Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp319458pxb;
        Sat, 10 Apr 2021 04:03:10 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzrDnB5zozkI61tzQa0zOiDyDxFWR+mcfk3ce7kbDoBb9iV9JAmE3qeLOsUu7zWaD4YkhQI
X-Received: by 2002:a17:90b:1b52:: with SMTP id nv18mr18247550pjb.182.1618052590664;
        Sat, 10 Apr 2021 04:03:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1618052590; cv=none;
        d=google.com; s=arc-20160816;
        b=glKa5lmjteS9KIKzNYaylImeoTGB8lbWweoBs4dZbGP8T0M5pM5upl0G6w9TEkSKHF
         U610weUzt49ZThize6p+ba8ROL5dz712T5TvQUQj8IqN9H1YdHJAy9RFESJ2/aTRZbjM
         Zp4b5DhhTMFUAWs4FXohn5i/lcHL1JrR0nfSyC3Whb4L+VdR4xTH0EjGCIrk2o6xs9MA
         HjIoCYGNsbeLJmSAmbWDbiKvrePmzf/jexL0yUki8cgPQ6jWZM94dzYJWcZ52Y7HyG5k
         Pe8DjVnIm0QZyr85Xs9pOIuqfsVAUtHXUCVcP9U8y2qhS+4fDizp+A8ROBhgSr43HY8H
         7dHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=J8DQJVSaUjQNGe8Y0lpiq/r3H4nNp7NGhGr+XrWaz+c=;
        b=K917zKchI8Lo+RAntotRMFknGVPYbYzhr38oITbDtT0oVTIPsJclEox7ImCZgnaQuK
         Wrbs0AjQFfH4UbYBIkd9yr70nEwsZ/KrJQ5fTXk78AYSrc2fL7Wgl4L7YzoYEWS13imw
         ttM5pAMG23jY72JL4abKAPjAraDee7fPd4Zt6zjoFL0lfLee6cpv3uBq9W0xwJxYmY5i
         2EK0RYdespyqap5xd7EQS9tNAnw/229YB/uGdH3E+oOwGzw2GO6HgFMY/6ry9WbBmKkn
         CdcdlOdJRRzuCDiZnOngY/5wMelem5HcKWCchPee+AGTYPy3A6EEg1dB7eqe2kxXSHDQ
         0f+w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=VTnHXX+o;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id t2si5955086pjw.107.2021.04.10.04.02.58;
        Sat, 10 Apr 2021 04:03:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=VTnHXX+o;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234660AbhDJLBC (ORCPT <rfc822;linux.s.jambekar@gmail.com>
        + 99 others); Sat, 10 Apr 2021 07:01:02 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40044 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234180AbhDJLBB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 10 Apr 2021 07:01:01 -0400
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E5D3C061762
        for <linux-kernel@vger.kernel.org>; Sat, 10 Apr 2021 04:00:46 -0700 (PDT)
Received: by mail-yb1-xb36.google.com with SMTP id l14so3205644ybf.11
        for <linux-kernel@vger.kernel.org>; Sat, 10 Apr 2021 04:00:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=J8DQJVSaUjQNGe8Y0lpiq/r3H4nNp7NGhGr+XrWaz+c=;
        b=VTnHXX+osSuBIin2yn6F5r0CcGi/2W+Iz6nLwwnYQ5ot6ENNNyz5LsdmLgc7uTv9lA
         xdaXlzUBBmkw0v3PAJ1IoFWmMlHiI184t/6q4E6bSuA7LyisSQDLCcE9dy7KsXDCKCWj
         qrR6uGRvjp3z4OuoBhifMB8YpoxjNruKph8YV6VGuydhNuO+RQvIsRe4vDse6HvpNQsF
         d50lR8H57npELrzb0NSvukXpGdoLjdtTX8VGl9SwWRAXUk+b6Eu8x3mOUegs+nVorXns
         zFvAJdHtCfcGwgxgE7CZogwwRH1gNY3t8QIGIWLnF+yf2gOawvpEhrW6ZvpYhwpiq92O
         77jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=J8DQJVSaUjQNGe8Y0lpiq/r3H4nNp7NGhGr+XrWaz+c=;
        b=KaL5zddyApSIBQGpm8h+D2jPDVDCoxKevl+A+uoHYZmtgqdgaPnaR6+UQLW1EtAmZV
         cA7i6AQcE+NqyGQNudXTrxSmLYHWMbYBpWOiS+ijS3jjPd11txscpoSH9HlRILrBHXX5
         0wcxw7qTXAsCQS8CjcpdqhjtNwE1eeQSRiWpAmIIsuBv1OQjORXamMhg47MNw11hLobG
         L2ee0BwbKWMfL6NmXUqTcC6tFSXiJOe9x0zKQVCFkRdHKRejg7GkO8jkVWje63TOLEJp
         IE+OXnYoekJoRnRfAhUDvPHsDZ4U8V4UqkXm9oBMSVP95h/9168c+GYb+8fKk1OImgjQ
         Zg7Q==
X-Gm-Message-State: AOAM533Y/OyA6qm0G4MeMMfL2xKDjSobSR5s27GKVXgHuYxhuDJkDkaK
