google / kmsan

KernelMemorySanitizer, a detector of uses of uninitialized memory in the Linux kernel

unbootable kernel #60

Closed butterflyhack closed 5 years ago

butterflyhack commented 5 years ago

I copied .config.example to .config and the kernel compiled successfully, but when syz-manager boots the bzImage the kernel oopses (and, because panic_on_warn is set, panics); the log is below:

[   28.962520] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[   29.021618] 8021q: adding VLAN 0 to HW filter on device eth0
[   29.024422] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   29.070438] ip (3686) used greatest stack depth: 54136 bytes left
[   29.229868] ==================================================================
[   29.232076] BUG: KMSAN: uninit-value in eth_type_trans+0x356/0xa90
[   29.233936] CPU: 1 PID: 3599 Comm: systemd-udevd Not tainted 5.3.0-rc6+ #3
[   29.235989] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   29.238783] Call Trace:
[   29.239546]  <IRQ>
[   29.240186]  dump_stack+0x196/0x1f0
[   29.241301]  kmsan_report+0x162/0x2d0
[   29.242426]  __msan_warning+0x75/0xe0
[   29.243551]  eth_type_trans+0x356/0xa90
[   29.244752]  e1000_clean_rx_irq+0x182a/0x21f0
[   29.246198]  e1000_clean+0x1a49/0x5e20
[   29.247362]  ? e1000_alloc_jumbo_rx_buffers+0xd10/0xd10
[   29.248966]  ? kmsan_get_shadow_origin_ptr+0x230/0x3a0
[   29.250573]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.252148]  ? e1000_shutdown+0x160/0x160
[   29.253396]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.254937]  ? e1000_shutdown+0x160/0x160
[   29.256154]  ? e1000_shutdown+0x160/0x160
[   29.257395]  net_rx_action+0x73b/0x1930
[   29.258597]  ? net_tx_action+0xbc0/0xbc0
[   29.259798]  __do_softirq+0x311/0x83d
[   29.260959]  irq_exit+0x230/0x280
[   29.262005]  do_IRQ+0x20d/0x3a0
[   29.263013]  common_interrupt+0x2e/0x2e
[   29.264186]  </IRQ>
[   29.264877] RIP: 0010:__msan_chain_origin+0x8c/0xe0
[   29.266368] Code: 4a 44 89 f7 e8 95 e9 ff ff 89 c3 65 ff 0d a0 ff ff 7d 65 8b 05 99 ff ff 7d 85 c0 75 30 e8 9c e3 38 ff 4c 89 7d d0 ff 75 d0 9d <65> 48 8b 04 25 28 00 00 00 48 3b 45 e0 75 0d 89 d8 48 83 c4 18 5b
[   29.271841] RSP: 0018:ffff8880451cf9d0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffda
[   29.274078] RAX: 0000000000000000 RBX: 00000000f70000ca RCX: 3acde965b1fdf800
[   29.276188] RDX: 0000000000000a20 RSI: 00000000000836e3 RDI: 00000000d99ad567
[   29.278305] RBP: ffff8880451cfa00 R08: 0000000000000003 R09: ffff8880451cf78c
[   29.280411] R10: 0000000000000003 R11: ffffffff81819f30 R12: ffffc90000916040
[   29.282529] R13: 0000000000000000 R14: 00000000f5c000ca R15: 0000000000000246
[   29.284648]  ? stack_trace_save+0x1b0/0x1b0
[   29.285949]  ___bpf_prog_run+0x68e4/0x9400
[   29.287221]  ? kmsan_get_metadata_or_null+0x208/0x290
[   29.288770]  __bpf_prog_run32+0x101/0x170
[   29.290008]  ? kmem_cache_free+0x18c4/0x2a20
[   29.291347]  ? kmsan_get_shadow_origin_ptr+0x6e/0x3a0
[   29.292902]  ? ___bpf_prog_run+0x9400/0x9400
[   29.294147]  __seccomp_filter+0x587/0x2640
[   29.295440]  ? __msan_metadata_ptr_for_load_1+0x10/0x20
