* [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
@ 2024-04-18 4:08 syzbot
2024-04-18 8:40 ` Jeongjun Park
` (11 more replies)
0 siblings, 12 replies; 25+ messages in thread
From: syzbot @ 2024-04-18 4:08 UTC (permalink / raw)
To: davem, edumazet, kuba, linux-kernel, netdev, pabeni, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 0bbac3facb5d Linux 6.9-rc4
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15d9a36d180000
kernel config: https://syzkaller.appspot.com/x/.config?x=87a805e655619c64
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14069fcb180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=155da7cb180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/93eb2bab28b5/disk-0bbac3fa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/47a883d2dfaa/vmlinux-0bbac3fa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6bc56900ec1d/bzImage-0bbac3fa.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a81f2759d022496b40ab@syzkaller.appspotmail.com
syz_tun: entered promiscuous mode
batadv_slave_0: entered promiscuous mode
=====================================================
BUG: KMSAN: uninit-value in hsr_get_node+0xab0/0xad0 net/hsr/hsr_framereg.c:250
hsr_get_node+0xab0/0xad0 net/hsr/hsr_framereg.c:250
fill_frame_info net/hsr/hsr_forward.c:577 [inline]
hsr_forward_skb+0x330/0x30e0 net/hsr/hsr_forward.c:615
hsr_handle_frame+0xa20/0xb50 net/hsr/hsr_slave.c:69
__netif_receive_skb_core+0x1cff/0x6190 net/core/dev.c:5432
__netif_receive_skb_one_core net/core/dev.c:5536 [inline]
__netif_receive_skb+0xca/0xa00 net/core/dev.c:5652
netif_receive_skb_internal net/core/dev.c:5738 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5798
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2110 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3062/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
alloc_pages_mpol+0x299/0x990 mm/mempolicy.c:2264
alloc_pages+0x1bf/0x1e0 mm/mempolicy.c:2335
skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2921
tun_build_skb drivers/net/tun.c:1679 [inline]
tun_get_user+0x1258/0x69e0 drivers/net/tun.c:1819
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2110 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3062/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 PID: 5050 Comm: syz-executor387 Not tainted 6.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
@ 2024-04-18 8:40 ` Jeongjun Park
2024-04-18 17:39 ` syzbot
2024-04-19 13:03 ` Jeongjun Park
` (10 subsequent siblings)
11 siblings, 1 reply; 25+ messages in thread
From: Jeongjun Park @ 2024-04-18 8:40 UTC (permalink / raw)
To: syzbot+a81f2759d022496b40ab; +Cc: linux-kernel, syzkaller-bugs
please test uninit-value in hsr_get_node
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 8:40 ` Jeongjun Park
@ 2024-04-18 17:39 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-04-18 17:39 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in hsr_get_node
=====================================================
BUG: KMSAN: uninit-value in hsr_get_node+0xab0/0xad0 net/hsr/hsr_framereg.c:250
hsr_get_node+0xab0/0xad0 net/hsr/hsr_framereg.c:250
fill_frame_info net/hsr/hsr_forward.c:577 [inline]
hsr_forward_skb+0x330/0x30e0 net/hsr/hsr_forward.c:615
hsr_handle_frame+0xa20/0xb50 net/hsr/hsr_slave.c:69
__netif_receive_skb_core+0x1cff/0x6190 net/core/dev.c:5432
__netif_receive_skb_one_core net/core/dev.c:5536 [inline]
__netif_receive_skb+0xca/0xa00 net/core/dev.c:5652
netif_receive_skb_internal net/core/dev.c:5738 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5798
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2110 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3062/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
alloc_pages_mpol+0x299/0x990 mm/mempolicy.c:2264
alloc_pages+0x1bf/0x1e0 mm/mempolicy.c:2335
skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2921
tun_build_skb drivers/net/tun.c:1679 [inline]
tun_get_user+0x1258/0x69e0 drivers/net/tun.c:1819
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2110 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3062/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 PID: 5497 Comm: syz-executor.0 Not tainted 6.9.0-rc4-syzkaller-00038-g8cd26fd90c1a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
=====================================================
Tested on:
commit: 8cd26fd9 Merge tag 'for-6.9-rc4-tag' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1398c9ab180000
kernel config: https://syzkaller.appspot.com/x/.config?x=87a805e655619c64
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
2024-04-18 8:40 ` Jeongjun Park
@ 2024-04-19 13:03 ` Jeongjun Park
2024-04-19 15:12 ` syzbot
2024-04-19 15:51 ` Jeongjun Park
` (9 subsequent siblings)
11 siblings, 1 reply; 25+ messages in thread
From: Jeongjun Park @ 2024-04-19 13:03 UTC (permalink / raw)
To: syzbot+a81f2759d022496b40ab; +Cc: linux-kernel, syzkaller-bugs
please test uninit-value in hsr_get_node
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/core/sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/sock.c b/net/core/sock.c
index 0963689a5950..847233e8f3e6 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2920,7 +2920,7 @@ bool skb_page_frag_refill(unsigned int sz, struct page_frag *pfrag, gfp_t gfp)
/* Avoid direct reclaim but allow kswapd to wake */
pfrag->page = alloc_pages((gfp & ~__GFP_DIRECT_RECLAIM) |
__GFP_COMP | __GFP_NOWARN |
- __GFP_NORETRY,
+ __GFP_NORETRY | __GFP_ZERO,
SKB_FRAG_PAGE_ORDER);
if (likely(pfrag->page)) {
pfrag->size = PAGE_SIZE << SKB_FRAG_PAGE_ORDER;
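Review bot: ORing __GFP_ZERO into the alloc_pages() call inside skb_page_frag_refill() changes a core helper used by every caller that refills a page fragment (sockets, tun, virtio_net), so this zeroes each fragment on every refill system-wide in order to quiet one report. The KMSAN trace points the other way: the bytes hsr_get_node() reads at net/hsr/hsr_framereg.c:250 live in a fragment that tun_build_skb() filled from a user-supplied frame, and "Uninit was created at" only records where that fragment was allocated, not where the faulty read is. Bytes that were never written by tun are bytes the frame never contained, which suggests the HSR receive path (fill_frame_info / hsr_get_node) is missing a length check before it parses the header; that check is where the fix belongs. Zeroing makes KMSAN stop reporting because the memory is now defined, so a later "did not trigger any issue" result from this patch is not evidence that the HSR bug is fixed. The submission also carries no commit message explaining the change; please add one, and add the Reported-by tag the original report asks for.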
--
2.34.1
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-19 13:03 ` Jeongjun Park
@ 2024-04-19 15:12 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-04-19 15:12 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+a81f2759d022496b40ab@syzkaller.appspotmail.com
Tested on:
commit: 2668e3ae Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1405f520980000
kernel config: https://syzkaller.appspot.com/x/.config?x=87a805e655619c64
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1341bcfd180000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
2024-04-18 8:40 ` Jeongjun Park
2024-04-19 13:03 ` Jeongjun Park
@ 2024-04-19 15:51 ` Jeongjun Park
2024-04-19 16:45 ` syzbot
2024-07-17 14:51 ` Jeongjun Park
` (8 subsequent siblings)
11 siblings, 1 reply; 25+ messages in thread
From: Jeongjun Park @ 2024-04-19 15:51 UTC (permalink / raw)
To: syzbot+a81f2759d022496b40ab; +Cc: linux-kernel, syzkaller-bugs
please test uninit-value in hsr_get_node
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/net/tun.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 0b3f21cba552..5300bbbc617d 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1676,7 +1676,7 @@ static struct sk_buff *tun_build_skb(struct tun_struct *tun,
rcu_read_unlock();
alloc_frag->offset = ALIGN((u64)alloc_frag->offset, SMP_CACHE_BYTES);
- if (unlikely(!skb_page_frag_refill(buflen, alloc_frag, GFP_KERNEL)))
+ if (unlikely(!skb_page_frag_refill(buflen, alloc_frag, GFP_KERNEL | __GFP_ZERO)))
return ERR_PTR(-ENOMEM);
buf = (char *)page_address(alloc_frag->page) + alloc_frag->offset;
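Review bot: passing GFP_KERNEL | __GFP_ZERO from tun_build_skb() narrows the earlier attempt to one caller, but it still treats the allocation as the bug rather than the reader. skb_page_frag_refill() does forward the flag (it only masks __GFP_DIRECT_RECLAIM and ORs its own flags), so every fragment of PAGE_SIZE << SKB_FRAG_PAGE_ORDER bytes is now cleared on the tun write path for all tun users, purely so that the bytes hsr_get_node() reads past the copied frame are defined. That hides the missing length check in the HSR receive path rather than fixing it: the same short frame arriving on a non-tun device would read the same unchecked bytes with nothing to flag it. If this is meant only as a diagnostic run to confirm where the uninitialized bytes come from, the cover note should say so; as a fix it needs a commit message and the Reported-by tag.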
--
2.34.1
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-19 15:51 ` Jeongjun Park
@ 2024-04-19 16:45 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-04-19 16:45 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+a81f2759d022496b40ab@syzkaller.appspotmail.com
Tested on:
commit: 2668e3ae Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=113f5af5180000
kernel config: https://syzkaller.appspot.com/x/.config?x=87a805e655619c64
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10feef00980000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
` (2 preceding siblings ...)
2024-04-19 15:51 ` Jeongjun Park
@ 2024-07-17 14:51 ` Jeongjun Park
2024-07-17 16:36 ` syzbot
2024-07-18 12:04 ` Jeongjun Park
` (7 subsequent siblings)
11 siblings, 1 reply; 25+ messages in thread
From: Jeongjun Park @ 2024-07-17 14:51 UTC (permalink / raw)
To: syzbot+a81f2759d022496b40ab; +Cc: linux-kernel
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-07-17 14:51 ` Jeongjun Park
@ 2024-07-17 16:36 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-17 16:36 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
48.966940][ T1] Timer migration: 1 hierarchy levels; 8 children per group; 0 crossnode level
[ 49.476665][ T1] registered taskstats version 1
[ 49.903659][ T1] Loading compiled-in X.509 certificates
[ 49.948716][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 7a9f7c0e186ee0aeb7cac048f6481049478c3b01'
[ 50.193178][ T1] zswap: loaded using pool lzo/zsmalloc
[ 50.202395][ T1] Demotion targets for Node 0: null
[ 50.207808][ T1] Demotion targets for Node 1: null
[ 50.215494][ T1] Key type .fscrypt registered
[ 50.220532][ T1] Key type fscrypt-provisioning registered
[ 50.227797][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 50.261264][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 50.287630][ T1] Key type encrypted registered
[ 50.292626][ T1] AppArmor: AppArmor sha256 policy hashing enabled
[ 50.299502][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 50.307180][ T1] Loading compiled-in module X.509 certificates
[ 50.350409][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 7a9f7c0e186ee0aeb7cac048f6481049478c3b01'
[ 50.361855][ T1] ima: Allocated hash algorithm: sha256
[ 50.368263][ T1] ima: No architecture policies found
[ 50.374819][ T1] evm: Initialising EVM extended attributes:
[ 50.380893][ T1] evm: security.selinux (disabled)
[ 50.386225][ T1] evm: security.SMACK64 (disabled)
[ 50.391519][ T1] evm: security.SMACK64EXEC (disabled)
[ 50.397102][ T1] evm: security.SMACK64TRANSMUTE (disabled)
[ 50.403132][ T1] evm: security.SMACK64MMAP (disabled)
[ 50.408774][ T1] evm: security.apparmor
[ 50.413106][ T1] evm: security.ima
[ 50.417038][ T1] evm: security.capability
[ 50.421495][ T1] evm: HMAC attrs: 0x1
[ 50.430616][ T1] PM: Magic number: 0:906:489
[ 50.437158][ T1] bdi 43:128: hash matches
[ 50.443197][ T1] printk: legacy console [netcon0] enabled
[ 50.449358][ T1] netconsole: network logging started
[ 50.456386][ T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[ 50.465653][ T1] rdma_rxe: loaded
[ 50.471498][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 50.492635][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 50.510300][ T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 50.519733][ T1] clk: Disabling unused clocks
[ 50.524657][ T1] ALSA device list:
[ 50.528687][ T1] #0: Dummy 1
[ 50.532268][ T1] #1: Loopback 1
[ 50.536369][ T1] #2: Virtual MIDI Card 1
[ 50.546627][ T10] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 50.557233][ T10] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 50.566838][ T1] md: Waiting for all devices to be available before autodetect
[ 50.574890][ T1] md: If you don't use raid, use raid=noautodetect
[ 50.581546][ T1] md: Autodetecting RAID arrays.
[ 50.587056][ T1] md: autorun ...
[ 50.590820][ T1] md: ... autorun DONE.
[ 50.731901][ T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[ 50.745418][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 50.827185][ T1] devtmpfs: mounted
[ 51.097752][ T1] Freeing unused kernel image (initmem) memory: 37116K
[ 51.109692][ T1] Write protecting the kernel read-only data: 262144k
[ 51.156794][ T1] Freeing unused kernel image (rodata/data gap) memory: 1752K
[ 52.824942][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 52.835392][ T1] x86/mm: Checking user space page tables
[ 54.345909][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 54.354936][ T1] Failed to set sysctl parameter 'kernel.hung_task_all_cpu_backtrace=1': parameter not found
[ 54.376222][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 54.387939][ T1] Run /sbin/init as init process
[ 56.033419][ T4451] mount (4451) used greatest stack depth: 8144 bytes left
[ 56.138109][ T4452] EXT4-fs (sda1): re-mounted 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 r/w. Quota mode: none.
mount: mounting smackfs on /sys/fs/smackfs failed: No such file or directory
mount: mounting selinuxfs on /sys/fs/selinux failed: No such file or directory
[ 56.471743][ T4455] mount (4455) used greatest stack depth: 5536 bytes left
Starting syslogd: OK
Starting acpid: OK
Starting klogd: OK
Running sysctl: OK
Populating /dev using udev: [ 60.408422][ T4485] udevd[4485]: starting version 3.2.11
[ 64.035314][ T4486] udevd[4486]: starting eudev-3.2.11
[ 64.047218][ T4485] udevd (4485) used greatest stack depth: 5328 bytes left
done
Starting system message bus: done
Starting iptables: OK
Starting network: OK
Starting dhcpcd...
dhcpcd-9.4.1 starting
dev: loaded udev
DUID 00:04:98:24:4c:28:99:7c:d9:70:fe:51:ca:fe:56:33:2c:7d
[ 111.696683][ T10] cfg80211: failed to load regulatory.db
forked to background, child pid 4699
[ 112.850716][ T4700] 8021q: adding VLAN 0 to HW filter on device bond0
[ 112.877161][ T4700] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: [ 115.050362][ T4785] sshd (4785) used greatest stack depth: 4360 bytes left
OK
syzkaller
syzkaller login: [ 116.643435][ C0] =====================================================
[ 116.650771][ C0] BUG: KMSAN: uninit-value in receive_buf+0xba1/0x25d0
[ 116.657866][ C0] receive_buf+0xba1/0x25d0
[ 116.662559][ C0] virtnet_poll+0x529c/0x6a20
[ 116.667462][ C0] __napi_poll+0xe7/0x980
[ 116.671960][ C0] net_rx_action+0xa5a/0x19b0
[ 116.676848][ C0] handle_softirqs+0x1ce/0x800
[ 116.681888][ C0] __irq_exit_rcu+0x68/0x120
[ 116.686694][ C0] irq_exit_rcu+0x12/0x20
[ 116.691222][ C0] common_interrupt+0x94/0xa0
[ 116.696212][ C0] asm_common_interrupt+0x2b/0x40
[ 116.701531][ C0] acpi_safe_halt+0x25/0x30
[ 116.706292][ C0] acpi_idle_do_entry+0x22/0x40
[ 116.711361][ C0] acpi_idle_enter+0xa1/0xc0
[ 116.716198][ C0] cpuidle_enter_state+0xcb/0x250
[ 116.721427][ C0] cpuidle_enter+0x7f/0xf0
[ 116.726170][ C0] do_idle+0x551/0x750
[ 116.730471][ C0] cpu_startup_entry+0x65/0x80
[ 116.735581][ C0] rest_init+0x1e8/0x260
[ 116.740082][ C0] start_kernel+0x92c/0xa70
[ 116.744831][ C0] x86_64_start_reservations+0x2e/0x30
[ 116.750479][ C0] x86_64_start_kernel+0x98/0xa0
[ 116.755835][ C0] common_startup_64+0x12c/0x137
[ 116.761043][ C0]
[ 116.763470][ C0] Uninit was created at:
[ 116.768120][ C0] __alloc_pages_noprof+0x9d6/0xe70
[ 116.773563][ C0] alloc_pages_mpol_noprof+0x299/0x990
[ 116.779504][ C0] alloc_pages_noprof+0x1bf/0x1e0
[ 116.784868][ C0] skb_page_frag_refill+0x2bf/0x7c0
[ 116.790292][ C0] virtnet_rq_alloc+0x43/0xbb0
[ 116.795404][ C0] try_fill_recv+0x89c/0x3bc0
[ 116.800317][ C0] virtnet_open+0x1d8/0xd00
[ 116.805145][ C0] __dev_open+0x546/0x6f0
[ 116.809680][ C0] __dev_change_flags+0x309/0x9a0
[ 116.815032][ C0] dev_change_flags+0x8e/0x1d0
[ 116.820028][ C0] devinet_ioctl+0x13ec/0x22c0
[ 116.825116][ C0] inet_ioctl+0x4bd/0x6d0
[ 116.829651][ C0] sock_do_ioctl+0xb7/0x540
[ 116.834365][ C0] sock_ioctl+0x727/0xd70
[ 116.839197][ C0] __se_sys_ioctl+0x261/0x450
[ 116.844107][ C0] __x64_sys_ioctl+0x96/0xe0
[ 116.848999][ C0] x64_sys_call+0x18bf/0x3b90
[ 116.853894][ C0] do_syscall_64+0xcd/0x1e0
[ 116.859293][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 116.865586][ C0]
[ 116.868032][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.10.0-syzkaller-04472-g51835949dda3 #0
[ 116.878152][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 116.888572][ C0] =====================================================
[ 116.895809][ C0] Disabling lock debugging due to kernel taint
[ 116.902113][ C0] Kernel panic - not syncing: kmsan.panic set ...
[ 116.908671][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 6.10.0-syzkaller-04472-g51835949dda3 #0
[ 116.919740][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 116.929999][ C0] Call Trace:
[ 116.933421][ C0] <IRQ>
[ 116.936413][ C0] dump_stack_lvl+0x216/0x2d0
[ 116.941336][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 116.947440][ C0] dump_stack+0x1e/0x30
[ 116.951880][ C0] panic+0x4e2/0xcd0
[ 116.955996][ C0] ? kmsan_get_metadata+0x61/0x1d0
[ 116.961602][ C0] kmsan_report+0x2d5/0x2e0
[ 116.966223][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 116.971532][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 116.976858][ C0] ? __msan_warning+0x95/0x120
[ 116.981727][ C0] ? receive_buf+0xba1/0x25d0
[ 116.986505][ C0] ? virtnet_poll+0x529c/0x6a20
[ 116.991508][ C0] ? __napi_poll+0xe7/0x980
[ 116.996160][ C0] ? net_rx_action+0xa5a/0x19b0
[ 117.001182][ C0] ? handle_softirqs+0x1ce/0x800
[ 117.006255][ C0] ? __irq_exit_rcu+0x68/0x120
[ 117.011134][ C0] ? irq_exit_rcu+0x12/0x20
[ 117.015844][ C0] ? common_interrupt+0x94/0xa0
[ 117.020805][ C0] ? asm_common_interrupt+0x2b/0x40
[ 117.026140][ C0] ? acpi_safe_halt+0x25/0x30
[ 117.030962][ C0] ? acpi_idle_do_entry+0x22/0x40
[ 117.036126][ C0] ? acpi_idle_enter+0xa1/0xc0
[ 117.041004][ C0] ? cpuidle_enter_state+0xcb/0x250
[ 117.046344][ C0] ? cpuidle_enter+0x7f/0xf0
[ 117.051083][ C0] ? do_idle+0x551/0x750
[ 117.055489][ C0] ? cpu_startup_entry+0x65/0x80
[ 117.060596][ C0] ? rest_init+0x1e8/0x260
[ 117.065142][ C0] ? start_kernel+0x92c/0xa70
[ 117.069942][ C0] ? x86_64_start_reservations+0x2e/0x30
[ 117.075704][ C0] ? x86_64_start_kernel+0x98/0xa0
[ 117.080927][ C0] ? common_startup_64+0x12c/0x137
[ 117.086177][ C0] ? kmsan_internal_memmove_metadata+0x17b/0x230
[ 117.092679][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 117.098052][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 117.103402][ C0] ? page_to_skb+0xdae/0x1620
[ 117.108232][ C0] __msan_warning+0x95/0x120
[ 117.112999][ C0] receive_buf+0xba1/0x25d0
[ 117.117693][ C0] virtnet_poll+0x529c/0x6a20
[ 117.122498][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 117.127843][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 117.133900][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 117.139362][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 117.144736][ C0] ? __pfx_virtnet_poll+0x10/0x10
[ 117.149900][ C0] __napi_poll+0xe7/0x980
[ 117.154356][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 117.159745][ C0] net_rx_action+0xa5a/0x19b0
[ 117.164549][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 117.170150][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 117.176230][ C0] ? __pfx_net_rx_action+0x10/0x10
[ 117.181495][ C0] handle_softirqs+0x1ce/0x800
[ 117.186493][ C0] __irq_exit_rcu+0x68/0x120
[ 117.191354][ C0] irq_exit_rcu+0x12/0x20
[ 117.195812][ C0] common_interrupt+0x94/0xa0
[ 117.200765][ C0] </IRQ>
[ 117.203745][ C0] <TASK>
[ 117.206740][ C0] asm_common_interrupt+0x2b/0x40
[ 117.212031][ C0] RIP: 0010:acpi_safe_halt+0x25/0x30
[ 117.217509][ C0] Code: 90 90 90 90 90 55 48 89 e5 65 48 8b 04 25 80 5e 0a 00 48 f7 00 08 00 00 00 75 10 66 90 0f 00 2d 8b fb 4f 00 f3 0f 1e fa fb f4 <fa> 5d c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90
[ 117.237256][ C0] RSP: 0018:ffffffff91003ce8 EFLAGS: 00000246
[ 117.243550][ C0] RAX: ffffffff9102bdc0 RBX: ffffffff9148a9b0 RCX: 0000000000000001
[ 117.251879][ C0] RDX: ffff88810358e464 RSI: ffffffff9148a9b0 RDI: ffff88810358e464
[ 117.260877][ C0] RBP: ffffffff91003ce8 R08: ffffea000000000f R09: 00000000000000ff
[ 117.268965][ C0] R10: ffff88823f164dc2 R11: ffffffff8f8d7d30 R12: ffff888104e71c00
[ 117.277283][ C0] R13: ffffffff9148aa30 R14: 0000000000000001 R15: 0000000000000001
[ 117.285349][ C0] ? __pfx_acpi_idle_enter+0x10/0x10
[ 117.290848][ C0] acpi_idle_do_entry+0x22/0x40
[ 117.295937][ C0] acpi_idle_enter+0xa1/0xc0
[ 117.300690][ C0] cpuidle_enter_state+0xcb/0x250
[ 117.305878][ C0] cpuidle_enter+0x7f/0xf0
[ 117.310558][ C0] do_idle+0x551/0x750
[ 117.314882][ C0] cpu_startup_entry+0x65/0x80
[ 117.319980][ C0] rest_init+0x1e8/0x260
[ 117.324364][ C0] start_kernel+0x92c/0xa70
[ 117.329121][ C0] x86_64_start_reservations+0x2e/0x30
[ 117.334968][ C0] x86_64_start_kernel+0x98/0xa0
[ 117.340049][ C0] common_startup_64+0x12c/0x137
[ 117.345172][ C0] </TASK>
[ 117.348544][ C0] Kernel Offset: disabled
[ 117.352967][ C0] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build865784958=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 0d592ce46e
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0d592ce46ebc504d579c07e5bc3f7f3f2038c4cf -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240415-175759'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0d592ce46ebc504d579c07e5bc3f7f3f2038c4cf -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240415-175759'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0d592ce46ebc504d579c07e5bc3f7f3f2038c4cf -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240415-175759'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"0d592ce46ebc504d579c07e5bc3f7f3f2038c4cf\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1215a959980000
Tested on:
commit: 51835949 Merge tag 'net-next-6.11' of git://git.kernel..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ec91e4c9ea460c2a
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
` (3 preceding siblings ...)
2024-07-17 14:51 ` Jeongjun Park
@ 2024-07-18 12:04 ` Jeongjun Park
2024-07-18 12:29 ` syzbot
2024-07-18 12:34 ` Jeongjun Park
` (6 subsequent siblings)
11 siblings, 1 reply; 25+ messages in thread
From: Jeongjun Park @ 2024-07-18 12:04 UTC (permalink / raw)
To: syzbot+a81f2759d022496b40ab; +Cc: linux-kernel
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/net/virtio_net.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index af474cc191d0..2088b566d10b 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -2895,7 +2895,7 @@ static int virtnet_open(struct net_device *dev)
for (i = 0; i < vi->max_queue_pairs; i++) {
if (i < vi->curr_queue_pairs)
/* Make sure we have some buffers: if oom use wq. */
- if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL))
+ if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL | GFP_ZERO))
schedule_delayed_work(&vi->refill, 0);
err = virtnet_enable_queue_pair(vi, i);
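Review bot: `GFP_ZERO` is not a gfp flag in the kernel; the zeroing flag is `__GFP_ZERO`, so the `+` line does not compile (the syzbot reply that follows reports exactly this: use of undeclared identifier 'GFP_ZERO' at drivers/net/virtio_net.c:2898). Please build the patch locally against the KMSAN config before requesting a test run. Separately, this hunk changes virtnet_open() in virtio_net, which matches the receive_buf() splat from the earlier boot log of an unpatched kernel, not the hsr_get_node() report this thread tracks; even once it builds, a fix for the reported bug still has to land in the HSR receive path.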
--
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-07-18 12:04 ` Jeongjun Park
@ 2024-07-18 12:29 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-18 12:29 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
drivers/net/virtio_net.c:2898:52: error: use of undeclared identifier 'GFP_ZERO'
Tested on:
commit: b1bc554e Merge tag 'media/v6.11-1' of git://git.kernel..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=87a805e655619c64
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=116413e9980000
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
` (4 preceding siblings ...)
2024-07-18 12:04 ` Jeongjun Park
@ 2024-07-18 12:34 ` Jeongjun Park
2024-07-18 13:04 ` syzbot
2024-07-18 23:24 ` Jeongjun Park
` (5 subsequent siblings)
11 siblings, 1 reply; 25+ messages in thread
From: Jeongjun Park @ 2024-07-18 12:34 UTC (permalink / raw)
To: syzbot+a81f2759d022496b40ab; +Cc: linux-kernel
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/net/virtio_net.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index af474cc191d0..2088b566d10b 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -2895,7 +2895,7 @@ static int virtnet_open(struct net_device *dev)
for (i = 0; i < vi->max_queue_pairs; i++) {
if (i < vi->curr_queue_pairs)
/* Make sure we have some buffers: if oom use wq. */
- if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL))
+ if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL | __GFP_ZERO))
schedule_delayed_work(&vi->refill, 0);
err = virtnet_enable_queue_pair(vi, i);
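Review bot: the `index af474cc191d0..2088b566d10b` line is identical to the earlier `GFP_ZERO` submission even though the `+` line now reads `__GFP_ZERO`; a hand-edited diff with a stale post-image blob id still applies, but it misrepresents what was actually built, so regenerate the diff from a real commit. The substantive concern is unchanged: `GFP_KERNEL | __GFP_ZERO` asks the page allocator to clear receive buffers, which papers over an uninitialized read instead of fixing it, and the reproducer's origin stack in this thread goes through tun_build_skb, not through the `vi->rq[i]` fill done here.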
--
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-07-18 12:34 ` Jeongjun Park
@ 2024-07-18 13:04 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-18 13:04 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to copy syz-execprog to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.0.244:./syz-execprog"]
syzkaller build log:
Tested on:
commit: b1bc554e Merge tag 'media/v6.11-1' of git://git.kernel..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=bb3ca33fe161b0cc
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15796f2d980000
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
` (5 preceding siblings ...)
2024-07-18 12:34 ` Jeongjun Park
@ 2024-07-18 23:24 ` Jeongjun Park
2024-07-19 3:07 ` syzbot
2024-07-19 16:22 ` Jeongjun Park
` (4 subsequent siblings)
11 siblings, 1 reply; 25+ messages in thread
From: Jeongjun Park @ 2024-07-18 23:24 UTC (permalink / raw)
To: syzbot+a81f2759d022496b40ab; +Cc: linux-kernel
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/net/virtio_net.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index af474cc191d0..2088b566d10b 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -2895,7 +2895,7 @@ static int virtnet_open(struct net_device *dev)
for (i = 0; i < vi->max_queue_pairs; i++) {
if (i < vi->curr_queue_pairs)
/* Make sure we have some buffers: if oom use wq. */
- if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL))
+ if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL | __GFP_ZERO))
schedule_delayed_work(&vi->refill, 0);
err = virtnet_enable_queue_pair(vi, i);
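Review bot: this is a byte-for-byte resend of the previous `__GFP_ZERO` patch, apparently because the earlier test job died on the scp timeout rather than on the patch; retrying is fine, but a one-line note above the `---` saying so would help archive readers, and the review points on the previous copy still apply (stale `index` blob id, zeroing masks rather than fixes, and the reproducer's path is tun, not virtio_net).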
--
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-07-18 23:24 ` Jeongjun Park
@ 2024-07-19 3:07 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-19 3:07 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to copy syz-execprog to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.1.88:./syz-execprog"]
syzkaller build log:
Tested on:
commit: 720261cf Merge tag 'bcachefs-2024-07-18.2' of https://..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=60fe94c4ee0cdbda
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=107805fd980000
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
` (6 preceding siblings ...)
2024-07-18 23:24 ` Jeongjun Park
@ 2024-07-19 16:22 ` Jeongjun Park
2024-07-20 0:38 ` syzbot
2024-07-20 8:18 ` [syzbot] " syzbot
` (3 subsequent siblings)
11 siblings, 1 reply; 25+ messages in thread
From: Jeongjun Park @ 2024-07-19 16:22 UTC (permalink / raw)
To: syzbot+a81f2759d022496b40ab; +Cc: linux-kernel
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/net/virtio_net.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index af474cc191d0..1ee2dff625dd 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -2258,6 +2258,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev,
if (unlikely(!curr_skb))
goto err_skb;
+ printk(KERN_INFO "num_buf = %d\n", num_buf);
while (--num_buf) {
buf = virtnet_rq_get_buf(rq, &len, &ctx);
if (unlikely(!buf)) {
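Review bot: the bare `printk(KERN_INFO "num_buf = %d\n", num_buf);` is debugging instrumentation in the merged-receive hot path: it fires on every frame and will flood dmesg on a busy virtio-net device, so anything beyond a one-off syzbot run should be `netdev_dbg()`/`pr_debug()` or a tracepoint (and `%u` if `num_buf` is unsigned). More to the point, the KMSAN report syzbot returned for this patch still traces tun_get_user -> tun_build_skb -> skb_page_frag_refill and never enters receive_mergeable, so this print cannot observe the reproducer's path at all.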
--
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-07-19 16:22 ` Jeongjun Park
@ 2024-07-20 0:38 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-20 0:38 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in hsr_get_node
=====================================================
BUG: KMSAN: uninit-value in hsr_get_node+0xd05/0xd30 net/hsr/hsr_framereg.c:275
hsr_get_node+0xd05/0xd30 net/hsr/hsr_framereg.c:275
fill_frame_info net/hsr/hsr_forward.c:678 [inline]
hsr_forward_skb+0xe9d/0x3b40 net/hsr/hsr_forward.c:715
hsr_handle_frame+0x914/0xbb0 net/hsr/hsr_slave.c:70
__netif_receive_skb_core+0x1f19/0x6c90 net/core/dev.c:5554
__netif_receive_skb_one_core net/core/dev.c:5658 [inline]
__netif_receive_skb+0xca/0xa00 net/core/dev.c:5774
netif_receive_skb_internal net/core/dev.c:5860 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5920
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
tun_get_user+0x5677/0x6b50 drivers/net/tun.c:2006
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2052
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb2f/0x1550 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3490/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_pages_noprof+0x9d6/0xe70 mm/page_alloc.c:4706
alloc_pages_mpol_noprof+0x299/0x990 mm/mempolicy.c:2265
alloc_pages_noprof+0x1bf/0x1e0 mm/mempolicy.c:2336
skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2941
tun_build_skb drivers/net/tun.c:1680 [inline]
tun_get_user+0x1262/0x6b50 drivers/net/tun.c:1823
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2052
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb2f/0x1550 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3490/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 PID: 5480 Comm: syz-executor.0 Not tainted 6.10.0-syzkaller-09703-gd7e78951a8b8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
=====================================================
Tested on:
commit: d7e78951 Merge tag 'net-6.11-rc0' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=116a2349980000
kernel config: https://syzkaller.appspot.com/x/.config?x=be93d3b0d4dc66d7
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=106b443d980000
* Re: [syzbot] Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
` (7 preceding siblings ...)
2024-07-19 16:22 ` Jeongjun Park
@ 2024-07-20 8:18 ` syzbot
2024-07-20 8:30 ` syzbot
` (2 subsequent siblings)
11 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-20 8:18 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
Author: aha310510@gmail.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/hsr/hsr_framereg.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
index 73bc6f659812..b7d5b9da881a 100644
--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -224,6 +224,9 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct list_head *node_db,
if (!skb_mac_header_was_set(skb))
return NULL;
+ if (skb->max_len < sizeof(struct ethhdr))
+ return NULL;
+
ethhdr = (struct ethhdr *)skb_mac_header(skb);
list_for_each_entry_rcu(node, node_db, mac_list) {
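Review bot: `struct sk_buff` has no `max_len` member, so the new check does not compile; the field meant here is `mac_len`, as syzbot's build error for this submission points out. Beyond the typo, the guard only compares header-length bookkeeping against `sizeof(struct ethhdr)`; it says nothing about whether the bytes behind `skb_mac_header(skb)` were ever written, and the KMSAN reports in this thread flag hsr_framereg.c:250/275, well past this early return, so the check is unlikely to change the result even once it builds.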
--
* Re: [syzbot] Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
` (8 preceding siblings ...)
2024-07-20 8:18 ` [syzbot] " syzbot
@ 2024-07-20 8:30 ` syzbot
2024-07-20 10:53 ` syzbot
2025-08-20 16:45 ` Forwarded: Test for a81f2759d022496b40ab syzbot
11 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-20 8:30 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
Author: aha310510@gmail.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/hsr/hsr_framereg.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
index 73bc6f659812..1c492146594c 100644
--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -224,6 +224,9 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct list_head *node_db,
if (!skb_mac_header_was_set(skb))
return NULL;
+ if (skb->mac_len < sizeof(struct ethhdr))
+ return NULL;
+
ethhdr = (struct ethhdr *)skb_mac_header(skb);
list_for_each_entry_rcu(node, node_db, mac_list) {
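Review bot: with `mac_len` this builds, but the guard still tests only `skb->mac_len`, a value the caller sets when it records the header offset, not the number of bytes the sender actually placed in the fragment. KMSAN's complaint is that bytes inside that fragment were never initialised (origin: skb_page_frag_refill in tun_build_skb), so a length comparison cannot clear them, and syzbot's test of this exact patch confirms the report still fires at hsr_framereg.c:278. A useful first check would compare `skb->len` (or use `pskb_may_pull()`) against the offsets hsr_get_node actually dereferences, including the sequence-number/RCT bytes near the end of the frame; if the report persists after that, the uninitialised bytes lie within `skb->len` and the problem is in how tun sizes the frame, not in hsr.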
--
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
[not found] <20240720081802.79749-1-aha310510@gmail.com>
@ 2024-07-20 8:45 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-20 8:45 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
net/hsr/hsr_framereg.c:227:11: error: no member named 'max_len' in 'struct sk_buff'; did you mean 'mac_len'?
Tested on:
commit: 3c3ff7be Merge tag 'powerpc-6.11-1' of git://git.kerne..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=87a805e655619c64
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12ff6521980000
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
[not found] <20240720083036.80392-1-aha310510@gmail.com>
@ 2024-07-20 9:05 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-20 9:05 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in hsr_get_node
syz_tun: entered promiscuous mode
batadv_slave_0: entered promiscuous mode
=====================================================
BUG: KMSAN: uninit-value in hsr_get_node+0xc3b/0xc50 net/hsr/hsr_framereg.c:278
hsr_get_node+0xc3b/0xc50 net/hsr/hsr_framereg.c:278
fill_frame_info net/hsr/hsr_forward.c:678 [inline]
hsr_forward_skb+0xe9d/0x3b40 net/hsr/hsr_forward.c:715
hsr_handle_frame+0x914/0xbb0 net/hsr/hsr_slave.c:70
__netif_receive_skb_core+0x1f19/0x6c90 net/core/dev.c:5554
__netif_receive_skb_one_core net/core/dev.c:5658 [inline]
__netif_receive_skb+0xca/0xa00 net/core/dev.c:5774
netif_receive_skb_internal net/core/dev.c:5860 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5920
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
tun_get_user+0x5677/0x6b50 drivers/net/tun.c:2006
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2052
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb2f/0x1550 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3490/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_pages_noprof+0x9d6/0xe70 mm/page_alloc.c:4706
alloc_pages_mpol_noprof+0x299/0x990 mm/mempolicy.c:2265
alloc_pages_noprof+0x1bf/0x1e0 mm/mempolicy.c:2336
skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2941
tun_build_skb drivers/net/tun.c:1680 [inline]
tun_get_user+0x1262/0x6b50 drivers/net/tun.c:1823
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2052
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb2f/0x1550 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3490/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 PID: 5477 Comm: syz-executor.0 Not tainted 6.10.0-syzkaller-10729-g3c3ff7be9729-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
=====================================================
Tested on:
commit: 3c3ff7be Merge tag 'powerpc-6.11-1' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12aa2559980000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf984d38d0f9fb49
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15a8d749980000
* Re: [syzbot] Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
2024-04-18 4:08 [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
` (9 preceding siblings ...)
2024-07-20 8:30 ` syzbot
@ 2024-07-20 10:53 ` syzbot
2025-08-20 16:45 ` Forwarded: Test for a81f2759d022496b40ab syzbot
11 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-20 10:53 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
Author: aha310510@gmail.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/hsr/hsr_framereg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
index 73bc6f659812..ee388739f1f3 100644
--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -154,7 +154,7 @@ void prp_handle_san_frame(bool san, enum hsr_port_type port,
static struct hsr_node *hsr_add_node(struct hsr_priv *hsr,
struct list_head *node_db,
unsigned char addr[],
- u16 seq_out, bool san,
+ int seq_out, bool san,
enum hsr_port_type rx_port)
{
struct hsr_node *new_node, *node;
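Review bot: widening the `seq_out` parameter of the static hsr_add_node from `u16` to `int` has no effect on behaviour: the only caller in this patch passes the same 16-bit quantity, which is merely sign-extended on entry, and the HSR/PRP sequence number is 16 bits on the wire, so `u16` was the correct type. If this hunk is kept for consistency with the second one, say so in the commit message; otherwise drop it.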
@@ -219,7 +219,7 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct list_head *node_db,
struct ethhdr *ethhdr;
struct prp_rct *rct;
bool san = false;
- u16 seq_out;
+ int seq_out;
if (!skb_mac_header_was_set(skb))
return NULL;
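Review bot: changing the local `seq_out` from `u16` to `int` cannot affect a KMSAN uninit-value report, which is about bytes that were never written (origin: the page-fragment allocation in tun_build_skb), not about integer width; `seq_out` is still assigned from the same frame bytes on every path, and syzbot's result for this patch confirms the report still fires at hsr_framereg.c:275. A fix has to ensure the frame bytes hsr_get_node reads are actually present and initialised before they are read, rather than change the type of the variable they are copied into.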
--
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
[not found] <20240720105318.114879-1-aha310510@gmail.com>
@ 2024-07-20 11:22 ` syzbot
0 siblings, 0 replies; 25+ messages in thread
From: syzbot @ 2024-07-20 11:22 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in hsr_get_node
syz_tun: entered promiscuous mode
batadv_slave_0: entered promiscuous mode
=====================================================
BUG: KMSAN: uninit-value in hsr_get_node+0xd1e/0xd40 net/hsr/hsr_framereg.c:275
hsr_get_node+0xd1e/0xd40 net/hsr/hsr_framereg.c:275
fill_frame_info net/hsr/hsr_forward.c:678 [inline]
hsr_forward_skb+0xe9d/0x3b40 net/hsr/hsr_forward.c:715
hsr_handle_frame+0x914/0xbb0 net/hsr/hsr_slave.c:70
__netif_receive_skb_core+0x1f19/0x6c90 net/core/dev.c:5554
__netif_receive_skb_one_core net/core/dev.c:5658 [inline]
__netif_receive_skb+0xca/0xa00 net/core/dev.c:5774
netif_receive_skb_internal net/core/dev.c:5860 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5920
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
tun_get_user+0x5677/0x6b50 drivers/net/tun.c:2006
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2052
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb2f/0x1550 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3490/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_pages_noprof+0x9d6/0xe70 mm/page_alloc.c:4706
alloc_pages_mpol_noprof+0x299/0x990 mm/mempolicy.c:2265
alloc_pages_noprof+0x1bf/0x1e0 mm/mempolicy.c:2336
skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2941
tun_build_skb drivers/net/tun.c:1680 [inline]
tun_get_user+0x1262/0x6b50 drivers/net/tun.c:1823
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2052
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb2f/0x1550 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
x64_sys_call+0x3490/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 PID: 5476 Comm: syz-executor.0 Not tainted 6.10.0-syzkaller-10729-g3c3ff7be9729-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
=====================================================
Tested on:
commit: 3c3ff7be Merge tag 'powerpc-6.11-1' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13549349980000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf984d38d0f9fb49
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=150cd8ce980000
* Forwarded: Test for a81f2759d022496b40ab
From: syzbot @ 2025-08-20 16:45 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: Test for a81f2759d022496b40ab
Author: syoshida@redhat.com
#syz test
diff --git a/net/hsr/hsr_slave.c b/net/hsr/hsr_slave.c
index b87b6a6fe070..979fe4084f86 100644
--- a/net/hsr/hsr_slave.c
+++ b/net/hsr/hsr_slave.c
@@ -63,8 +63,12 @@ static rx_handler_result_t hsr_handle_frame(struct sk_buff **pskb)
skb_push(skb, ETH_HLEN);
skb_reset_mac_header(skb);
if ((!hsr->prot_version && protocol == htons(ETH_P_PRP)) ||
- protocol == htons(ETH_P_HSR))
+ protocol == htons(ETH_P_HSR)) {
+ if (skb->len < ETH_HLEN + HSR_HLEN)
+ goto finish_pass;
+
skb_set_network_header(skb, ETH_HLEN + HSR_HLEN);
+ }
skb_reset_mac_len(skb);
/* Only the frames received over the interlink port will assign a
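Review bot: the `skb->len < ETH_HLEN + HSR_HLEN` check runs after `skb_push(skb, ETH_HLEN)`, so ETH_HLEN + HSR_HLEN is the right bound, but skb->len also counts paged (non-linear) data; if the HSR tag can sit outside the linear area, `pskb_may_pull(skb, ETH_HLEN + HSR_HLEN)` would both enforce the length and guarantee that the bytes the later tag parsing reads are actually present in the linear buffer. `goto finish_pass` targets a label outside the hunk and hands a frame that carries an HSR/PRP ethertype but is too short to hold the tag to the regular stack instead of dropping it; say in the commit message that passing rather than consuming such frames is intended. The test submission carries no changelog, so the final patch should describe the short-frame condition and the KMSAN report it fixes.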
* Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
From: syzbot @ 2025-08-20 17:25 UTC (permalink / raw)
To: linux-kernel, syoshida, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+a81f2759d022496b40ab@syzkaller.appspotmail.com
Tested-by: syzbot+a81f2759d022496b40ab@syzkaller.appspotmail.com
Tested on:
commit: b19a97d5 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133633bc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=eb938e97c43073ea
dashboard link: https://syzkaller.appspot.com/bug?extid=a81f2759d022496b40ab
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=107317a2580000
Note: testing is done by a robot and is best-effort only.