Re: [syzbot] [tipc?] KMSAN: uninit-value in tipc_rcv (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com>
To: davem@davemloft.net, edumazet@google.com, horms@kernel.org,
	 jmaloy@redhat.com, kuba@kernel.org,
	linux-kernel@vger.kernel.org,  netdev@vger.kernel.org,
	pabeni@redhat.com, syzkaller-bugs@googlegroups.com,
	 tipc-discussion@lists.sourceforge.net
Subject: Re: [syzbot] [tipc?] KMSAN: uninit-value in tipc_rcv (2)
Date: Sun, 03 Aug 2025 02:39:29 -0700	[thread overview]
Message-ID: <688f2e51.050a0220.1fc43d.0002.GAE@google.com> (raw)
In-Reply-To: <6880f58e.050a0220.248954.0001.GAE@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    89748acdf226 Merge tag 'drm-next-2025-08-01' of https://gi..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1395bcf0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7ff65239b4835001
dashboard link: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1625ff82580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=131bb834580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ce090dd92dc2/disk-89748acd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/32b5903a7759/vmlinux-89748acd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dc68a867773d/bzImage-89748acd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com

tipc: Started in network mode
tipc: Node identity 4689370d27fe, cluster identity 4711
tipc: Enabled bearer <eth:syzkaller0>, priority 0
=====================================================
BUG: KMSAN: uninit-value in tipc_rcv+0x17fa/0x1ea0 net/tipc/node.c:2132
 tipc_rcv+0x17fa/0x1ea0 net/tipc/node.c:2132
 tipc_l2_rcv_msg+0x213/0x320 net/tipc/bearer.c:668
 __netif_receive_skb_list_ptype net/core/dev.c:6027 [inline]
 __netif_receive_skb_list_core+0x133b/0x16b0 net/core/dev.c:6069
 __netif_receive_skb_list net/core/dev.c:6121 [inline]
 netif_receive_skb_list_internal+0xee7/0x1530 net/core/dev.c:6212
 gro_normal_list include/net/gro.h:532 [inline]
 gro_flush_normal include/net/gro.h:540 [inline]
 napi_complete_done+0x3fb/0x7d0 net/core/dev.c:6581
 napi_complete include/linux/netdevice.h:589 [inline]
 tun_get_user+0x4c0d/0x6ca0 drivers/net/tun.c:1921
 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1996
 do_iter_readv_writev+0x947/0xba0 fs/read_write.c:-1
 vfs_writev+0x52a/0x1500 fs/read_write.c:1057
 do_writev+0x1b5/0x580 fs/read_write.c:1103
 __do_sys_writev fs/read_write.c:1171 [inline]
 __se_sys_writev fs/read_write.c:1168 [inline]
 __x64_sys_writev+0x99/0xf0 fs/read_write.c:1168
 x64_sys_call+0x24b1/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:21
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4186 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4281
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:578
 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:669
 napi_alloc_skb+0xc1/0x740 net/core/skbuff.c:811
 napi_get_frags+0xab/0x250 net/core/gro.c:673
 tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]
 tun_get_user+0x134f/0x6ca0 drivers/net/tun.c:1784
 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1996
 do_iter_readv_writev+0x947/0xba0 fs/read_write.c:-1
 vfs_writev+0x52a/0x1500 fs/read_write.c:1057
 do_writev+0x1b5/0x580 fs/read_write.c:1103
 __do_sys_writev fs/read_write.c:1171 [inline]
 __se_sys_writev fs/read_write.c:1168 [inline]
 __x64_sys_writev+0x99/0xf0 fs/read_write.c:1168
 x64_sys_call+0x24b1/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:21
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5808 Comm: syz-executor123 Not tainted 6.16.0-syzkaller-10499-g89748acdf226 #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
=====================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

next prev parent reply	other threads:[~2025-08-03  9:39 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-23 14:45 [syzbot] [tipc?] KMSAN: uninit-value in tipc_rcv (2) syzbot
2025-08-03  9:39 ` syzbot [this message]
2025-09-19 15:23 ` Forwarded: [PATCH net] net/core : fix KMSAN: uninit value in tipc_rcv syzbot
2025-09-20 17:01 ` Forwarded: [PATCH v2 " syzbot
2025-11-07  6:06 ` Forwarded: [PATCH] net: core: fix KMSAN: unint " syzbot
2025-11-07  7:15 ` syzbot
2025-11-07 10:19 ` syzbot
2025-11-18 12:37 ` syzbot
2025-11-22  3:37 ` syzbot
     [not found] <20250919152337.47803-1-hariconscious@gmail.com>
2025-09-19 17:10 ` [syzbot] [tipc?] KMSAN: uninit-value in tipc_rcv (2) syzbot
     [not found] <20250920170037.9612-1-hariconscious@gmail.com>
2025-09-20 19:43 ` syzbot
     [not found] <e8b78334-cb9f-900b-f05a-23a0d0ee902a@gmail.com>
2025-11-07  6:46 ` syzbot
     [not found] <5715ad57-d676-ecde-1636-1634b49316d6@gmail.com>
2025-11-07  9:21 ` syzbot
     [not found] <CABBwEEhHeCq3Ry-6JoG1ruTTbfeRUKcYxTobQd88O8wYvOQBUQ@mail.gmail.com>
2025-11-07 10:58 ` syzbot
     [not found] <0f7bf1a1-7708-b253-fd8a-3bfbefe4e309@gmail.com>
2025-11-18 13:28 ` syzbot
     [not found] <CABBwEEgK85XKVdisWmzKVUQS0ZKnVa0TmRQHP+g1t+mfEWpu0A@mail.gmail.com>
2025-11-22 10:11 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=688f2e51.050a0220.1fc43d.0002.GAE@google.com \
    --to=syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=jmaloy@redhat.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tipc-discussion@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.