* [syzbot] [net?] KMSAN: uninit-value in validate_xmit_skb @ 2024-01-11 20:27 syzbot 2024-01-11 20:32 ` Eric Dumazet 0 siblings, 1 reply; 3+ messages in thread From: syzbot @ 2024-01-11 20:27 UTC (permalink / raw) To: davem, edumazet, kuba, linux-kernel, netdev, pabeni, syzkaller-bugs, willemdebruijn.kernel Hello, syzbot found the following issue on: HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org.. git tree: upstream console+strace: https://syzkaller.appspot.com/x/log.txt?x=1135ab95e80000 kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3 dashboard link: https://syzkaller.appspot.com/bug?extid=7f4d0ea3df4d4fa9a65f compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15e15379e80000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=170f6981e80000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+7f4d0ea3df4d4fa9a65f@syzkaller.appspotmail.com ===================================================== BUG: KMSAN: uninit-value in skb_gso_segment include/net/gso.h:83 [inline] BUG: KMSAN: uninit-value in validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629 __dev_queue_xmit+0x1eac/0x5130 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 packet_alloc_skb net/packet/af_packet.c:2936 [inline] packet_snd net/packet/af_packet.c:3030 [inline] packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5025 Comm: syz-executor279 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 ===================================================== --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [syzbot] [net?] KMSAN: uninit-value in validate_xmit_skb 2024-01-11 20:27 [syzbot] [net?] KMSAN: uninit-value in validate_xmit_skb syzbot @ 2024-01-11 20:32 ` Eric Dumazet 2024-01-11 20:32 ` syzbot 0 siblings, 1 reply; 3+ messages in thread From: Eric Dumazet @ 2024-01-11 20:32 UTC (permalink / raw) To: syzbot Cc: davem, kuba, linux-kernel, netdev, pabeni, syzkaller-bugs, willemdebruijn.kernel On Thu, Jan 11, 2024 at 9:27 PM syzbot <syzbot+7f4d0ea3df4d4fa9a65f@syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following issue on: > > HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org.. > git tree: upstream > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1135ab95e80000 > kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3 > dashboard link: https://syzkaller.appspot.com/bug?extid=7f4d0ea3df4d4fa9a65f > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15e15379e80000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=170f6981e80000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz > kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+7f4d0ea3df4d4fa9a65f@syzkaller.appspotmail.com > > ===================================================== > BUG: KMSAN: uninit-value in skb_gso_segment include/net/gso.h:83 [inline] > BUG: KMSAN: uninit-value in validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629 > skb_gso_segment include/net/gso.h:83 [inline] > validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629 > __dev_queue_xmit+0x1eac/0x5130 net/core/dev.c:4341 > dev_queue_xmit include/linux/netdevice.h:3134 [inline] > packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 > packet_snd net/packet/af_packet.c:3087 [inline] > packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 > sock_sendmsg_nosec net/socket.c:730 [inline] > __sock_sendmsg net/socket.c:745 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 > __sys_sendmsg net/socket.c:2667 [inline] > __do_sys_sendmsg net/socket.c:2676 [inline] > __se_sys_sendmsg net/socket.c:2674 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x63/0x6b > > Uninit was created at: > slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 > slab_alloc_node mm/slub.c:3478 [inline] > kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 > kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 > __alloc_skb+0x318/0x740 net/core/skbuff.c:651 > alloc_skb include/linux/skbuff.h:1286 [inline] > alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 > sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 > packet_alloc_skb net/packet/af_packet.c:2936 [inline] > packet_snd net/packet/af_packet.c:3030 [inline] > packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 > sock_sendmsg_nosec net/socket.c:730 [inline] > __sock_sendmsg net/socket.c:745 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 > __sys_sendmsg net/socket.c:2667 [inline] > __do_sys_sendmsg net/socket.c:2676 [inline] > __se_sys_sendmsg net/socket.c:2674 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x63/0x6b > > CPU: 0 PID: 5025 Comm: syz-executor279 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 > ===================================================== > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > If the report is already addressed, let syzbot know by replying with: > #syz fix: exact-commit-title > > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. > > If you want to overwrite report's subsystems, reply with: > #syz set subsystems: new-subsystem > (See the list of subsystem names on the web dashboard) > > If the report is a duplicate of another one, reply with: > #syz dup: exact-subject-of-another-report > > If you want to undo deduplication, reply with: > #syz undup #syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master ``` diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index 27cc1d4643219a44c01a2404124cd45ef46f7f3d..4dfa9b69ca8d95d43e44831bc166eadbe5715d3c 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -3,6 +3,8 @@ #define _LINUX_VIRTIO_NET_H #include <linux/if_vlan.h> +#include <linux/ip.h> +#include <linux/ipv6.h> #include <linux/udp.h> #include <uapi/linux/tcp.h> #include <uapi/linux/virtio_net.h> @@ -49,6 +51,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, const struct virtio_net_hdr *hdr, bool little_endian) { + unsigned int nh_min_len = sizeof(struct iphdr); unsigned int gso_type = 0; unsigned int thlen = 0; unsigned int p_off = 0; @@ -65,6 +68,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, gso_type = SKB_GSO_TCPV6; ip_proto = IPPROTO_TCP; thlen = sizeof(struct tcphdr); + nh_min_len = sizeof(struct ipv6hdr); break; case VIRTIO_NET_HDR_GSO_UDP: gso_type = SKB_GSO_UDP; @@ -100,7 +104,8 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, if (!skb_partial_csum_set(skb, start, off)) return -EINVAL; - p_off = skb_transport_offset(skb) + thlen; + nh_min_len = max_t(u32, nh_min_len, skb_transport_offset(skb)); + p_off = nh_min_len + thlen; if (!pskb_may_pull(skb, p_off)) return -EINVAL; } else { @@ -140,7 +145,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, skb_set_transport_header(skb, keys.control.thoff); } else if (gso_type) { - p_off = thlen; + p_off = nh_min_len + thlen; if (!pskb_may_pull(skb, p_off)) return -EINVAL; } ``` ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [syzbot] [net?] KMSAN: uninit-value in validate_xmit_skb 2024-01-11 20:32 ` Eric Dumazet @ 2024-01-11 20:32 ` syzbot 0 siblings, 0 replies; 3+ messages in thread From: syzbot @ 2024-01-11 20:32 UTC (permalink / raw) To: edumazet Cc: davem, edumazet, kuba, linux-kernel, netdev, pabeni, syzkaller-bugs, willemdebruijn.kernel > On Thu, Jan 11, 2024 at 9:27 PM syzbot > <syzbot+7f4d0ea3df4d4fa9a65f@syzkaller.appspotmail.com> wrote: >> >> Hello, >> >> syzbot found the following issue on: >> >> HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org.. >> git tree: upstream >> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1135ab95e80000 >> kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3 >> dashboard link: https://syzkaller.appspot.com/bug?extid=7f4d0ea3df4d4fa9a65f >> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15e15379e80000 >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=170f6981e80000 >> >> Downloadable assets: >> disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz >> vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz >> kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz >> >> IMPORTANT: if you fix the issue, please add the following tag to the commit: >> Reported-by: syzbot+7f4d0ea3df4d4fa9a65f@syzkaller.appspotmail.com >> >> ===================================================== >> BUG: KMSAN: uninit-value in skb_gso_segment include/net/gso.h:83 [inline] >> BUG: KMSAN: uninit-value in validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629 >> skb_gso_segment include/net/gso.h:83 [inline] >> validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629 >> __dev_queue_xmit+0x1eac/0x5130 net/core/dev.c:4341 >> dev_queue_xmit include/linux/netdevice.h:3134 [inline] >> packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 >> packet_snd net/packet/af_packet.c:3087 [inline] >> packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 >> sock_sendmsg_nosec net/socket.c:730 [inline] >> __sock_sendmsg net/socket.c:745 [inline] >> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 >> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 >> __sys_sendmsg net/socket.c:2667 [inline] >> __do_sys_sendmsg net/socket.c:2676 [inline] >> __se_sys_sendmsg net/socket.c:2674 [inline] >> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 >> do_syscall_x64 arch/x86/entry/common.c:52 [inline] >> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 >> entry_SYSCALL_64_after_hwframe+0x63/0x6b >> >> Uninit was created at: >> slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 >> slab_alloc_node mm/slub.c:3478 [inline] >> kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 >> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 >> __alloc_skb+0x318/0x740 net/core/skbuff.c:651 >> alloc_skb include/linux/skbuff.h:1286 [inline] >> alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 >> sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 >> packet_alloc_skb net/packet/af_packet.c:2936 [inline] >> packet_snd net/packet/af_packet.c:3030 [inline] >> packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 >> sock_sendmsg_nosec net/socket.c:730 [inline] >> __sock_sendmsg net/socket.c:745 [inline] >> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 >> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 >> __sys_sendmsg net/socket.c:2667 [inline] >> __do_sys_sendmsg net/socket.c:2676 [inline] >> __se_sys_sendmsg net/socket.c:2674 [inline] >> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 >> do_syscall_x64 arch/x86/entry/common.c:52 [inline] >> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 >> entry_SYSCALL_64_after_hwframe+0x63/0x6b >> >> CPU: 0 PID: 5025 Comm: syz-executor279 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 >> ===================================================== >> >> >> --- >> This report is generated by a bot. It may contain errors. >> See https://goo.gl/tpsmEJ for more information about syzbot. >> syzbot engineers can be reached at syzkaller@googlegroups.com. >> >> syzbot will keep track of this issue. See: >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot. >> >> If the report is already addressed, let syzbot know by replying with: >> #syz fix: exact-commit-title >> >> If you want syzbot to run the reproducer, reply with: >> #syz test: git://repo/address.git branch-or-commit-hash >> If you attach or paste a git patch, syzbot will apply it before testing. >> >> If you want to overwrite report's subsystems, reply with: >> #syz set subsystems: new-subsystem >> (See the list of subsystem names on the web dashboard) >> >> If the report is a duplicate of another one, reply with: >> #syz dup: exact-subject-of-another-report >> >> If you want to undo deduplication, reply with: >> #syz undup > > #syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git want either no args or 2 args (repo, branch), got 1 > master > > ``` > diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h > index 27cc1d4643219a44c01a2404124cd45ef46f7f3d..4dfa9b69ca8d95d43e44831bc166eadbe5715d3c > 100644 > --- a/include/linux/virtio_net.h > +++ b/include/linux/virtio_net.h > @@ -3,6 +3,8 @@ > #define _LINUX_VIRTIO_NET_H > > #include <linux/if_vlan.h> > +#include <linux/ip.h> > +#include <linux/ipv6.h> > #include <linux/udp.h> > #include <uapi/linux/tcp.h> > #include <uapi/linux/virtio_net.h> > @@ -49,6 +51,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, > const struct virtio_net_hdr *hdr, > bool little_endian) > { > + unsigned int nh_min_len = sizeof(struct iphdr); > unsigned int gso_type = 0; > unsigned int thlen = 0; > unsigned int p_off = 0; > @@ -65,6 +68,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, > gso_type = SKB_GSO_TCPV6; > ip_proto = IPPROTO_TCP; > thlen = sizeof(struct tcphdr); > + nh_min_len = sizeof(struct ipv6hdr); > break; > case VIRTIO_NET_HDR_GSO_UDP: > gso_type = SKB_GSO_UDP; > @@ -100,7 +104,8 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, > if (!skb_partial_csum_set(skb, start, off)) > return -EINVAL; > > - p_off = skb_transport_offset(skb) + thlen; > + nh_min_len = max_t(u32, nh_min_len, skb_transport_offset(skb)); > + p_off = nh_min_len + thlen; > if (!pskb_may_pull(skb, p_off)) > return -EINVAL; > } else { > @@ -140,7 +145,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, > > skb_set_transport_header(skb, keys.control.thoff); > } else if (gso_type) { > - p_off = thlen; > + p_off = nh_min_len + thlen; > if (!pskb_may_pull(skb, p_off)) > return -EINVAL; > } > ``` ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-01-11 20:32 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-01-11 20:27 [syzbot] [net?] KMSAN: uninit-value in validate_xmit_skb syzbot 2024-01-11 20:32 ` Eric Dumazet 2024-01-11 20:32 ` syzbot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).