
KernelMemorySanitizer, a detector of uses of uninitialized memory in the Linux kernel

duplicate stack origin PC #68

Closed dvyukov closed 3 years ago

dvyukov commented 4 years ago

KMSAN report on df335139:

[ 1784.019981][    C0] =====================================================
[ 1784.022223][    C0] BUG: KMSAN: uninit-value in nf_ip_checksum+0x758/0x770
[ 1784.022223][    C0] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.4.0-rc8-syzkaller #0
[ 1784.022223][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1784.022223][    C0] Call Trace:
[ 1784.022223][    C0]  dump_stack+0x1c9/0x220
[ 1784.022223][    C0]  kmsan_report+0x128/0x220
[ 1784.022223][    C0]  __msan_warning+0x64/0xc0
[ 1784.022223][    C0]  nf_ip_checksum+0x758/0x770
[ 1784.022223][    C0]  nf_nat_icmp_reply_translation+0x2ba/0x970
[ 1784.022223][    C0]  ? kmsan_get_shadow_origin_ptr+0x1e8/0x4d0
[ 1784.022223][    C0]  ? nf_nat_ipv4_in+0x23b/0x580
[ 1784.022223][    C0]  nf_nat_ipv4_in+0x2a7/0x580
[ 1784.022223][    C0]  ? sctp_csum_combine+0xa0/0xa0
[ 1784.022223][    C0]  nf_hook_slow+0x18b/0x3f0
[ 1784.022223][    C0]  ip_rcv+0x259/0x740
[ 1784.022223][    C0]  ? ip_rcv_core+0x11d0/0x11d0
[ 1784.022223][    C0]  ? ip_local_deliver_finish+0x350/0x350
[ 1784.022223][    C0]  process_backlog+0xece/0x13c0
[ 1784.022223][    C0]  ? ip_local_deliver_finish+0x350/0x350
[ 1784.022223][    C0]  ? rps_trigger_softirq+0x2e0/0x2e0
[ 1784.022223][    C0]  net_rx_action+0x7a6/0x1aa0
[ 1784.022223][    C0]  ? net_tx_action+0xc40/0xc40
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  ? ksoftirqd_should_run+0x30/0x30
[ 1784.022223][    C0]  ? takeover_tasklets+0x900/0x900
[ 1784.022223][    C0]  run_ksoftirqd+0x25/0x40
[ 1784.022223][    C0]  smpboot_thread_fn+0x4a3/0x990
[ 1784.022223][    C0]  kthread+0x4b5/0x4f0
[ 1784.022223][    C0]  ? cpu_report_death+0x190/0x190
[ 1784.022223][    C0]  ? kthread_blkcg+0xf0/0xf0
[ 1784.022223][    C0]  ret_from_fork+0x35/0x40
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  __msan_chain_origin+0x5c/0xc0
[ 1784.022223][    C0]  __skb_checksum_complete+0x419/0x530
[ 1784.022223][    C0]  nf_ip_checksum+0x567/0x770
[ 1784.022223][    C0]  nf_nat_icmp_reply_translation+0x2ba/0x970
[ 1784.022223][    C0]  nf_nat_ipv4_local_fn+0x215/0x840
[ 1784.022223][    C0]  nf_hook_slow+0x18b/0x3f0
[ 1784.022223][    C0]  __ip_local_out+0x69b/0x800
[ 1784.022223][    C0]  ip_push_pending_frames+0x16f/0x460
[ 1784.022223][    C0]  icmp_push_reply+0x692/0x750
[ 1784.022223][    C0]  __icmp_send+0x2313/0x3080
[ 1784.022223][    C0]  ipv4_link_failure+0x73c/0xaf0
[ 1784.022223][    C0]  arp_error_report+0x106/0x1a0
[ 1784.022223][    C0]  neigh_invalidate+0x362/0x8f0
[ 1784.022223][    C0]  neigh_timer_handler+0xda4/0x1450
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  metadata_is_contiguous+0xa/0x270
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x6e/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_store_4+0x13/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1dec/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  csum_partial_copy+0xae/0x100
[ 1784.022223][    C0]  skb_copy_and_csum_bits+0x205/0x10b0
[ 1784.022223][    C0]  icmp_glue_bits+0x16b/0x380
[ 1784.022223][    C0]  __ip_append_data+0x435f/0x5290
[ 1784.022223][    C0]  ip_append_data+0x328/0x480
[ 1784.022223][    C0]  icmp_push_reply+0x210/0x750
[ 1784.022223][    C0]  __icmp_send+0x2313/0x3080
[ 1784.022223][    C0]  ipv4_link_failure+0x73c/0xaf0
[ 1784.022223][    C0]  arp_error_report+0x106/0x1a0
[ 1784.022223][    C0]  neigh_invalidate+0x362/0x8f0
[ 1784.022223][    C0]  neigh_timer_handler+0xda4/0x1450
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  metadata_is_contiguous+0xa/0x270
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x6e/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_store_4+0x13/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1dec/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  sctp_packet_transmit+0x1d9e/0x4250
[ 1784.022223][    C0]  sctp_outq_flush+0x1823/0x5d80
[ 1784.022223][    C0]  sctp_outq_uncork+0xd0/0xf0
[ 1784.022223][    C0]  sctp_do_sm+0x8fe1/0x9720
[ 1784.022223][    C0]  sctp_generate_heartbeat_event+0x3c6/0x5a0
