Re: [syzbot] [netfilter?] KMSAN: uninit-value in ip6table_mangle_hook (3)
From: syzbot
Date: Tue Dec 03 2024 - 09:02:10 EST
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in ip6table_mangle_hook
=====================================================
BUG: KMSAN: uninit-value in ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:56 [inline]
BUG: KMSAN: uninit-value in ip6table_mangle_hook+0x97d/0x9c0 net/ipv6/netfilter/ip6table_mangle.c:72
ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:56 [inline]
ip6table_mangle_hook+0x97d/0x9c0 net/ipv6/netfilter/ip6table_mangle.c:72
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
__ip6_local_out+0x5ac/0x640 net/ipv6/output_core.c:143
ip6_local_out+0x4c/0x210 net/ipv6/output_core.c:153
ip6tunnel_xmit+0x129/0x460 include/net/ip6_tunnel.h:161
ip6_tnl_xmit+0x3526/0x3980 net/ipv6/ip6_tunnel.c:1283
__gre6_xmit+0x14b9/0x1550 net/ipv6/ip6_gre.c:815
ip6gre_xmit_ipv4 net/ipv6/ip6_gre.c:839 [inline]
ip6gre_tunnel_xmit+0x18f7/0x2030 net/ipv6/ip6_gre.c:922
__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
netdev_start_xmit include/linux/netdevice.h:5011 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606
sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3827 [inline]
__dev_queue_xmit+0x30b9/0x57d0 net/core/dev.c:4400
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3146 [inline]
packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:726
__sys_sendto+0x594/0x750 net/socket.c:2197
__do_sys_sendto net/socket.c:2204 [inline]
__se_sys_sendto net/socket.c:2200 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
ip6_tnl_xmit+0x3657/0x3980 net/ipv6/ip6_tunnel.c:1279
__gre6_xmit+0x14b9/0x1550 net/ipv6/ip6_gre.c:815
ip6gre_xmit_ipv4 net/ipv6/ip6_gre.c:839 [inline]
ip6gre_tunnel_xmit+0x18f7/0x2030 net/ipv6/ip6_gre.c:922
__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
netdev_start_xmit include/linux/netdevice.h:5011 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606
sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3827 [inline]
__dev_queue_xmit+0x30b9/0x57d0 net/core/dev.c:4400
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3146 [inline]
packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:726
__sys_sendto+0x594/0x750 net/socket.c:2197
__do_sys_sendto net/socket.c:2204 [inline]
__se_sys_sendto net/socket.c:2200 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4110 [inline]
slab_alloc_node mm/slub.c:4153 [inline]
__do_kmalloc_node mm/slub.c:4282 [inline]
__kmalloc_node_track_caller_noprof+0x945/0x1240 mm/slub.c:4302
kmalloc_reserve+0x23e/0x4a0 net/core/skbuff.c:609
__alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
skb_copy_expand+0x1f6/0x1090 net/core/skbuff.c:2499
ip6_tnl_xmit+0x2191/0x3980 net/ipv6/ip6_tunnel.c:1227
__gre6_xmit+0x14b9/0x1550 net/ipv6/ip6_gre.c:815
ip6gre_xmit_ipv4 net/ipv6/ip6_gre.c:839 [inline]
ip6gre_tunnel_xmit+0x18f7/0x2030 net/ipv6/ip6_gre.c:922
__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
netdev_start_xmit include/linux/netdevice.h:5011 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606
sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3827 [inline]
__dev_queue_xmit+0x30b9/0x57d0 net/core/dev.c:4400
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3146 [inline]
packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:726
__sys_sendto+0x594/0x750 net/socket.c:2197
__do_sys_sendto net/socket.c:2204 [inline]
__se_sys_sendto net/socket.c:2200 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 6676 Comm: syz.0.15 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
Tested on:
commit: cdd30ebb module: Convert symbol namespace to string li..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=135ec0f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=46e22a9795a5542
dashboard link: https://syzkaller.appspot.com/bug?extid=6023ea32e206eef7920a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=145b75e8580000