[PATCH] net/netrom: fix uninit-value in nr_route_frame

From: Edward Adam Davis
Date: Mon Mar 04 2024 - 00:10:16 EST

Next message: Jason Wang: "Re: [PATCH v4 5/5] Documentation: Add reconnect process for VDUSE"
Previous message: Yujie Liu: "Re: [linus:master] [readahead] ab4443fe3c: vm-scalability.throughput -21.4% regression"
In reply to: Eric Dumazet: "Re: [PATCH] skbuff: fix uninit-value in nr_route_frame"
Next in thread: Eric Dumazet: "Re: [PATCH] net/netrom: fix uninit-value in nr_route_frame"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Syzbot reported]
BUG: KMSAN: uninit-value in nr_route_frame+0x4a9/0xfc0 net/netrom/nr_route.c:787
nr_route_frame+0x4a9/0xfc0 net/netrom/nr_route.c:787
nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144
__netdev_start_xmit include/linux/netdevice.h:4980 [inline]
netdev_start_xmit include/linux/netdevice.h:4994 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
__dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
raw_sendmsg+0x64e/0xc10 net/ieee802154/socket.c:299
ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
slab_post_alloc_hook mm/slub.c:3819 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
__alloc_skb+0x352/0x790 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1296 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
sock_alloc_send_skb include/net/sock.h:1855 [inline]
raw_sendmsg+0x367/0xc10 net/ieee802154/socket.c:282
ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

[Fix]
Let's clear all skb data at alloc time.

Reported-and-tested-by: syzbot+f770ce3566e60e5573ac@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
net/core/skbuff.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index edbbef563d4d..5ca5a608daec 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -656,6 +656,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
* to allow max possible filling before reallocation.
*/
prefetchw(data + SKB_WITH_OVERHEAD(size));
+ memset(data, 0, size);

/*
* Only clear those fields we need to clear, not those that we will
--
2.43.0

Next message: Jason Wang: "Re: [PATCH v4 5/5] Documentation: Add reconnect process for VDUSE"
Previous message: Yujie Liu: "Re: [linus:master] [readahead] ab4443fe3c: vm-scalability.throughput -21.4% regression"
In reply to: Eric Dumazet: "Re: [PATCH] skbuff: fix uninit-value in nr_route_frame"
Next in thread: Eric Dumazet: "Re: [PATCH] net/netrom: fix uninit-value in nr_route_frame"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]