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x52/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_load_8+0x10/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1886/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  sctp_make_heartbeat+0x612/0x9e0
[ 1784.022223][    C0]  sctp_sf_sendbeat_8_3+0x18d/0xb10
[ 1784.022223][    C0]  sctp_do_sm+0x2b2/0x9720
[ 1784.022223][    C0]  sctp_generate_heartbeat_event+0x3c6/0x5a0
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x52/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_load_8+0x10/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1886/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  sctp_make_heartbeat+0x3e9/0x9e0
[ 1784.022223][    C0]  sctp_sf_sendbeat_8_3+0x18d/0xb10
[ 1784.022223][    C0]  sctp_do_sm+0x2b2/0x9720
[ 1784.022223][    C0]  sctp_generate_heartbeat_event+0x3c6/0x5a0
[ 1784.022223][    C0]  call_timer_fn+0x232/0x530
[ 1784.022223][    C0]  __run_timers+0xd60/0x1270
[ 1784.022223][    C0]  run_timer_softirq+0x2d/0x50
[ 1784.022223][    C0]  __do_softirq+0x4a1/0x83a
[ 1784.022223][    C0]  irq_exit+0x230/0x280
[ 1784.022223][    C0]  exiting_irq+0xe/0x10
[ 1784.022223][    C0]  smp_apic_timer_interrupt+0x48/0x70
[ 1784.022223][    C0]  apic_timer_interrupt+0x2e/0x40
[ 1784.022223][    C0]  kmsan_get_shadow_origin_ptr+0x52/0x4d0
[ 1784.022223][    C0]  __msan_metadata_ptr_for_load_8+0x10/0x20
[ 1784.022223][    C0]  unmap_page_range+0x1886/0x3ac0
[ 1784.022223][    C0]  unmap_single_vma+0x43f/0x5e0
[ 1784.022223][    C0]  unmap_vmas+0x391/0x4b0
[ 1784.022223][    C0]  exit_mmap+0x50e/0xa00
[ 1784.022223][    C0]  __mmput+0x148/0x590
[ 1784.022223][    C0]  mmput+0x83/0x90
[ 1784.022223][    C0]  exit_mm+0x6b7/0x770
[ 1784.022223][    C0]  do_exit+0xae4/0x3a70
[ 1784.022223][    C0]  do_group_exit+0x18a/0x320
[ 1784.022223][    C0]  get_signal+0xbf6/0x32f0
[ 1784.022223][    C0]  do_signal+0x6f/0xe10
[ 1784.022223][    C0]  prepare_exit_to_usermode+0x2c5/0x4d0
[ 1784.022223][    C0]  syscall_return_slowpath+0x90/0x610
[ 1784.022223][    C0]  do_syscall_64+0xdc/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Uninit was stored to memory at:
[ 1784.022223][    C0]  kmsan_internal_chain_origin+0xbd/0x180
[ 1784.022223][    C0]  kmsan_memcpy_memmove_metadata+0x25c/0x2e0
[ 1784.022223][    C0]  kmsan_memcpy_metadata+0xb/0x10
[ 1784.022223][    C0]  __msan_memcpy+0x56/0x70
[ 1784.022223][    C0]  sctp_transport_new+0x248/0xa00
[ 1784.022223][    C0]  sctp_assoc_add_peer+0x5ba/0x2030
[ 1784.022223][    C0]  sctp_process_init+0x162b/0x3e30
[ 1784.022223][    C0]  sctp_do_sm+0x1b8b/0x9720
[ 1784.022223][    C0]  sctp_assoc_bh_rcv+0x65a/0xd80
[ 1784.022223][    C0]  sctp_inq_push+0x300/0x420
[ 1784.022223][    C0]  sctp_backlog_rcv+0x2d7/0x11a0
[ 1784.022223][    C0]  __release_sock+0x448/0x640
[ 1784.022223][    C0]  release_sock+0x99/0x2a0
[ 1784.022223][    C0]  sctp_wait_for_connect+0x3d7/0x840
[ 1784.022223][    C0]  __sctp_connect+0x1e9d/0x1f20
[ 1784.022223][    C0]  sctp_setsockopt+0x960d/0x19090
[ 1784.022223][    C0]  sock_common_setsockopt+0x13b/0x170
[ 1784.022223][    C0]  __sys_setsockopt+0x7c3/0xa30
[ 1784.022223][    C0]  __se_sys_setsockopt+0xdd/0x100
[ 1784.022223][    C0]  __x64_sys_setsockopt+0x62/0x80
[ 1784.022223][    C0]  do_syscall_64+0xb6/0x160
[ 1784.022223][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1784.022223][    C0] 
[ 1784.022223][    C0] Local variable description: ----addr.i@sctp_process_init
[ 1784.022223][    C0] Variable was created at:
[ 1784.022223][    C0]  sctp_process_init+0x603/0x3e30
[ 1784.022223][    C0]  sctp_process_init+0x603/0x3e30
[ 1784.022223][    C0] =====================================================

The origin stack contains the same PC twice. As far as I remember, we aimed to record the caller PC and the grand-caller PC. Do we mistakenly record one of them twice and drop the other?

dvyukov commented 3 years ago

Still happens:

[  136.988453][    T7] Local variable ----wait@mempool_alloc created at:
[  136.995017][    T7]  mempool_alloc+0x66/0x990
[  136.999518][    T7]  mempool_alloc+0x66/0x990
ramosian-glider commented 3 years ago

Duplicate of #75