2019-10-19 08:29:21

by Sven Eckelmann

Subject: Re: KMSAN: uninit-value in batadv_hard_if_event

Hi,

not sure whether this is now a bug in batman-adv or in the rtl8150 driver. See
my comments inline.

On Friday, 18 October 2019 16:12:08 CEST syzbot wrote:
[...]
> usb 1-1: config 0 has no interface number 0
> usb 1-1: New USB device found, idVendor=0411, idProduct=0012,
> bcdDevice=56.5f
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> usb 1-1: config 0 descriptor??
> =====================================================
> BUG: KMSAN: uninit-value in batadv_check_known_mac_addr
> net/batman-adv/hard-interface.c:511 [inline]
> BUG: KMSAN: uninit-value in batadv_hardif_add_interface
> net/batman-adv/hard-interface.c:942 [inline]
> BUG: KMSAN: uninit-value in batadv_hard_if_event+0x23c0/0x3260
> net/batman-adv/hard-interface.c:1032
> CPU: 0 PID: 13223 Comm: kworker/0:3 Not tainted 5.4.0-rc3+ #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> kmsan_report+0x14a/0x2f0 mm/kmsan/kmsan_report.c:109
> __msan_warning+0x73/0xf0 mm/kmsan/kmsan_instr.c:245
> batadv_check_known_mac_addr net/batman-adv/hard-interface.c:511 [inline]
> batadv_hardif_add_interface net/batman-adv/hard-interface.c:942 [inline]
> batadv_hard_if_event+0x23c0/0x3260 net/batman-adv/hard-interface.c:1032
> notifier_call_chain kernel/notifier.c:95 [inline]
[...]

The line in batman-adv is (batadv_check_known_mac_addr):

if (!batadv_compare_eth(hard_iface->net_dev->dev_addr,
                        net_dev->dev_addr))

So it goes through the list of ethernet interfaces (which are currently
attached to a batadv interface) and compares it with the new device's MAC
address. And it seems like the new device doesn't have the MAC address part
initialized yet.

Is this allowed in NETDEV_REGISTER/NETDEV_POST_TYPE_CHANGE?

> Uninit was stored to memory at:
> kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline]
> kmsan_internal_chain_origin+0xbd/0x170 mm/kmsan/kmsan.c:317
> kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:253
> kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:273
> __msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
> set_ethernet_addr drivers/net/usb/rtl8150.c:282 [inline]
> rtl8150_probe+0x1143/0x14a0 drivers/net/usb/rtl8150.c:912

This looks like it should store the mac address at this point.

static inline void set_ethernet_addr(rtl8150_t * dev)
{
	u8 node_id[6];

	get_registers(dev, IDR, sizeof(node_id), node_id);
	memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
}

But it seems more like get_registers failed and the uninitialized data was still
copied to the MAC address, thus causing the KMSAN error in batman-adv.

Is this interpretation of the KMSAN output correct, or am I missing something?

Kind regards,
Sven



2019-10-19 08:31:29

by Alexander Potapenko

Subject: Re: KMSAN: uninit-value in batadv_hard_if_event

On Fri, Oct 18, 2019 at 4:32 PM Sven Eckelmann <[email protected]> wrote:
>
> Hi,
>
> not sure whether this is now a bug in batman-adv or in the rtl8150 driver. See
> my comments inline.
>
> On Friday, 18 October 2019 16:12:08 CEST syzbot wrote:
> [...]
> > usb 1-1: config 0 has no interface number 0
> > usb 1-1: New USB device found, idVendor=0411, idProduct=0012,
> > bcdDevice=56.5f
> > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > usb 1-1: config 0 descriptor??
> > =====================================================
> > BUG: KMSAN: uninit-value in batadv_check_known_mac_addr
> > net/batman-adv/hard-interface.c:511 [inline]
> > BUG: KMSAN: uninit-value in batadv_hardif_add_interface
> > net/batman-adv/hard-interface.c:942 [inline]
> > BUG: KMSAN: uninit-value in batadv_hard_if_event+0x23c0/0x3260
> > net/batman-adv/hard-interface.c:1032
> > CPU: 0 PID: 13223 Comm: kworker/0:3 Not tainted 5.4.0-rc3+ #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> > kmsan_report+0x14a/0x2f0 mm/kmsan/kmsan_report.c:109
> > __msan_warning+0x73/0xf0 mm/kmsan/kmsan_instr.c:245
> > batadv_check_known_mac_addr net/batman-adv/hard-interface.c:511 [inline]
> > batadv_hardif_add_interface net/batman-adv/hard-interface.c:942 [inline]
> > batadv_hard_if_event+0x23c0/0x3260 net/batman-adv/hard-interface.c:1032
> > notifier_call_chain kernel/notifier.c:95 [inline]
> [...]
>
> The line in batman-adv is (batadv_check_known_mac_addr):
>
> if (!batadv_compare_eth(hard_iface->net_dev->dev_addr,
>                         net_dev->dev_addr))
>
> So it goes through the list of ethernet interfaces (which are currently
> attached to a batadv interface) and compares it with the new device's MAC
> address. And it seems like the new device doesn't have the MAC address part
> initialized yet.
>
> Is this allowed in NETDEV_REGISTER/NETDEV_POST_TYPE_CHANGE?
>
> > Uninit was stored to memory at:
> > kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline]
> > kmsan_internal_chain_origin+0xbd/0x170 mm/kmsan/kmsan.c:317
> > kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:253
> > kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:273
> > __msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
> > set_ethernet_addr drivers/net/usb/rtl8150.c:282 [inline]
> > rtl8150_probe+0x1143/0x14a0 drivers/net/usb/rtl8150.c:912
>
> This looks like it should store the mac address at this point.
>
> static inline void set_ethernet_addr(rtl8150_t * dev)
> {
> 	u8 node_id[6];
>
> 	get_registers(dev, IDR, sizeof(node_id), node_id);
> 	memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
> }
>
> But it seems more like get_registers failed and the uninitialized data was still
> copied to the MAC address, thus causing the KMSAN error in batman-adv.
Yes, most such reports are usually because functions like
get_registers() fail or read 0 bytes.

> Is this interpretation of the KMSAN output correct, or am I missing something?
>
> Kind regards,
> Sven



--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Halimah DeLaine Prado
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
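Sven's reading of the report (get_registers() failing and the untouched node_id buffer being copied into dev_addr) and Alexander's confirmation above describe the same defect: the return value of the register read is never checked. The following is an added user-space model of that pattern, not the rtl8150 driver's code or any upstream fix: fake_dev, eeprom_mac and the simulated get_registers() are constructed, and get_registers() is modelled to return the byte count or a negative errno the way usb_control_msg() does.

```c
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define EIO_ERR (-5)               /* stands in for -EIO in this model */

/* Constructed "EEPROM" contents and a hypothetical stand-in for rtl8150_t. */
static const uint8_t eeprom_mac[ETH_ALEN] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
struct fake_dev {
    int fail_read;                 /* 1 = simulate a failed USB control read */
    uint8_t dev_addr[ETH_ALEN];    /* models netdev->dev_addr */
};

/* Modelled get_registers(): like usb_control_msg(), returns the number of
 * bytes transferred or a negative errno, and writes nothing into buf on
 * failure. The quoted driver code ignores this value entirely, which is how
 * the uninitialized node_id[] bytes end up as the MAC address. */
static int get_registers(struct fake_dev *dev, uint8_t *buf, int len)
{
    if (dev->fail_read)
        return EIO_ERR;
    memcpy(buf, eeprom_mac, len);
    return len;
}

/* Hardened variant: accept only a complete read and leave dev_addr untouched
 * otherwise, so probe can fail (or assign a random address) instead of
 * registering a netdev whose MAC is stack garbage. */
static int set_ethernet_addr_checked(struct fake_dev *dev)
{
    uint8_t node_id[ETH_ALEN];
    int ret = get_registers(dev, node_id, sizeof(node_id));
    if (ret != (int)sizeof(node_id))
        return ret < 0 ? ret : EIO_ERR;   /* a short read is a failure too */
    memcpy(dev->dev_addr, node_id, sizeof(node_id));
    return 0;
}

/* Demo: 0 when the EEPROM address was installed, the errno when the read
 * failed and dev_addr stayed zeroed, -1 on any other outcome. */
static int demo_checked(int fail_read)
{
    struct fake_dev dev = { fail_read, {0} };
    int ret = set_ethernet_addr_checked(&dev);
    if (ret == 0)
        return memcmp(dev.dev_addr, eeprom_mac, ETH_ALEN) == 0 ? 0 : -1;
    return dev.dev_addr[0] == 0 ? ret : -1;
}
```

With the check in place a failed USB read surfaces as a probe error rather than as a KMSAN report in an unrelated notifier such as batadv_hard_if_event.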