[   29.297046]  ? blkcg_maybe_throttle_current+0x184/0x1380
[   29.298658]  ? kmsan_set_origin+0x25d/0x340
[   29.299949]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.301522]  ? __secure_computing+0x96/0x380
[   29.302816]  __secure_computing+0x1fa/0x380
[   29.304104]  syscall_trace_enter+0x6ed/0xf60
[   29.305467]  do_syscall_64+0x51/0xf0
[   29.306550]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[   29.308066] RIP: 0033:0x7fa53cc340ba
[   29.309168] Code: 48 8b 0d e1 bd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 0b 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ae bd 2b 00 f7 d8 64 89 01 48
[   29.314666] RSP: 002b:00007ffe8e610f38 EFLAGS: 00000206 ORIG_RAX: 000000000000010b
[   29.316888] RAX: ffffffffffffffda RBX: 000055783a011ba0 RCX: 00007fa53cc340ba
[   29.318998] RDX: 000055783a011ba0 RSI: 00007ffe8e610fc0 RDI: 00000000ffffff9c
[   29.321129] RBP: 0000000000000064 R08: 00005578392a0670 R09: 0000000000000070
[   29.323229] R10: 0000000000000063 R11: 0000000000000206 R12: 00007ffe8e610fc0
[   29.325359] R13: 00000000ffffff9c R14: 00007ffe8e610f90 R15: 0000000000000063
[   29.327513] 
[   29.328004] Uninit was created at:
[   29.329081]  kmsan_save_stack_with_flags+0x37/0x70
[   29.330543]  kmsan_internal_alloc_meta_for_pages+0x10f/0x500
[   29.332244]  kmsan_alloc_page+0x7a/0xf0
[   29.333429]  __alloc_pages_nodemask+0x581e/0x5f20
[   29.334849]  page_frag_alloc+0x35b/0x890
[   29.336047]  netdev_alloc_frag+0x1ab/0x1e0
[   29.337304]  e1000_alloc_rx_buffers+0x417/0x1830
[   29.338696]  e1000_configure+0x150f/0x1670
[   29.339931]  e1000_open+0x3c0/0x10a0
[   29.341032]  __dev_open+0x621/0x880
[   29.342103]  __dev_change_flags+0x386/0xb70
[   29.343348]  dev_change_flags+0xf1/0x260
[   29.344532]  do_setlink+0x15c0/0x5ec0
[   29.345647]  rtnl_newlink+0x2eab/0x3990
[   29.346802]  rtnetlink_rcv_msg+0x1158/0x1580
[   29.348073]  netlink_rcv_skb+0x401/0x5f0
[   29.349272]  rtnetlink_rcv+0x50/0x60
[   29.350363]  netlink_unicast+0xf08/0xfe0
[   29.351556]  netlink_sendmsg+0x110d/0x1320
[   29.352794]  ___sys_sendmsg+0x14ef/0x1580
[   29.353968]  __se_sys_sendmsg+0x305/0x460
[   29.355173]  __x64_sys_sendmsg+0x4a/0x70
[   29.356276]  do_syscall_64+0xbc/0xf0
[   29.357305]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[   29.358756] ==================================================================
[   29.360885] Disabling lock debugging due to kernel taint
[   29.362467] Kernel panic - not syncing: panic_on_warn set ...
[   29.364198] CPU: 1 PID: 3599 Comm: systemd-udevd Tainted: G    B             5.3.0-rc6+ #3
[   29.366653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   29.369482] Call Trace:
[   29.370254]  <IRQ>
[   29.370905]  dump_stack+0x196/0x1f0
[   29.371959]  panic+0x3cb/0xc2e
[   29.372969]  kmsan_report+0x2ca/0x2d0
[   29.374103]  __msan_warning+0x75/0xe0
[   29.375235]  eth_type_trans+0x356/0xa90
[   29.376446]  e1000_clean_rx_irq+0x182a/0x21f0
[   29.377877]  e1000_clean+0x1a49/0x5e20
[   29.379034]  ? e1000_alloc_jumbo_rx_buffers+0xd10/0xd10
