From: syzbot <syzbot+8f84cf3ec5c288e779ef@syzkaller.appspotmail.com>
To: davem@davemloft.net, glider@google.com, johan.hedberg@gmail.com,
	kuba@kernel.org, linux-bluetooth@vger.kernel.org,
	linux-kernel@vger.kernel.org, luiz.dentz@gmail.com,
	marcel@holtmann.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KMSAN: uninit-value in hci_conn_request_evt
Date: Sun, 02 Jan 2022 14:23:18 -0800	[thread overview]
Message-ID: <000000000000de69a305d4a0d958@google.com> (raw)
In-Reply-To: <000000000000f5dc0805cf7807a7@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    81c325bbf94e kmsan: hooks: do not check memory in kmsan_in..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=103ea4c7b00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2d8b9a11641dc9aa
dashboard link: https://syzkaller.appspot.com/bug?extid=8f84cf3ec5c288e779ef
compiler:       clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10051b67b00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12148a3bb00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f84cf3ec5c288e779ef@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in hci_proto_connect_ind include/net/bluetooth/hci_core.h:1485 [inline]
BUG: KMSAN: uninit-value in hci_conn_request_evt+0x22b/0x13c0 net/bluetooth/hci_event.c:2827
 hci_proto_connect_ind include/net/bluetooth/hci_core.h:1485 [inline]
 hci_conn_request_evt+0x22b/0x13c0 net/bluetooth/hci_event.c:2827
 hci_event_packet+0x1452/0x23e0 net/bluetooth/hci_event.c:6360
 hci_rx_work+0x6a0/0xd00 net/bluetooth/hci_core.c:5084
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:413 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:287 [inline]
 vhci_write+0x187/0x8f0 drivers/bluetooth/hci_vhci.c:407
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write fs/read_write.c:503 [inline]
 vfs_write+0x1318/0x2030 fs/read_write.c:590
 ksys_write+0x28b/0x510 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0xdb/0x120 fs/read_write.c:652
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

CPU: 1 PID: 43 Comm: kworker/u5:0 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
=====================================================
