syzbot

 sign-in | mailing list | source | docs
🐞 Open [1490]
Subsystems
🐞 Fixed [6693]
🐞 Invalid [17166]
Missing Backports [216]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KMSAN: uninit-value in ipvlan_queue_xmit (2)

Status: fixed on 2024/05/22 23:26
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+42a0dc856239de4de60e@syzkaller.appspotmail.com
Fix commit: 4b911a9690d7 nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
First crash: 619d, last: 600d
Discussions (2)
Title Replies (including bot) Last reply
[PATCH v2 net] nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 3 (3) 2024/04/26 10:50
[syzbot] [net?] KMSAN: uninit-value in ipvlan_queue_xmit (2) 3 (5) 2024/04/23 01:46
Similar bugs (7)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in ipvlan_queue_xmit net 7 C 2 1158d 1741d 22/29 fixed on 2023/02/24 13:50
linux-4.14 KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit 17 C error 1 1158d 1158d 0/1 upstream: reported C repro on 2022/08/30 13:48
upstream KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit net 17 C error error 8 1343d 1820d 22/29 fixed on 2023/02/24 13:50
upstream Internal error in ipvlan_queue_xmit net 2 3 725d 758d 0/29 auto-obsoleted due to no activity on 2024/02/04 03:58
linux-4.19 KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit 17 C error 4 996d 1796d 0/1 upstream: reported C repro on 2020/11/30 08:36
linux-4.19 KASAN: use-after-free Read in ipvlan_queue_xmit (2) 19 C error 2 1158d 1627d 0/1 upstream: reported C repro on 2021/05/18 15:37
upstream KASAN: use-after-free Read in ipvlan_queue_xmit (3) net 19 C error error 8 1184d 1782d 22/29 fixed on 2023/02/24 13:51
Last patch testing requests (2)
Created Duration User Patch Repo Result
2024/04/22 16:07 7h04m kuniyu@amazon.com patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git f2e367d6ad3bdc527c2b14e759c2f010d6b2b7a1 OK log
2024/03/10 07:07 22m retest repro upstream report log

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
 ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
 ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
 ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
 ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222
 __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
 netdev_start_xmit include/linux/netdevice.h:5003 [inline]
 xmit_one net/core/dev.c:3547 [inline]
 dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
 __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3081 [inline]
 packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x735/0xa10 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3819 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 __do_kmalloc_node mm/slub.c:3980 [inline]
 __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001
 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
 __alloc_skb+0x352/0x790 net/core/skbuff.c:651
 skb_segment+0x20aa/0x7080 net/core/skbuff.c:4647
 udp6_ufo_fragment+0xcab/0x1150 net/ipv6/udp_offload.c:109
 ipv6_gso_segment+0x14be/0x2ca0 net/ipv6/ip6_offload.c:152
 skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
 nsh_gso_segment+0x6f4/0xf70 net/nsh/nsh.c:108
 skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
 __skb_gso_segment+0x4b0/0x730 net/core/gso.c:124
 skb_gso_segment include/net/gso.h:83 [inline]
 validate_xmit_skb+0x107f/0x1930 net/core/dev.c:3628
 __dev_queue_xmit+0x1f28/0x51c0 net/core/dev.c:4343
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3081 [inline]
 packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x735/0xa10 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 5101 Comm: syz-executor421 Not tainted 6.8.0-rc5-syzkaller-00297-gf2e367d6ad3b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
=====================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/02/25 06:25 upstream f2e367d6ad3b 8d446f15 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in ipvlan_queue_xmit
2024/02/20 06:35 upstream b401b621758e 3af7dd65 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in ipvlan_queue_xmit
* Struck through repros no longer work on HEAD.