Bug #398
KMSAN: uninit-value in batadv_iv_send_outstanding_bat_ogm_packet
Status: closed
Start date: 08/22/2019
% Done: 0%
Description
syzbot found the following crash on:

HEAD commit:    61ccdad1 Revert "drm/bochs: Use shadow buffer for bochs fr..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13d6909c600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=27abc558ecb16a3b
dashboard link: https://syzkaller.appspot.com/bug?extid=355cab184197dbbfa384
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1612b9d2600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11d388ac600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com

==================================================================
BUG: KMSAN: uninit-value in batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:317 [inline]
BUG: KMSAN: uninit-value in batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:383 [inline]
BUG: KMSAN: uninit-value in batadv_iv_send_outstanding_bat_ogm_packet+0x6cd/0xcc0 net/batman-adv/bat_iv_ogm.c:1657
CPU: 1 PID: 290 Comm: kworker/u4:7 Not tainted 5.3.0-rc3+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
 __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:317 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:383 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0x6cd/0xcc0 net/batman-adv/bat_iv_ogm.c:1657
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
The referenced line (317) is the loop header:
311         packet_num = 0;
312         buff_pos = 0;
313         packet_pos = forw_packet->skb->data;
314         batadv_ogm_packet = (struct batadv_ogm_packet *)packet_pos;
315
316         /* adjust all flags and log packets */
317         while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
318                                          batadv_ogm_packet->tvlv_len)) {
319                 /* we might have aggregated direct link packets with an
320                  * ordinary base packet
321                  */
I would guess (without really knowing it) that there is a too-short batadv_ogm_packet which doesn't contain tvlv_len.
Full output at https://lore.kernel.org/r/000000000000226dc30590a83a39@google.com
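Modelled in user space as an added example (written for this page, not batman-adv code): the aggregated OGM walk from the loop above, but with a predicate that checks the fixed header lies inside packet_len before it reads tvlv_len, which is the read KMSAN reported at line 317. The header layout, the sample buffer and the function names are constructed for the example and are not the kernel's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the OGM header (not the kernel's layout): 22 bytes of
 * fixed fields followed by a 16-bit big-endian tvlv_len, 24 bytes in total. */
struct ogm_hdr {
    uint8_t fixed[22];
    uint8_t tvlv_len_be[2];
};

static uint16_t ogm_tvlv_len(const struct ogm_hdr *h)
{
    return (uint16_t)((h->tvlv_len_be[0] << 8) | h->tvlv_len_be[1]);
}

/* Checked aggregation predicate: tvlv_len is dereferenced only after the whole
 * fixed header is known to fit; the loop on the page reads tvlv_len first. */
static bool ogm_aggr_packet_ok(const uint8_t *buf, size_t buff_pos, size_t packet_len)
{
    size_t next = buff_pos + sizeof(struct ogm_hdr);
    if (next > packet_len)      /* header truncated: do not touch tvlv_len */
        return false;
    next += ogm_tvlv_len((const struct ogm_hdr *)(buf + buff_pos));
    return next <= packet_len;  /* header and its TVLV data both fit */
}

/* Walk an aggregated buffer like the while loop on the page and count the
 * complete OGMs; trailing bytes that do not form a full OGM are never read. */
static int count_aggregated_ogms(const uint8_t *buf, size_t packet_len)
{
    size_t buff_pos = 0;
    int n = 0;
    while (ogm_aggr_packet_ok(buf, buff_pos, packet_len)) {
        const struct ogm_hdr *h = (const struct ogm_hdr *)(buf + buff_pos);
        buff_pos += sizeof(*h) + ogm_tvlv_len(h);
        n++;
    }
    return n;
}

/* Constructed sample buffer: OGM 1 (24 bytes, tvlv_len 0), OGM 2 (24-byte
 * header with tvlv_len 4 plus 4 TVLV bytes), then a 10-byte truncated tail. */
static const uint8_t sample_ogms[24 + 28 + 10] = { [47] = 4 };

int main(void)
{
    /* exit status 0 when exactly the two complete OGMs are counted */
    return count_aggregated_ogms(sample_ogms, sizeof(sample_ogms)) == 2 ? 0 : 1;
}
```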