[   29.380621]  ? kmsan_get_shadow_origin_ptr+0x230/0x3a0
[   29.382252]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.383806]  ? e1000_shutdown+0x160/0x160
[   29.385028]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.386599]  ? e1000_shutdown+0x160/0x160
[   29.387832]  ? e1000_shutdown+0x160/0x160
[   29.389078]  net_rx_action+0x73b/0x1930
[   29.390317]  ? net_tx_action+0xbc0/0xbc0
[   29.391539]  __do_softirq+0x311/0x83d
[   29.392684]  irq_exit+0x230/0x280
[   29.393725]  do_IRQ+0x20d/0x3a0
[   29.394717]  common_interrupt+0x2e/0x2e
[   29.395859]  </IRQ>
[   29.396534] RIP: 0010:__msan_chain_origin+0x8c/0xe0
[   29.398006] Code: 4a 44 89 f7 e8 95 e9 ff ff 89 c3 65 ff 0d a0 ff ff 7d 65 8b 05 99 ff ff 7d 85 c0 75 30 e8 9c e3 38 ff 4c 89 7d d0 ff 75 d0 9d <65> 48 8b 04 25 28 00 00 00 48 3b 45 e0 75 0d 89 d8 48 83 c4 18 5b
[   29.403501] RSP: 0018:ffff8880451cf9d0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffda
[   29.405770] RAX: 0000000000000000 RBX: 00000000f70000ca RCX: 3acde965b1fdf800
[   29.407877] RDX: 0000000000000a20 RSI: 00000000000836e3 RDI: 00000000d99ad567
[   29.410023] RBP: ffff8880451cfa00 R08: 0000000000000003 R09: ffff8880451cf78c
[   29.412138] R10: 0000000000000003 R11: ffffffff81819f30 R12: ffffc90000916040
[   29.425441] R13: 0000000000000000 R14: 00000000f5c000ca R15: 0000000000000246
[   29.427432]  ? stack_trace_save+0x1b0/0x1b0
[   29.428747]  ___bpf_prog_run+0x68e4/0x9400
[   29.431772]  ? kmsan_get_metadata_or_null+0x208/0x290
[   29.433333]  __bpf_prog_run32+0x101/0x170
[   29.434552]  ? kmem_cache_free+0x18c4/0x2a20
[   29.435865]  ? kmsan_get_shadow_origin_ptr+0x6e/0x3a0
[   29.437785]  ? ___bpf_prog_run+0x9400/0x9400
[   29.439075]  __seccomp_filter+0x587/0x2640
[   29.440288]  ? __msan_metadata_ptr_for_load_1+0x10/0x20
[   29.441888]  ? blkcg_maybe_throttle_current+0x184/0x1380
[   29.443503]  ? kmsan_set_origin+0x25d/0x340
[   29.444784]  ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[   29.446317]  ? __secure_computing+0x96/0x380
[   29.447608]  __secure_computing+0x1fa/0x380
[   29.449128]  syscall_trace_enter+0x6ed/0xf60
[   29.450473]  do_syscall_64+0x51/0xf0
[   29.451603]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[   29.453208] RIP: 0033:0x7fa53cc340ba
[   29.454304] Code: 48 8b 0d e1 bd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 0b 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ae bd 2b 00 f7 d8 64 89 01 48
[   29.459704] RSP: 002b:00007ffe8e610f38 EFLAGS: 00000206 ORIG_RAX: 000000000000010b
[   29.461971] RAX: ffffffffffffffda RBX: 000055783a011ba0 RCX: 00007fa53cc340ba
[   29.464067] RDX: 000055783a011ba0 RSI: 00007ffe8e610fc0 RDI: 00000000ffffff9c
[   29.466168] RBP: 0000000000000064 R08: 00005578392a0670 R09: 0000000000000070
[   29.468264] R10: 0000000000000063 R11: 0000000000000206 R12: 00007ffe8e610fc0
[   29.470370] R13: 00000000ffffff9c R14: 00007ffe8e610f90 R15: 0000000000000063
[   29.472786] Dumping ftrace buffer:
[   29.473672]    (ftrace buffer empty)
[   29.474496] Kernel Offset: disabled
[   29.475300] Rebooting in 1 seconds..
^CSIGINT: shutting down...

