* [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep()
@ 2025-11-07 4:10 Kriish Sharma
2025-11-07 15:37 ` Jason Gunthorpe
0 siblings, 1 reply; 8+ messages in thread
From: Kriish Sharma @ 2025-11-07 4:10 UTC (permalink / raw)
To: Jason Gunthorpe, Leon Romanovsky, Vlad Dumitrescu, Parav Pandit,
Edward Srouji
Cc: linux-rdma, linux-kernel, Kriish Sharma,
syzbot+938fcd548c303fe33c1a
KMSAN reported a use of uninitialized memory in hex_byte_pack()
via ip6_string() when printing %pI6 from ib_nl_handle_ip_res_resp().
If the LS_NLA_TYPE_DGID attribute is missing, 'gid' remains
uninitialized before being used in pr_info(), leading to a
KMSAN uninit-value report.
Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=938fcd548c303fe33c1a
Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
Signed-off-by: Kriish Sharma <kriish.sharma2006@gmail.com>
---
drivers/infiniband/core/addr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
index 61596cda2b65..4c602fcae12f 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -99,7 +99,7 @@ static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)
static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh)
{
const struct nlattr *head, *curr;
- union ib_gid gid;
+ union ib_gid gid = {};
struct addr_req *req;
int len, rem;
int found = 0;
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep() 2025-11-07 4:10 [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep() Kriish Sharma @ 2025-11-07 15:37 ` Jason Gunthorpe 2025-11-07 18:13 ` Kriish Sharma 2025-11-07 19:11 ` Vlad Dumitrescu 0 siblings, 2 replies; 8+ messages in thread From: Jason Gunthorpe @ 2025-11-07 15:37 UTC (permalink / raw) To: Kriish Sharma Cc: Leon Romanovsky, Vlad Dumitrescu, Parav Pandit, Edward Srouji, linux-rdma, linux-kernel, syzbot+938fcd548c303fe33c1a On Fri, Nov 07, 2025 at 04:10:02AM +0000, Kriish Sharma wrote: > KMSAN reported a use of uninitialized memory in hex_byte_pack() > via ip6_string() when printing %pI6 from ib_nl_handle_ip_res_resp(). > If the LS_NLA_TYPE_DGID attribute is missing, 'gid' remains > uninitialized before being used in pr_info(), leading to a > KMSAN uninit-value report. > > Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=938fcd548c303fe33c1a > Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload") > Signed-off-by: Kriish Sharma <kriish.sharma2006@gmail.com> > --- > drivers/infiniband/core/addr.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c > index 61596cda2b65..4c602fcae12f 100644 > --- a/drivers/infiniband/core/addr.c > +++ b/drivers/infiniband/core/addr.c > @@ -99,7 +99,7 @@ static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh) > static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh) > { > const struct nlattr *head, *curr; > - union ib_gid gid; > + union ib_gid gid = {}; > struct addr_req *req; > int len, rem; > int found = 0; This doesn't seem right. We have this as the only caller: if (ib_nl_is_good_ip_resp(nlh)) ib_nl_process_good_ip_rsep(nlh); And ib_nl_is_good_ip_resp() does: ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh), nlmsg_len(nlh), ib_nl_addr_policy, NULL); static const struct nla_policy ib_nl_addr_policy[LS_NLA_TYPE_MAX] = { [LS_NLA_TYPE_DGID] = {.type = NLA_BINARY, .len = sizeof(struct rdma_nla_ls_gid), .validation_type = NLA_VALIDATE_MIN, .min = sizeof(struct rdma_nla_ls_gid)}, }; So I expect the nla_parse_deprecated() to fail if this: nla_for_each_attr(curr, head, len, rem) { if (curr->nla_type == LS_NLA_TYPE_DGID) memcpy(&gid, nla_data(curr), nla_len(curr)); } Doesn't find a DGID. So how can gid be uninitialized? The fix to whatever this is should be in ib_nl_is_good_ip_resp(). Jason ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep() 2025-11-07 15:37 ` Jason Gunthorpe @ 2025-11-07 18:13 ` Kriish Sharma 2025-11-07 19:11 ` Vlad Dumitrescu 1 sibling, 0 replies; 8+ messages in thread From: Kriish Sharma @ 2025-11-07 18:13 UTC (permalink / raw) To: Jason Gunthorpe Cc: Leon Romanovsky, Vlad Dumitrescu, Parav Pandit, Edward Srouji, linux-rdma, linux-kernel, syzbot+938fcd548c303fe33c1a Hi Jason, Thanks for the insight. I’ll dig deeper into the handling inside ib_nl_is_good_ip_resp() and follow up with an updated analysis or patch. Regards, Kriish On Fri, Nov 7, 2025 at 9:07 PM Jason Gunthorpe <jgg@ziepe.ca> wrote: > > On Fri, Nov 07, 2025 at 04:10:02AM +0000, Kriish Sharma wrote: > > KMSAN reported a use of uninitialized memory in hex_byte_pack() > > via ip6_string() when printing %pI6 from ib_nl_handle_ip_res_resp(). > > If the LS_NLA_TYPE_DGID attribute is missing, 'gid' remains > > uninitialized before being used in pr_info(), leading to a > > KMSAN uninit-value report. > > > > Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com > > Closes: https://syzkaller.appspot.com/bug?extid=938fcd548c303fe33c1a > > Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload") > > Signed-off-by: Kriish Sharma <kriish.sharma2006@gmail.com> > > --- > > drivers/infiniband/core/addr.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c > > index 61596cda2b65..4c602fcae12f 100644 > > --- a/drivers/infiniband/core/addr.c > > +++ b/drivers/infiniband/core/addr.c > > @@ -99,7 +99,7 @@ static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh) > > static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh) > > { > > const struct nlattr *head, *curr; > > - union ib_gid gid; > > + union ib_gid gid = {}; > > struct addr_req *req; > > int len, rem; > > int found = 0; > > This doesn't seem right. > > We have this as the only caller: > > if (ib_nl_is_good_ip_resp(nlh)) > ib_nl_process_good_ip_rsep(nlh); > > And ib_nl_is_good_ip_resp() does: > > ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh), > nlmsg_len(nlh), ib_nl_addr_policy, > NULL); > > static const struct nla_policy ib_nl_addr_policy[LS_NLA_TYPE_MAX] = { > [LS_NLA_TYPE_DGID] = {.type = NLA_BINARY, > .len = sizeof(struct rdma_nla_ls_gid), > .validation_type = NLA_VALIDATE_MIN, > .min = sizeof(struct rdma_nla_ls_gid)}, > }; > > So I expect the nla_parse_deprecated() to fail if this: > > nla_for_each_attr(curr, head, len, rem) { > if (curr->nla_type == LS_NLA_TYPE_DGID) > memcpy(&gid, nla_data(curr), nla_len(curr)); > } > > Doesn't find a DGID. > > So how can gid be uninitialized? > > The fix to whatever this is should be in ib_nl_is_good_ip_resp(). > > Jason ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep() 2025-11-07 15:37 ` Jason Gunthorpe 2025-11-07 18:13 ` Kriish Sharma @ 2025-11-07 19:11 ` Vlad Dumitrescu 2025-11-07 19:17 ` Jason Gunthorpe 1 sibling, 1 reply; 8+ messages in thread From: Vlad Dumitrescu @ 2025-11-07 19:11 UTC (permalink / raw) To: Jason Gunthorpe, Kriish Sharma Cc: Leon Romanovsky, Parav Pandit, Edward Srouji, linux-rdma, linux-kernel, syzbot+938fcd548c303fe33c1a On 11/7/25 07:37, Jason Gunthorpe wrote: > The fix to whatever this is should be in ib_nl_is_good_ip_resp(). nla_parse_deprecated returns success if attrs are missing? Other callers also check for their expected attrs to be present in tb, after checking nla_parse_deprecated()'s return code. