: uninit-value in pfifo_fast_dequeue
ci-upstream-net-kasan-gce | 2021/04/23 20:58 | net-next | cad4162a90ae | 17f0b706 | .config | log | report | | | info | general protection fault in pfifo_fast_dequeue
ci-upstream-linux-next-kasan-gce-root | 2021/05/04 01:29 | linux-next | e3d35712f85a | ad61f371 | .config | log | report | | | info | general protection fault in pfifo_fast_dequeue
ci-upstream-linux-next-kasan-gce-root | 2021/05/03 07:20 | linux-next | e3d35712f85a | 77e2b668 | .config | log | report | | | info | general protection fault in pfifo_fast_dequeue
ci-upstream-kmsan-gce | 2020/02/16 22:02 | https://github.com/google/kmsan.git master | 686a4f77cb0c | 1f448cd6 | .config | log | report | | | |
ci-upstream-kmsan-gce-386 | 2021/01/17 07:47 | https://github.com/google/kmsan.git master | 73d62e81b476 | 65a7a854 | .config | log | report | | | info |