Subject: Re: KMSAN: uninit-value in can_receive
From: Marc Kleine-Budde
To: Oliver Hartkopp, syzbot, davem@davemloft.net, glider@google.com, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Date: Mon, 18 Nov 2019 22:15:29 +0100
Message-ID: <7f5c4546-0c1a-86ae-581e-0203b5fca446@pengutronix.de>
References: <0000000000005c08d10597a3a05d@google.com> <7934bc2b-597f-0bb3-be2d-32f3b07b4de9@hartkopp.net>
In-Reply-To: <7934bc2b-597f-0bb3-be2d-32f3b07b4de9@hartkopp.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/18/19 9:49 PM, Oliver Hartkopp wrote:
>
>
> On 18/11/2019 21.29, Marc Kleine-Budde wrote:
>> On 11/18/19 9:25 PM, Oliver Hartkopp wrote:
>
>>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>>> Reported-by: syzbot+b02ff0707a97e4e79ebb@syzkaller.appspotmail.com
>>>>
>>>> =====================================================
>>>> BUG: KMSAN: uninit-value in can_receive+0x23c/0x5e0 net/can/af_can.c:649
>>>> CPU: 1 PID: 3490 Comm: syz-executor.2 Not tainted 5.4.0-rc5+ #0
>
>>>
>>> In line 649 of 5.4.0-rc5+ we can find a while() statement:
>>>
>>> while (!(can_skb_prv(skb)->skbcnt))
>>> 	can_skb_prv(skb)->skbcnt = atomic_inc_return(&skbcounter);
>>>
>>> In linux/include/linux/can/skb.h we see:
>>>
>>> static inline struct can_skb_priv *can_skb_prv(struct sk_buff *skb)
>>> {
>>> 	return (struct can_skb_priv *)(skb->head);
>>> }
>>>
>>> IMO accessing can_skb_prv(skb)->skbcnt at this point is a valid
>>> operation which has no uninitialized value.
>>>
>>> Can this probably be a false positive of KMSAN?
>>
>> The packet is injected via the packet socket into the kernel. Where does
>> skb->head point to in this case? When the skb is a proper
>> kernel-generated skb containing a CAN-2.0 or CAN-FD frame skb->head is
>> maybe properly initialized?
>
> The packet is either received via vcan or vxcan which checks via
> can_dropped_invalid_skb() if we have a valid ETH_P_CAN type skb.

According to the call stack it's injected into the kernel via a packet
socket and not via v(x)can.

> We additionally might think about introducing a check whether we have a
> can_skb_reserve() created skbuff.
>
> But even if someone forged a skbuff without this reserved space the
> access to can_skb_prv(skb)->skbcnt would point into some CAN frame
> content - which is still no access to uninitialized content, right?

Marc

--
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
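
The cases weighed in this thread, as an added example that is not part of the original message and is not kernel code: a userspace model of a buffer whose private area sits at `head`, with a guard in front of the `skbcnt` assignment. All `model_*` names and the `priv_written` flag (standing in for KMSAN's shadow state) are hypothetical, and it is an assumption of the model that an injected buffer's headroom was never written.

```c
#include <stdlib.h>
#include <string.h>

/* Userspace model; every model_* name is hypothetical, not kernel API. */
struct model_priv { int ifindex; int skbcnt; };
struct model_skb {
    unsigned char *head, *data;  /* buffer start, payload start */
    int priv_written;            /* stands in for KMSAN shadow state */
};
enum priv_state { PRIV_OK, PRIV_OVERLAPS_FRAME, PRIV_UNINIT };

/* Same shape as the accessor quoted in the thread: priv sits at head. */
static struct model_priv *model_prv(struct model_skb *skb)
{
    return (struct model_priv *)skb->head;
}

/* Only the CAN-style path (reserve_priv != 0) reserves and zeroes priv. */
static int model_alloc(struct model_skb *skb, size_t headroom,
                       size_t payload, int reserve_priv)
{
    if (reserve_priv && headroom < sizeof(struct model_priv))
        headroom = sizeof(struct model_priv);
    skb->head = malloc(headroom + payload);
    if (!skb->head)
        return -1;
    skb->data = skb->head + headroom;
    skb->priv_written = reserve_priv;
    if (reserve_priv)
        memset(skb->head, 0, sizeof(struct model_priv));
    return 0;
}

static enum priv_state model_classify(const struct model_skb *skb)
{
    if ((size_t)(skb->data - skb->head) < sizeof(struct model_priv))
        return PRIV_OVERLAPS_FRAME;     /* priv would alias frame content */
    return skb->priv_written ? PRIV_OK : PRIV_UNINIT;
}

/* Guarded form of the counter assignment: drop unless priv is trustworthy. */
static int model_receive(struct model_skb *skb, int *counter)
{
    if (model_classify(skb) != PRIV_OK)
        return -1;
    while (!model_prv(skb)->skbcnt)
        model_prv(skb)->skbcnt = ++*counter;
    return model_prv(skb)->skbcnt;
}
```

The model separates the two situations raised above: a buffer with no reserved space, where the private area aliases frame content, and a buffer with enough headroom that was never initialized.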