KMSAN: uninit-value in batadv_iv_send_outstanding_bat_ogm_packet

From: syzbot
Date: Wed Aug 21 2019 - 18:38:11 EST

Next message: syzbot: "WARNING: bad usercopy in hidraw_ioctl"
Previous message: Frederic Weisbecker: "Re: [patch V2 01/38] posix-cpu-timers: Provide task validation functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

syzbot found the following crash on:

HEAD commit: 61ccdad1 Revert "drm/bochs: Use shadow buffer for bochs fr..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13d6909c600000
kernel config: https://syzkaller.appspot.com/x/.config?x=27abc558ecb16a3b
dashboard link: https://syzkaller.appspot.com/bug?extid=355cab184197dbbfa384
compiler: clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1612b9d2600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11d388ac600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+355cab184197dbbfa384@xxxxxxxxxxxxxxxxxxxxxxxxx

==================================================================
BUG: KMSAN: uninit-value in batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:317 [inline]
BUG: KMSAN: uninit-value in batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:383 [inline]
BUG: KMSAN: uninit-value in batadv_iv_send_outstanding_bat_ogm_packet+0x6cd/0xcc0 net/batman-adv/bat_iv_ogm.c:1657
CPU: 1 PID: 290 Comm: kworker/u4:7 Not tainted 5.3.0-rc3+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x191/0x1f0 lib/dump_stack.c:113
kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
__msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:317 [inline]
batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:383 [inline]
batadv_iv_send_outstanding_bat_ogm_packet+0x6cd/0xcc0 net/batman-adv/bat_iv_ogm.c:1657
process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
kthread+0x4b5/0x4f0 kernel/kthread.c:256
ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Uninit was created at:
kmsan_save_stack_with_flags+0x37/0x70 mm/kmsan/kmsan.c:187
kmsan_internal_alloc_meta_for_pages+0x123/0x510 mm/kmsan/kmsan_hooks.c:114
kmsan_alloc_page+0x7a/0xf0 mm/kmsan/kmsan_hooks.c:244
__alloc_pages_nodemask+0x142d/0x5fa0 mm/page_alloc.c:4768
__alloc_pages include/linux/gfp.h:475 [inline]
__alloc_pages_node include/linux/gfp.h:488 [inline]
alloc_pages_node include/linux/gfp.h:502 [inline]
__page_frag_cache_refill mm/page_alloc.c:4843 [inline]
page_frag_alloc+0x35b/0x890 mm/page_alloc.c:4873
__napi_alloc_skb+0x195/0x980 net/core/skbuff.c:519
napi_alloc_skb include/linux/skbuff.h:2808 [inline]
page_to_skb+0x134/0x1150 drivers/net/virtio_net.c:384
receive_mergeable drivers/net/virtio_net.c:924 [inline]
receive_buf+0xe7b/0x8810 drivers/net/virtio_net.c:1033
virtnet_receive drivers/net/virtio_net.c:1323 [inline]
virtnet_poll+0x666/0x19d0 drivers/net/virtio_net.c:1428
napi_poll net/core/dev.c:6347 [inline]
net_rx_action+0x74b/0x1950 net/core/dev.c:6413
__do_softirq+0x4a1/0x83a kernel/softirq.c:293
invoke_softirq kernel/softirq.c:375 [inline]
irq_exit+0x230/0x280 kernel/softirq.c:416
exiting_irq arch/x86/include/asm/apic.h:537 [inline]
do_IRQ+0x20d/0x3a0 arch/x86/kernel/irq.c:259
ret_from_intr+0x0/0x33
kmsan_get_shadow_origin_ptr+0x6/0x3a0 mm/kmsan/kmsan.c:656
__msan_metadata_ptr_for_load_8+0x10/0x20 mm/kmsan/kmsan_instr.c:55
compound_head include/linux/compiler.h:206 [inline]
PageReferenced include/linux/page-flags.h:315 [inline]
mark_page_accessed+0x30c/0xa00 mm/swap.c:391
touch_buffer fs/buffer.c:60 [inline]
__find_get_block+0x1681/0x19e0 fs/buffer.c:1303
__getblk_gfp+0xc5/0x1080 fs/buffer.c:1321
sb_getblk include/linux/buffer_head.h:325 [inline]
__ext4_get_inode_loc+0x647/0x1c80 fs/ext4/inode.c:4611
ext4_get_inode_loc fs/ext4/inode.c:4726 [inline]
ext4_reserve_inode_write+0x15d/0x430 fs/ext4/inode.c:5919
ext4_mark_inode_dirty+0x2dd/0xca0 fs/ext4/inode.c:6071
ext4_dirty_inode+0x187/0x1d0 fs/ext4/inode.c:6110
__mark_inode_dirty+0x486/0x1380 fs/fs-writeback.c:2170
mark_inode_dirty include/linux/fs.h:2138 [inline]
generic_write_end+0x3f7/0x460 fs/buffer.c:2164
ext4_da_write_end+0x1050/0x1240 fs/ext4/inode.c:3217
generic_perform_write+0x618/0x990 mm/filemap.c:3341
__generic_file_write_iter+0x421/0xa30 mm/filemap.c:3459
ext4_file_write_iter+0xc97/0x2010 fs/ext4/file.c:270
call_write_iter include/linux/fs.h:1870 [inline]
new_sync_write fs/read_write.c:483 [inline]
__vfs_write+0xa2c/0xcb0 fs/read_write.c:496
vfs_write+0x481/0x920 fs/read_write.c:558
ksys_write+0x265/0x430 fs/read_write.c:611
__do_sys_write fs/read_write.c:623 [inline]
__se_sys_write+0x92/0xb0 fs/read_write.c:620
__x64_sys_write+0x4a/0x70 fs/read_write.c:620
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x63/0xe7
==================================================================

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Next message: syzbot: "WARNING: bad usercopy in hidraw_ioctl"
Previous message: Frederic Weisbecker: "Re: [patch V2 01/38] posix-cpu-timers: Provide task validation functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]