From: syzbot <syzbot+047a11c361b872896a4f@syzkaller.appspotmail.com>
To: anna.schumaker@netapp.com, bfields@fieldses.org,
davem@davemloft.net, jlayton@kernel.org,
linux-kernel@vger.kernel.org, linux-nfs@vger.kernel.org,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com,
trond.myklebust@hammerspace.com
Subject: KMSAN: uninit-value in ip6_compressed_string
Date: Wed, 28 Nov 2018 09:40:03 -0800
Message-ID: <00000000000062ece6057bbd0e4a@google.com>
Hello,
syzbot found the following crash on:
HEAD commit: fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
git tree: https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=156ad1f5400000
kernel config: https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
dashboard link: https://syzkaller.appspot.com/bug?extid=047a11c361b872896a4f
compiler: clang version 8.0.0 (trunk 343298)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1031326d400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16212b0b400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+047a11c361b872896a4f@syzkaller.appspotmail.com
==================================================================
BUG: KMSAN: uninit-value in ip6_compressed_string+0x1a9/0x1460 lib/vsprintf.c:1161
CPU: 1 PID: 6762 Comm: syz-executor445 Not tainted 4.20.0-rc3+ #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x32d/0x480 lib/dump_stack.c:113
kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
__msan_warning+0x76/0xc0 mm/kmsan/kmsan_instr.c:330
ip6_compressed_string+0x1a9/0x1460 lib/vsprintf.c:1161
ip6_addr_string+0x165/0x2b0 lib/vsprintf.c:1247
pointer+0x110e/0x1520 lib/vsprintf.c:1911
vsnprintf+0xabf/0x3110 lib/vsprintf.c:2300
snprintf+0x246/0x290 lib/vsprintf.c:2429
rpc_ntop6_noscopeid net/sunrpc/addr.c:56 [inline]
rpc_sockaddr2uaddr+0x3aa/0x6f0 net/sunrpc/addr.c:281
rpcb_getport_async+0x10d4/0x1770 net/sunrpc/rpcb_clnt.c:773
call_bind+0x1a8/0x260 net/sunrpc/clnt.c:1802
__rpc_execute+0xacb/0x19c0 net/sunrpc/sched.c:832
rpc_execute+0x6ad/0x940 net/sunrpc/sched.c:900
rpc_run_task+0xc42/0xe70 net/sunrpc/clnt.c:1065
rpc_call_sync net/sunrpc/clnt.c:1094 [inline]
rpc_ping net/sunrpc/clnt.c:2516 [inline]
rpc_create_xprt+0x6a9/0xe80 net/sunrpc/clnt.c:480
rpc_create+0xa78/0xb30 net/sunrpc/clnt.c:588
nfs_create_rpc_client+0x752/0x860 fs/nfs/client.c:523
nfs_init_client+0xb8/0x1d0 fs/nfs/client.c:634
nfs_get_client+0x14fc/0x1720 fs/nfs/client.c:425
nfs_init_server fs/nfs/client.c:670 [inline]
nfs_create_server+0xbd7/0x3290 fs/nfs/client.c:954
nfs_try_mount+0x4de/0x14b0 fs/nfs/super.c:1884
nfs_fs_mount+0x393d/0x4000 fs/nfs/super.c:2695
mount_fs+0x282/0x790 fs/super.c:1261
vfs_kern_mount+0x231/0x8c0 fs/namespace.c:961
do_new_mount fs/namespace.c:2469 [inline]
do_mount+0xd1f/0x5ac0 fs/namespace.c:2801
ksys_mount+0x32e/0x3d0 fs/namespace.c:3017
__do_sys_mount fs/namespace.c:3031 [inline]
__se_sys_mount+0xe5/0x110 fs/namespace.c:3028
__x64_sys_mount+0x62/0x80 fs/namespace.c:3028
do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4401c9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff7eefaf48 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004401c9
RDX: 0000000020000180 RSI: 0000000020000140 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 000000002000a000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000401a50
R13: 0000000000401ae0 R14: 0000000000000000 R15: 0000000000000000
Uninit was stored to memory at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
__msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
ip6_compressed_string+0x89/0x1460 lib/vsprintf.c:1154
ip6_addr_string+0x165/0x2b0 lib/vsprintf.c:1247
pointer+0x110e/0x1520 lib/vsprintf.c:1911
vsnprintf+0xabf/0x3110 lib/vsprintf.c:2300
snprintf+0x246/0x290 lib/vsprintf.c:2429
rpc_ntop6_noscopeid net/sunrpc/addr.c:56 [inline]
rpc_sockaddr2uaddr+0x3aa/0x6f0 net/sunrpc/addr.c:281
rpcb_getport_async+0x10d4/0x1770 net/sunrpc/rpcb_clnt.c:773
call_bind+0x1a8/0x260 net/sunrpc/clnt.c:1802
__rpc_execute+0xacb/0x19c0 net/sunrpc/sched.c:832
rpc_execute+0x6ad/0x940 net/sunrpc/sched.c:900
rpc_run_task+0xc42/0xe70 net/sunrpc/clnt.c:1065
rpc_call_sync net/sunrpc/clnt.c:1094 [inline]
rpc_ping net/sunrpc/clnt.c:2516 [inline]
rpc_create_xprt+0x6a9/0xe80 net/sunrpc/clnt.c:480
rpc_create+0xa78/0xb30 net/sunrpc/clnt.c:588
nfs_create_rpc_client+0x752/0x860 fs/nfs/client.c:523
nfs_init_client+0xb8/0x1d0 fs/nfs/client.c:634
nfs_get_client+0x14fc/0x1720 fs/nfs/client.c:425
nfs_init_server fs/nfs/client.c:670 [inline]
nfs_create_server+0xbd7/0x3290 fs/nfs/client.c:954
nfs_try_mount+0x4de/0x14b0 fs/nfs/super.c:1884
nfs_fs_mount+0x393d/0x4000 fs/nfs/super.c:2695
mount_fs+0x282/0x790 fs/super.c:1261
vfs_kern_mount+0x231/0x8c0 fs/namespace.c:961
do_new_mount fs/namespace.c:2469 [inline]
do_mount+0xd1f/0x5ac0 fs/namespace.c:2801
ksys_mount+0x32e/0x3d0 fs/namespace.c:3017
__do_sys_mount fs/namespace.c:3031 [inline]
__se_sys_mount+0xe5/0x110 fs/namespace.c:3028
__x64_sys_mount+0x62/0x80 fs/namespace.c:3028
do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
Local variable description: ----addr@rpcb_getport_async
Variable was created at:
rpcb_getport_async+0xb3/0x1770 net/sunrpc/rpcb_clnt.c:673
call_bind+0x1a8/0x260 net/sunrpc/clnt.c:1802
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Thread overview:
2018-11-28 17:40 syzbot [this message]
2019-03-30 1:21 ` [PATCH] NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family Tetsuo Handa