        E95Ujx/mBKMq3ttGktBGK0N0vgS3/SySrUF/AHyZ/w==
X-Received: by 2002:a25:b906:: with SMTP id x6mr23305699ybj.504.1618052445594;
 Sat, 10 Apr 2021 04:00:45 -0700 (PDT)
MIME-Version: 1.0
References: <20210410095149.3708143-1-phil@philpotter.co.uk> <CANn89iJdoaC9P_Nd=BrXVRyMS43YOg-DX=VciDO89mH_JPVRTg@mail.gmail.com>
In-Reply-To: <CANn89iJdoaC9P_Nd=BrXVRyMS43YOg-DX=VciDO89mH_JPVRTg@mail.gmail.com>
From:   Eric Dumazet <edumazet@google.com>
Date:   Sat, 10 Apr 2021 13:00:34 +0200
Message-ID: <CANn89iK4HuKv4AgY5PPWGEEihNEFxGhhqpBp7zv-FfCcJyboDg@mail.gmail.com>
Subject: Re: [PATCH] net: core: sk_buff: zero-fill skb->data in __alloc_skb function
To:     Phillip Potter <phil@philpotter.co.uk>
Cc:     David Miller <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>,
        Willem de Bruijn <willemb@google.com>,
        linmiaohe <linmiaohe@huawei.com>,
        Yunsheng Lin <linyunsheng@huawei.com>,
        Alexander Lobakin <alobakin@pm.me>,
        Marco Elver <elver@google.com>,
        Guillaume Nault <gnault@redhat.com>,
        Dongseok Yi <dseok.yi@samsung.com>,
        Al Viro <viro@zeniv.linux.org.uk>, vladimir.oltean@nxp.com,
        netdev <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Apr 10, 2021 at 12:12 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Sat, Apr 10, 2021 at 11:51 AM Phillip Potter <phil@philpotter.co.uk> wrote:
> >
> > Zero-fill skb->data in __alloc_skb function of net/core/skbuff.c,
> > up to start of struct skb_shared_info bytes. Fixes a KMSAN-found
> > uninit-value bug reported by syzbot at:
> > https://syzkaller.appspot.com/bug?id=abe95dc3e3e9667fc23b8d81f29ecad95c6f106f
> >
> > Reported-by: syzbot+2e406a9ac75bb71d4b7a@syzkaller.appspotmail.com
> > Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
> > ---
> >  net/core/skbuff.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> > index 785daff48030..9ac26cdb5417 100644
> > --- a/net/core/skbuff.c
> > +++ b/net/core/skbuff.c
> > @@ -215,6 +215,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
> >          * to allow max possible filling before reallocation.
> >          */
> >         size = SKB_WITH_OVERHEAD(ksize(data));
> > +       memset(data, 0, size);
> >         prefetchw(data + size);
>
>
> Certainly not.
>
> There is a difference between kmalloc() and kzalloc()
>
> Here you are basically silencing KMSAN and make it useless.
>
> Please fix the real issue, or stop using KMSAN if it bothers you.

My understanding of the KMSAN bug (when I released it months ago) was
that it was triggered by some invalid assumptions in geneve_xmit()

The syzbot repro sends a packet with a very small size (Ethernet
header only) and no IP/IPv6 header

Fix for ipv4 part (sorry, not much time during week end to test all this)

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index e3b2375ac5eb55f544bbc1f309886cc9be189fd1..0a72779bc74bc50c20c34c05b2c525cca829f33c
100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -892,6 +892,9 @@ static int geneve_xmit_skb(struct sk_buff *skb,
struct net_device *dev,
        __be16 sport;
        int err;

+       if (!pskb_network_may_pull(skb, sizeof(struct iphdr))
+               return -EINVAL;
+
        sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
        rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
                              geneve->cfg.info.key.tp_dst, sport);