Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1922167imm; Sun, 23 Sep 2018 15:11:04 -0700 (PDT) X-Google-Smtp-Source: ACcGV61PI7sbNZhCLsbyCvppVu0W64OBkM8Gi3jj2NR/jtsyg/DulLjcmKT6xuS6nkPkC4JKzCoy X-Received: by 2002:a63:6445:: with SMTP id y66-v6mr7116348pgb.443.1537740664583; Sun, 23 Sep 2018 15:11:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537740664; cv=none; d=google.com; s=arc-20160816; b=v3Jl0ukQ7GdZUfuS8TnTlMCFnvK1DokOQT1tGwmaxaj6g2VuRTq0O5QV042ftD0K/v Z6Gn0+IORAc31mWn1VnecaJ+bSl7sq6zGEWdk0MjvPVHBDexu/HXnYaR09vgCdA288BR cO+rg/ppZ2c2R4ygR8y0bue45sRcn7pvy0BtheBpKQlXTrtJKhPXNou6jXv6mI1GfV6d BAmqIhQE6eB+xrZnXIYnu37cevS7recEtMz10YOO3q1kpwLSGWpo33XNM4Gc9PpkWfee pvV/14U9by6mCCabkKK5vLC4ugkZhvFFdI5dfHQ1bg6TOQIqkALzPjOJCh97fRBHAzHC 9zxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:thread-index:thread-topic :content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date; bh=GaII+KnyrrgNsGz/osuId8vRKNw4qfsYFmt7bt08VHA=; b=z1PW0gXMYPTt/J61yyDzSxcN84Iwl2+ZA0qtuzBBln4DTxYLOr3oJMnedQ3Ba6qSt5 4Qd8SzNd4L0nDfV1Gj5DtUxULX0wvpDXqnX/+wdPeIjHjKrX+f7VT7HMbj3s1mB0YNAj +xNcdBQjxrZa9xjcsYfUZtzEKQzl3bCxyNLt+vw12XadzqAaEfGf4XZrTDcmcOSmaLig Pe6IBUAYeSU6Wf+oRtOuGMhnIi6B0+QnN+cpAGju34lu4m1PVcTxC0xNZ3UOZng6/qWN rkL4nwAm6JZ1YWvwcLT0ZnGEt4aWI1AZtPR/u7oCnQfFcA1/8q9ZDfGdb5HHAxpJrzak DRrQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d16-v6si33238440pfe.267.2018.09.23.15.10.46; Sun, 23 Sep 2018 15:11:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726053AbeIXEIZ (ORCPT + 99 others); Mon, 24 Sep 2018 00:08:25 -0400 Received: from mx1.redhat.com ([209.132.183.28]:50662 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725804AbeIXEIZ (ORCPT ); Mon, 24 Sep 2018 00:08:25 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CE7204DD49; Sun, 23 Sep 2018 22:09:18 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A2E2018EF3; Sun, 23 Sep 2018 22:09:18 +0000 (UTC) Received: from zmail21.collab.prod.int.phx2.redhat.com (zmail21.collab.prod.int.phx2.redhat.com [10.5.83.24]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 64EEF4BB74; Sun, 23 Sep 2018 22:09:18 +0000 (UTC) Date: Sun, 23 Sep 2018 18:09:18 -0400 (EDT) From: Vladis Dronov To: Dmitry Vyukov Cc: syzbot , syzkaller-bugs , David Miller , Eric Dumazet , LKML , netdev , sunlianwen Message-ID: <1040580049.15456466.1537740558279.JavaMail.zimbra@redhat.com> In-Reply-To: References: <000000000000565ab805768bf006@google.com> <125732064.15444205.1537718529926.JavaMail.zimbra@redhat.com> Subject: Re: KMSAN: uninit-value in memcmp (2) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Originating-IP: [10.40.200.22, 10.4.195.29] Thread-Topic: KMSAN: uninit-value in memcmp (2) Thread-Index: tQAyG5rC4ivVSoeQ1Fo/EeLJVURPlQ== X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Sun, 23 Sep 2018 22:09:18 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, Dmirty, Thank you for the reply. Can we please, discuss this further? > You can see on dashboard that the last crash > for the second version (2) happened just few days ago. So this is a > different bug. Well... yes and no. When I was looking at this bug (bug?id=088efeac32fd) I was looking at the report at "2018/05/09 18:55" (https://syzkaller.appspot.com/text?tag=CrashReport&x=141b707b800000), since it was the only report with a reproducer. This was my error. The error and the call trace in this report are: >>> BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861 CPU: 0 PID: 38 Comm: kworker/0:1 Not tainted 4.17.0-rc3+ #88 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:113 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683 memcmp+0x119/0x180 lib/string.c:861 __hw_addr_add_ex net/core/dev_addr_lists.c:61 [inline] __dev_mc_add+0x1fc/0x900 net/core/dev_addr_lists.c:670 dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687 igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662 ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914 addrconf_join_solict