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep() 2025-11-07 19:11 ` Vlad Dumitrescu @ 2025-11-07 19:17 ` Jason Gunthorpe 2025-11-07 19:58 ` Kriish Sharma 0 siblings, 1 reply; 8+ messages in thread From: Jason Gunthorpe @ 2025-11-07 19:17 UTC (permalink / raw) To: Vlad Dumitrescu Cc: Kriish Sharma, Leon Romanovsky, Parav Pandit, Edward Srouji, linux-rdma, linux-kernel, syzbot+938fcd548c303fe33c1a On Fri, Nov 07, 2025 at 11:11:40AM -0800, Vlad Dumitrescu wrote: > On 11/7/25 07:37, Jason Gunthorpe wrote: > > The fix to whatever this is should be in ib_nl_is_good_ip_resp(). > > nla_parse_deprecated returns success if attrs are missing? > > Other callers also check for their expected attrs to be present in tb, > after checking nla_parse_deprecated()'s return code. That sounds like the trouble then, the check for tb presence should be added to the ib_nl_is_good_ip_resp.. Jason ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep() 2025-11-07 19:17 ` Jason Gunthorpe @ 2025-11-07 19:58 ` Kriish Sharma 2025-11-07 21:06 ` Vlad Dumitrescu 0 siblings, 1 reply; 8+ messages in thread From: Kriish Sharma @ 2025-11-07 19:58 UTC (permalink / raw) To: Jason Gunthorpe Cc: Vlad Dumitrescu, Leon Romanovsky, Parav Pandit, Edward Srouji, linux-rdma, linux-kernel, syzbot+938fcd548c303fe33c1a Should I prepare and send a patch that adds the suggested check in ib_nl_is_good_ip_resp() as Vlad mentioned? On Sat, Nov 8, 2025 at 12:47 AM Jason Gunthorpe <jgg@ziepe.ca> wrote: > > On Fri, Nov 07, 2025 at 11:11:40AM -0800, Vlad Dumitrescu wrote: > > On 11/7/25 07:37, Jason Gunthorpe wrote: > > > The fix to whatever this is should be in ib_nl_is_good_ip_resp(). > > > > nla_parse_deprecated returns success if attrs are missing? > > > > Other callers also check for their expected attrs to be present in tb, > > after checking nla_parse_deprecated()'s return code. > > That sounds like the trouble then, the check for tb presence should be > added to the ib_nl_is_good_ip_resp.. > > Jason ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep() 2025-11-07 19:58 ` Kriish Sharma @ 2025-11-07 21:06 ` Vlad Dumitrescu 2025-11-08 3:48 ` Kriish Sharma 0 siblings, 1 reply; 8+ messages in thread From: Vlad Dumitrescu @ 2025-11-07 21:06 UTC (permalink / raw) To: Kriish Sharma, Jason Gunthorpe Cc: Leon Romanovsky, Parav Pandit, Edward Srouji, linux-rdma, linux-kernel, syzbot+938fcd548c303fe33c1a On 11/7/25 11:58, Kriish Sharma wrote: > Should I prepare and send a patch that adds the suggested check in > ib_nl_is_good_ip_resp() as Vlad mentioned? From my p.o.v., feel free to send it. Can we have syzkaller test it? Thanks! ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep() 2025-11-07 21:06 ` Vlad Dumitrescu @ 2025-11-08 3:48 ` Kriish Sharma 0 siblings, 0 replies; 8+ messages in thread From: Kriish Sharma @ 2025-11-08 3:48 UTC (permalink / raw) To: Vlad Dumitrescu Cc: Jason Gunthorpe, Leon Romanovsky, Parav Pandit, Edward Srouji, linux-rdma, linux-kernel, syzbot+938fcd548c303fe33c1a Hi Vlad, Jason, Thanks for the confirmation. I’ve sent a v2 patch incorporating the suggested check in ib_nl_is_good_ip_resp(). link to v2 : https://lore.kernel.org/all/20251108034336.2100529-1-kriish.sharma2006@gmail.com/ On Sat, Nov 8, 2025 at 2:36 AM Vlad Dumitrescu <vdumitrescu@nvidia.com> wrote: > Can we have syzkaller test it? It has been tested with syzbot, and no KMSAN or other alarms were raised. Best regards, Kriish ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2025-11-08 3:48 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-11-07 4:10 [PATCH] RDMA/core: Fix uninitialized gid in ib_nl_process_good_ip_rsep() Kriish Sharma 2025-11-07 15:37 ` Jason Gunthorpe 2025-11-07 18:13 ` Kriish Sharma 2025-11-07 19:11 ` Vlad Dumitrescu 2025-11-07 19:17 ` Jason Gunthorpe 2025-11-07 19:58 ` Kriish Sharma 2025-11-07 21:06 ` Vlad Dumitrescu 2025-11-08 3:48 ` Kriish Sharma
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox