From: Simon Horman <horms@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: Jens Axboe <axboe@kernel.dk>,
linux-kernel <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, Eric Dumazet <eric.dumazet@gmail.com>,
syzbot <syzkaller@googlegroups.com>,
stable@vger.kernel.org, Josef Bacik <josef@toxicpanda.com>,
linux-block@vger.kernel.org, nbd@other.debian.org
Subject: Re: [PATCH net] nbd: always initialize struct msghdr completely
Date: Mon, 15 Jan 2024 13:50:51 +0000 [thread overview]
Message-ID: <20240115135051.GA432001@kernel.org> (raw)
In-Reply-To: <20240112132657.647112-1-edumazet@google.com>
On Fri, Jan 12, 2024 at 01:26:57PM +0000, Eric Dumazet wrote:
> syzbot complains that msg->msg_get_inq value can be uninitialized [1]
>
> struct msghdr got many new fields recently, we should always make
> sure their values is zero by default.
>
> [1]
> BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571
> tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571
> inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879
> sock_recvmsg_nosec net/socket.c:1044 [inline]
> sock_recvmsg+0x12b/0x1e0 net/socket.c:1066
> __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538
> nbd_read_reply drivers/block/nbd.c:732 [inline]
> recv_work+0x262/0x3100 drivers/block/nbd.c:863
> process_one_work kernel/workqueue.c:2627 [inline]
> process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
> worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
> kthread+0x3ed/0x540 kernel/kthread.c:388
> ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
>
> Local variable msg created at:
> __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513
> nbd_read_reply drivers/block/nbd.c:732 [inline]
> recv_work+0x262/0x3100 drivers/block/nbd.c:863
>
> CPU: 1 PID: 7465 Comm: kworker/u5:1 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> Workqueue: nbd5-recv recv_work
>
> Fixes: f94fd25cb0aa ("tcp: pass back data left in socket after receive")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
...
next prev parent reply other threads:[~2024-01-15 13:50 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-12 13:26 [PATCH net] nbd: always initialize struct msghdr completely Eric Dumazet
2024-01-15 13:50 ` Simon Horman [this message]
2024-01-17 15:48 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240115135051.GA432001@kernel.org \
--to=horms@kernel.org \
--cc=axboe@kernel.dk \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=josef@toxicpanda.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nbd@other.debian.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.