net/ipv6/addrconf.c:2103 [inline] addrconf_dad_begin net/ipv6/addrconf.c:3853 [inline] addrconf_dad_work+0x462/0x2a20 net/ipv6/addrconf.c:3979 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2279 kthread+0x539/0x720 kernel/kthread.c:239 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:412 Local variable description: ----buf@igmp6_group_added Variable was created at: igmp6_group_added+0x4a/0xa00 net/ipv6/mcast.c:650 ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914 <<< It is the same like in bug?id=3887c0d99aecb27d085180c5222d245d08a30806 which, after some more test, made me believe these bugs are duplicate and are fixed by the same commit. But let's look at another report at "2018/09/12 21:00" (https://syzkaller.appspot.com/text?tag=CrashReport&x=14f99b71400000) at the bug (bug?id=088efeac32fd), the one you've mentioned as "the last crash for the second version (2) happened just few days ago". Its error and the call trace are completely different: >>> BUG: KMSAN: uninit-value in memcmp+0x11d/0x180 lib/string.c:863 CPU: 0 PID: 6107 Comm: syz-executor4 Not tainted 4.19.0-rc3+ #45 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x14b/0x190 lib/dump_stack.c:113 kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:956 __msan_warning+0x70/0xc0 mm/kmsan/kmsan_instr.c:645 memcmp+0x11d/0x180 lib/string.c:863 dev_uc_add_excl+0x165/0x7b0 net/core/dev_addr_lists.c:464 ndo_dflt_fdb_add net/core/rtnetlink.c:3463 [inline] rtnl_fdb_add+0x1081/0x1270 net/core/rtnetlink.c:3558 rtnetlink_rcv_msg+0xa0b/0x1530 net/core/rtnetlink.c:4715 netlink_rcv_skb+0x36e/0x5f0 net/netlink/af_netlink.c:2454 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4733 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x1638/0x1720 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x1205/0x1290 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ... Uninit was created at: ... slab_post_alloc_hook mm/slab.h:446 [inline] slab_alloc_node mm/slub.c:2718 [inline] __kmalloc_node_track_caller+0x9e7/0x1160 mm/slub.c:4351 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x2f5/0x9e0 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:996 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline] netlink_sendmsg+0xb49/0x1290 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114 <<< This is a different bug. How come these 2 different reports for 2 different bugs have ended in the same syzkaller report (bug?id=088efeac32fd) ? One bug is fixed by the "net: fix uninit-value in __hw_addr_add_ex()" commit, the second one is not, but they are still in the same syzkaller report. This was the reason of my confusion. I'm not sure how to fix this. If it is possible, probably we need to cancel/revoke "#syz fix: net: fix uninit-value in __hw_addr_add_ex()" for this syzkaller report (bug?id=088efeac32fd). And then "split" it into 2 or more different reports, but I'm not sure if this is possible. Probably, syzkaller needs to look deeper into the KMSAN reports to differentiate KMSAN errors happening because of different reasons. Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer ----- Original Message ----- > From: "Dmitry Vyukov" > To: "Vladis Dronov" > Cc: "syzbot" , "syzkaller-bugs" > , "David Miller" , "Eric Dumazet" , > "LKML" , "netdev" , "sunlianwen" > Sent: Sunday, September 23, 2018 6:22:36 PM > Subject: Re: KMSAN: uninit-value in memcmp (2) > > On Sun, Sep 23, 2018 at 6:02 PM, Vladis Dronov wrote: > > #syz fix: net: fix uninit-value in __hw_addr_add_ex() > > Hi Vladis, > > This can be fixed with "net: fix uninit-value in __hw_addr_add_ex()". > That commit landed in April, syzbot waited till the commit reached all > tested trees, and then closed the bug. > But the similar bug continued to happen, so syzbot created second > version of this bug (2). You can see on dashboard that the last crash > for the second version (2) happened just few days ago. So this is a > different bug. >