Date: Thu, 13 Sep 2018 18:19:29 +0200
From: Guillaume Nault
To: Alexander Potapenko
Cc: Eric Dumazet, syzbot+f5f6080811c849739212@syzkaller.appspotmail.com, LKML, mostrows@earthlink.net, Networking, syzkaller-bugs@googlegroups.com
Subject: Re: KMSAN: uninit-value in pppoe_rcv
Message-ID: <20180913161929.GA1507@alphalink.fr>
References: <0000000000004624c30575a9fd40@google.com> <7424e094-afda-084a-ad80-299f219ced92@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 13, 2018 at 04:12:38PM +0200, Alexander Potapenko wrote:
> On Thu, Sep 13, 2018 at 3:57 PM Eric Dumazet wrote:
> >
> > On 09/12/2018 03:38 AM, Alexander Potapenko wrote:
> > > On Wed, Sep 12, 2018 at 12:24 PM syzbot wrote:
> > >>
> > >> Hello,
> > >>
> > >> syzbot found the following crash on:
> > >>
> > >> HEAD commit:    d2d741e5d189 kmsan: add initialization for shmem pages
> > >> git tree:       https://github.com/google/kmsan.git/master
> > >> console output: https://syzkaller.appspot.com/x/log.txt?x=1465fc37800000
> > >> kernel config:  https://syzkaller.appspot.com/x/.config?x=48f9de3384bcd0f
> > >> dashboard link: https://syzkaller.appspot.com/bug?extid=f5f6080811c849739212
> > >> compiler:       clang version 7.0.0 (trunk 329391)
> > >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14d6e607800000
> > >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10a15b5b800000
> > >>
> > >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > >> Reported-by: syzbot+f5f6080811c849739212@syzkaller.appspotmail.com
> > >>
> > >> IPVS: ftp: loaded support on port[0] = 21
> > >> ==================================================================
> > >> BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline]
> > >> BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline]
> > >> BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
> > >> CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87
> > >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > >> Call Trace:
> > >>  __dump_stack lib/dump_stack.c:17 [inline]
> > >>  dump_stack+0x185/0x1d0 lib/dump_stack.c:53
> > >>  kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
> > >>  __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
> > >>  __get_item drivers/net/ppp/pppoe.c:172 [inline]
> > >>  get_item drivers/net/ppp/pppoe.c:236 [inline]
> > >>  pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
> > >>  __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562
> > >>  __netif_receive_skb net/core/dev.c:4627 [inline]
> > >>  netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
> > >>  netif_receive_skb+0x230/0x240 net/core/dev.c:4725
> > >>  tun_rx_batched drivers/net/tun.c:1555 [inline]
> > >>  tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962
> > >>  tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
> > >>  call_write_iter include/linux/fs.h:1782 [inline]
> > >>  new_sync_write fs/read_write.c:469 [inline]
> > >>  __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
> > >>  vfs_write+0x463/0x8d0 fs/read_write.c:544
> > >>  SYSC_write+0x172/0x360 fs/read_write.c:589
> > >>  SyS_write+0x55/0x80 fs/read_write.c:581
> > >>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
> > >>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> > >> RIP: 0033:0x4447c9
> > >> RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
> > >> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9
> > >> RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004
> > >> RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda
> > >> R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0
> > >> R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
> > >>
> > >> Uninit was created at:
> > >>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
> > >>  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
> > >>  kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
> > >>  kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
> > >>  slab_post_alloc_hook mm/slab.h:445 [inline]
> > >>  slab_alloc_node mm/slub.c:2737 [inline]
> > >>  __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
> > >>  __kmalloc_reserve net/core/skbuff.c:138 [inline]
> > >>  __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
> > >>  alloc_skb include/linux/skbuff.h:984 [inline]
> > >>  alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
> > >>  sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
> > >>  tun_alloc_skb drivers/net/tun.c:1532 [inline]
> > >>  tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829
> > >>  tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
> > >>  call_write_iter include/linux/fs.h:1782 [inline]
> > >>  new_sync_write fs/read_write.c:469 [inline]
> > >>  __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
> > >>  vfs_write+0x463/0x8d0 fs/read_write.c:544
> > >>  SYSC_write+0x172/0x360 fs/read_write.c:589
> > >>  SyS_write+0x55/0x80 fs/read_write.c:581
> > >>  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
> > >>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> > >> ==================================================================
> > > I did a little digging before sending the bug upstream.
> > > If I add memset(obj, 0xfe, size) to __kmalloc_reserve(), these 0xfe
> > > bytes are visible in __get_item() at the place where KMSAN reports an
> > > error.
> > >
> > > The problem is somehow related to tun_get_user() creating a fragmented
> > > sk_buff - when I change the call to tun_alloc_skb() so that it
> > > allocates a single buffer the bug goes away.
> > >
> >
> > I guess the following patch would fix the issue
> >
> > (I will submit it more formally)
> No, as far as I can see it doesn't.
> Saving sid before __skb_pull() is still a good idea, but in this
> particular case |ph| doesn't change.
Yes, we probably need to save sid.
But I think the problem found by syzbot is related to eth_hdr(skb)->h_source.

PPPoE expects that the Ethernet header has already been parsed and is
accessible at skb_mac_header(skb). But here skb_mac_header(skb) == skb->data,
and we may pull only 6 bytes (sizeof(struct pppoe_hdr)). Therefore
eth_hdr(skb)->h_source points past skb's head length.

Not sure if something needs to be changed in tun.c for properly setting
skb_mac_header. But PPPoE has no reason to consider packets from
non-Ethernet devices anyway.
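The offset arithmetic behind Guillaume's diagnosis, as an added user-space model (not kernel code and not part of this thread): struct model_skb, tap_layout(), tun_layout() and the two receive-check functions are hypothetical stand-ins for the sk_buff fields pppoe_rcv() depends on, and the constants mirror the kernel's ETH_HLEN, ETH_ALEN and ARPHRD_* values. It contrasts a TAP-style layout, where eth_type_trans() left a 14-byte Ethernet header before skb->data, with the TUN-style layout from the report, where mac_header == data and only the 6-byte PPPoE header was pulled, so reading h_source runs past the initialised bytes.

```c
#include <stdbool.h>
#include <stddef.h>

#define ETH_ALEN     6      /* values as in <linux/if_ether.h> and <linux/if_arp.h> */
#define ETH_HLEN     14
#define PPPOE_HLEN   6      /* sizeof(struct pppoe_hdr) */
#define ARPHRD_ETHER 1
#define ARPHRD_NONE  0xFFFE /* device type an IFF_TUN device reports */

/* Hypothetical stand-in for the few sk_buff fields pppoe_rcv() depends on;
 * all offsets are relative to skb->head. */
struct model_skb {
    size_t mac_header; /* skb_mac_header(skb) - skb->head */
    size_t data;       /* skb->data - skb->head */
    size_t headlen;    /* linear bytes guaranteed valid after pskb_may_pull(skb, PPPOE_HLEN) */
    int    dev_type;   /* skb->dev->type */
};

/* Constructed layouts. TAP: the 14-byte Ethernet header was already parsed, so
 * data sits ETH_HLEN past mac_header. TUN (the syzbot case): mac_header == data
 * and only the PPPoE header was pulled. */
static struct model_skb tap_layout(void)
{ struct model_skb s = { 0, ETH_HLEN, ETH_HLEN + PPPOE_HLEN, ARPHRD_ETHER }; return s; }
static struct model_skb tun_layout(void)
{ struct model_skb s = { 0, 0, PPPOE_HLEN, ARPHRD_NONE }; return s; }

/* Is the 6-byte eth_hdr(skb)->h_source read (it follows h_dest) entirely inside
 * the bytes the pull guaranteed? If not, it touches uninitialised head memory. */
static bool h_source_read_ok(const struct model_skb *skb)
{
    return skb->mac_header + ETH_ALEN + ETH_ALEN <= skb->headlen;
}

/* Before: h_source is read unconditionally. Returns true when that read runs
 * past the pulled area, which is the condition KMSAN reported. */
static bool reads_uninit_before(const struct model_skb *skb)
{
    if (skb->headlen < PPPOE_HLEN) return false; /* pskb_may_pull() fails: frame dropped */
    return !h_source_read_ok(skb);
}

/* After: drop frames from non-Ethernet devices (the thread's suggestion) and,
 * as a structural check, any frame whose mac header is not a full ETH_HLEN
 * before skb->data. Returns true only when the frame is safe to look up. */
static bool accept_after(const struct model_skb *skb)
{
    if (skb->dev_type != ARPHRD_ETHER) return false;
    if (skb->mac_header + ETH_HLEN > skb->data) return false;
    if (skb->headlen < PPPOE_HLEN) return false;
    return h_source_read_ok(skb);
}
```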