clang version: clang-10, kernel: 5.3.6-rc7 (note: the log above reports itself as 5.3.0-rc6+). Is the error caused by CONFIG_KMSAN?

dvyukov commented 5 years ago

Is it a true bug in the driver? If so, somebody needs to fix the bug.

butterflyhack commented 5 years ago

the function eth_type_trans code is as below:

__be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
{
    unsigned short _service_access_point;
    const unsigned short *sap;
    const struct ethhdr *eth;

    skb->dev = dev;
    skb_reset_mac_header(skb);

    eth = (struct ethhdr *)skb->data;   -----> the data is uninit?
    skb_pull_inline(skb, ETH_HLEN);
ramosian-glider commented 5 years ago

May I ask you to symbolize this report? The easiest way to do so is to run it through scripts/decode_stacktrace.sh, just make sure CONFIG_DEBUG_INFO is on.

ramosian-glider commented 5 years ago

By the way, do you have panic_on_warn=1 in the boot parameters? If so, the kernel won't proceed after the first warning.

butterflyhack commented 5 years ago

Is this the right command?

./scripts/decode_stacktrace.sh ./vmlinux net/ethernet/ ./drivers/net/ethernet/intel/e1000/
ramosian-glider commented 5 years ago

I believe

$ ./scripts/decode_stacktrace.sh ./vmlinux

should be enough.

butterflyhack commented 5 years ago

The command I ran was:

./scripts/decode_stacktrace.sh ./vmlinux net/ethernet/ ./drivers/net/ethernet/intel/e1000

input:

eth_type_trans+0x356/0xa90

output:

eth_type_trans (/home/adlab/Desktop/kernel-fuzz/kmsan/./include/linux/etherdevice.h:353 /home/adlab/Desktop/kernel-fuzz/kmsan/net/ethernet/eth.c:167) 

etherdevice.h:353:

/*
 * Compare two 6-byte Ethernet addresses for equality.
 *
 * On 64-bit targets with efficient unaligned access this reads a full
 * 8 bytes from each argument -- hence the [6+2] parameter declarations:
 * the caller must guarantee two readable bytes past each address -- and
 * then masks the two extra bytes out with a shift.  Elsewhere it falls
 * back to the byte-wise ether_addr_equal().
 */
static inline bool ether_addr_equal_64bits(const u8 addr1[6+2],
                       const u8 addr2[6+2])
{
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
    /* 8-byte load: the 6 address bytes plus 2 bytes of padding. */
    u64 fold = (*(const u64 *)addr1) ^ (*(const u64 *)addr2);

#ifdef __BIG_ENDIAN
    /* Big-endian: padding sits in the low 16 bits, shift it out. */
    return (fold >> 16) == 0;
#else
    /*
     * Little-endian: padding sits in the top 16 bits and is shifted out,
     * so only the 6 address bytes decide the result.  The KMSAN report in
     * this issue resolves to this line (eth.c:167 -> etherdevice.h:353).
     * NOTE(review): since the padding bytes are discarded here, the
     * poisoned bytes are presumably in the address itself (per the origin
     * trace, eth->h_dest in the e1000 RX buffer) -- assumes KMSAN tracks
     * shadow bit-exactly through the shift; confirm with a symbolized report.
     */
    return (fold << 16) == 0; ------> line 353
#endif
#else
    return ether_addr_equal(addr1, addr2);
#endif
}

eth.c:167

__be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
{
    unsigned short _service_access_point;
    const unsigned short *sap;
    const struct ethhdr *eth;

    skb->dev = dev;
    skb_reset_mac_header(skb);

    eth = (struct ethhdr *)skb->data;
    skb_pull_inline(skb, ETH_HLEN);

    if (unlikely(!ether_addr_equal_64bits(eth->h_dest, ------> line 167
                          dev->dev_addr))) {
        if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
            if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
                skb->pkt_type = PACKET_BROADCAST;
            else
                skb->pkt_type = PACKET_MULTICAST;
        } else {
            skb->pkt_type = PACKET_OTHERHOST;
        }
    }

ether_addr_equal_64bits seems to have some problem. Maybe it is a true bug? (Reviewer note: the "Uninit was created at" trace shows the buffer came from netdev_alloc_frag() inside e1000_alloc_rx_buffers(), i.e. an RX buffer whose contents are written by the (emulated) NIC via DMA, which compiler instrumentation cannot observe. So the question to settle is whether the driver passes a buffer to eth_type_trans() before the device has written it, or whether the DMA unmap/sync path should have marked the buffer initialized and did not; a fully symbolized report would distinguish the two.)

ramosian-glider commented 5 years ago

Sorry, I didn't have time to look into this issue. Is it still reproducible? Also, may I take a look at the whole symbolized report, not just a single line?

ramosian-glider commented 5 years ago

Closing for now, feel free to reopen if the bug is still reproducible.