From: David Miller
Subject: Re: [PATCH net-next] tipc: eliminate complaint of KMSAN uninit-value in tipc_conn_rcv_sub
Date: Sat, 19 May 2018 23:00:21 -0400 (EDT)
Message-ID: <20180519.230021.538446373514892322.davem@davemloft.net>
In-Reply-To: <1526644255-9182-1-git-send-email-ying.xue@windriver.com>
To: ying.xue@windriver.com
Cc: netdev@vger.kernel.org, jon.maloy@ericsson.com, syzkaller-bugs@googlegroups.com, tipc-discussion@lists.sourceforge.net

From: Ying Xue
Date: Fri, 18 May 2018 19:50:55 +0800

> As variable s of struct tipc_subscr type is not initialized
> in tipc_conn_rcv_from_sock() before it is used in tipc_conn_rcv_sub(),
> KMSAN reported the following uninit-value type complaint:

I agree with others that the short read is the bug.

You need to decide what should happen if a full tipc_subscr object is not obtained from the sock_recvmsg() call.

Proceeding to pass it on to tipc_conn_rcv_sub() cannot possibly be correct. You're not getting what you are expecting from the peer, and the memset() you are adding doesn't change that.

And once you get this badly sized read, what does that do to the stream of subsequent recvmsg calls here?
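To illustrate the point about short reads, here is an added example, not code from the mail or from the TIPC kernel sources: a constructed fixed-size record type (a stand-in for struct tipc_subscr) arriving over a stream in chunks that do not line up with record boundaries, consumed once by a reader that treats every read as a whole record and once by a reader that accumulates bytes until a complete record is available. The record layout and chunk sizes are constructed for the example.

```c
/* Added example, not from the mail or the TIPC kernel code: why a short
 * recvmsg()-style read must not be handed on as a complete record.
 * The record layout and the chunk boundaries below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct rec { uint32_t lower, upper, timeout; };   /* constructed stand-in */

/* Constructed byte stream: two complete 12-byte records ... */
static const uint32_t stream_words[] = { 1, 10, 500, 2, 20, 600 };
/* ... delivered by the peer as three 8-byte chunks, none record-aligned. */
static const size_t chunk_len[] = { 8, 8, 8 };

/* Naive consumer: treats whatever one read returned as a full record.
 * The tail of each record stays uninitialised (poisoned here with 0xAA)
 * and every record after the first is read from the wrong offset. */
int naive_consume(struct rec *out, size_t max) {
    const uint8_t *p = (const uint8_t *)stream_words;
    size_t n = 0;
    for (size_t i = 0; i < 3 && n < max; i++) {
        struct rec r;
        memset(&r, 0xAA, sizeof r);   /* stands in for uninitialised stack */
        memcpy(&r, p, chunk_len[i]);  /* short read copied as if complete */
        out[n++] = r;
        p += chunk_len[i];
    }
    return (int)n;
}

/* Hardened consumer: accumulates bytes until a whole record is present and
 * only then hands it on; a trailing partial record is reported as pending. */
int buffered_consume(struct rec *out, size_t max, size_t *pending) {
    const uint8_t *p = (const uint8_t *)stream_words;
    uint8_t buf[sizeof(struct rec)];
    size_t have = 0, n = 0;
    for (size_t i = 0; i < 3; i++) {
        size_t off = 0;
        while (off < chunk_len[i] && n < max) {
            size_t take = sizeof buf - have;           /* bytes still missing */
            if (take > chunk_len[i] - off) take = chunk_len[i] - off;
            memcpy(buf + have, p + off, take);
            have += take; off += take;
            if (have == sizeof buf) { memcpy(&out[n++], buf, sizeof buf); have = 0; }
        }
        p += chunk_len[i];
    }
    *pending = have;   /* non-zero means the stream ended mid-record */
    return (int)n;
}
```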