Re: [PATCH] skbuff: fix uninit-value in nr_route_frame

From: Eric Dumazet
Date: Sun Mar 03 2024 - 08:53:34 EST


On Sun, Mar 3, 2024 at 2:24 PM Edward Adam Davis <eadavis@xxxxxx> wrote:
>
> [Syzbot reported]
> BUG: KMSAN: uninit-value in nr_route_frame+0x4a9/0xfc0 net/netrom/nr_route.c:787
> nr_route_frame+0x4a9/0xfc0 net/netrom/nr_route.c:787
> nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144
> __netdev_start_xmit include/linux/netdevice.h:4980 [inline]
> netdev_start_xmit include/linux/netdevice.h:4994 [inline]
> xmit_one net/core/dev.c:3547 [inline]
> dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
> __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
> dev_queue_xmit include/linux/netdevice.h:3171 [inline]
> raw_sendmsg+0x64e/0xc10 net/ieee802154/socket.c:299
> ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg net/socket.c:745 [inline]
> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
> __sys_sendmsg net/socket.c:2667 [inline]
> __do_sys_sendmsg net/socket.c:2676 [inline]
> __se_sys_sendmsg net/socket.c:2674 [inline]
> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> Uninit was created at:
> slab_post_alloc_hook mm/slub.c:3819 [inline]
> slab_alloc_node mm/slub.c:3860 [inline]
> kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
> __alloc_skb+0x352/0x790 net/core/skbuff.c:651
> alloc_skb include/linux/skbuff.h:1296 [inline]
> alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
> sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
> sock_alloc_send_skb include/net/sock.h:1855 [inline]
> raw_sendmsg+0x367/0xc10 net/ieee802154/socket.c:282
> ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg net/socket.c:745 [inline]
> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
> __sys_sendmsg net/socket.c:2667 [inline]
> __do_sys_sendmsg net/socket.c:2676 [inline]
> __se_sys_sendmsg net/socket.c:2674 [inline]
> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> [Fix]
> Let's clear all skb data at alloc time.

This can not be serious.

>
> Reported-and-tested-by: syzbot+f770ce3566e60e5573ac@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>


Fix net/netrom instead.