• Eric Dumazet's avatar
    batman-adv: fix uninit-value in batadv_interface_tx() · 4ffcbfac
    Eric Dumazet authored
    KMSAN reported batadv_interface_tx() was possibly using a
    garbage value [1]
    
    batadv_get_vid() does have a pskb_may_pull() call
    but batadv_interface_tx() does not actually make sure
    this did not fail.
    
    [1]
    BUG: KMSAN: uninit-value in batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
    CPU: 0 PID: 10006 Comm: syz-executor469 Not tainted 4.20.0-rc7+ #5
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x173/0x1d0 lib/dump_stack.c:113
     kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
     __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
     batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
     __netdev_start_xmit include/linux/netdevice.h:4356 [inline]
     netdev_start_xmit include/linux/netdevice.h:4365 [inline]
     xmit_one net/core/dev.c:3257 [inline]
     dev_hard_start_xmit+0x607/0xc40 net/core/dev.c:3273
     __dev_queue_xmit+0x2e42/0x3bc0 net/core/dev.c:3843
     dev_queue_xmit+0x4b/0x60 net/core/dev.c:3876
     packet_snd net/packet/af_packet.c:2928 [inline]
     packet_sendmsg+0x8306/0x8f30 net/packet/af_packet.c:2953
     sock_sendmsg_nosec net/socket.c:621 [inline]
     sock_sendmsg net/socket.c:631 [inline]
     __sys_sendto+0x8c4/0xac0 net/socket.c:1788
     __do_sys_sendto net/socket.c:1800 [inline]
     __se_sys_sendto+0x107/0x130 net/socket.c:1796
     __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
     do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
     entry_SYSCALL_64_after_hwframe+0x63/0xe7
    RIP: 0033:0x441889
    Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007ffdda6fd468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000441889
    RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003
    RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000216 R12: 00007ffdda6fd4c0
    R13: 00007ffdda6fd4b0 R14: 0000000000000000 R15: 0000000000000000
    
    Uninit was created at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
     kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
     kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
     kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
     slab_post_alloc_hook mm/slab.h:446 [inline]
     slab_alloc_node mm/slub.c:2759 [inline]
     __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
     __kmalloc_reserve net/core/skbuff.c:137 [inline]
     __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
     alloc_skb include/linux/skbuff.h:998 [inline]
     alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5220
     sock_alloc_send_pskb+0xafd/0x10e0 net/core/sock.c:2083
     packet_alloc_skb net/packet/af_packet.c:2781 [inline]
     packet_snd net/packet/af_packet.c:2872 [inline]
     packet_sendmsg+0x661a/0x8f30 net/packet/af_packet.c:2953
     sock_sendmsg_nosec net/socket.c:621 [inline]
     sock_sendmsg net/socket.c:631 [inline]
     __sys_sendto+0x8c4/0xac0 net/socket.c:1788
     __do_sys_sendto net/socket.c:1800 [inline]
     __se_sys_sendto+0x107/0x130 net/socket.c:1796
     __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
     do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
     entry_SYSCALL_64_after_hwframe+0x63/0xe7
    
    Fixes: c6c8fea2 ("net: Add batman-adv meshing protocol")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Cc:	Marek Lindner <mareklindner@neomailbox.ch>
    Cc:	Simon Wunderlich <sw@simonwunderlich.de>
    Cc:	Antonio Quartulli <a@unstable.cc>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    4ffcbfac
Name
Last commit
Last update
..
Kconfig Loading commit data...
Makefile Loading commit data...
bat_algo.c Loading commit data...
bat_algo.h Loading commit data...
bat_iv_ogm.c Loading commit data...
bat_iv_ogm.h Loading commit data...
bat_v.c Loading commit data...
bat_v.h Loading commit data...
bat_v_elp.c Loading commit data...
bat_v_elp.h Loading commit data...
bat_v_ogm.c Loading commit data...
bat_v_ogm.h Loading commit data...
bitarray.c Loading commit data...
bitarray.h Loading commit data...
bridge_loop_avoidance.c Loading commit data...
bridge_loop_avoidance.h Loading commit data...
debugfs.c Loading commit data...
debugfs.h Loading commit data...
distributed-arp-table.c Loading commit data...
distributed-arp-table.h Loading commit data...
fragmentation.c Loading commit data...
fragmentation.h Loading commit data...
gateway_client.c Loading commit data...
gateway_client.h Loading commit data...
gateway_common.c Loading commit data...
gateway_common.h Loading commit data...
hard-interface.c Loading commit data...
hard-interface.h Loading commit data...
hash.c Loading commit data...
hash.h Loading commit data...
icmp_socket.c Loading commit data...
icmp_socket.h Loading commit data...
log.c Loading commit data...
log.h Loading commit data...
main.c Loading commit data...
main.h Loading commit data...
multicast.c Loading commit data...
multicast.h Loading commit data...
netlink.c Loading commit data...
netlink.h Loading commit data...
network-coding.c Loading commit data...
network-coding.h Loading commit data...
originator.c Loading commit data...
originator.h Loading commit data...
routing.c Loading commit data...
routing.h Loading commit data...
send.c Loading commit data...
send.h Loading commit data...
soft-interface.c Loading commit data...
soft-interface.h Loading commit data...
sysfs.c Loading commit data...
sysfs.h Loading commit data...
tp_meter.c Loading commit data...
tp_meter.h Loading commit data...
trace.c Loading commit data...
trace.h Loading commit data...
translation-table.c Loading commit data...
translation-table.h Loading commit data...
tvlv.c Loading commit data...
tvlv.h Loading commit data...
types.h Loading commit data...