Bug #398

Updated by Sven Eckelmann over 5 years ago

<pre>syzbot found the following crash on:

HEAD commit:    61ccdad1 Revert "drm/bochs: Use shadow buffer for bochs fr..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13d6909c600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=27abc558ecb16a3b
dashboard link: https://syzkaller.appspot.com/bug?extid=355cab184197dbbfa384
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1612b9d2600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11d388ac600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com

==================================================================
BUG: KMSAN: uninit-value in batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:317 [inline]
BUG: KMSAN: uninit-value in batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:383 [inline]
BUG: KMSAN: uninit-value in batadv_iv_send_outstanding_bat_ogm_packet+0x6cd/0xcc0 net/batman-adv/bat_iv_ogm.c:1657
CPU: 1 PID: 290 Comm: kworker/u4:7 Not tainted 5.3.0-rc3+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
 __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:317 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:383 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0x6cd/0xcc0 net/batman-adv/bat_iv_ogm.c:1657
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
</pre>

 ---- 

 The referenced line (317) is the loop header: 

 <pre> 
  311           packet_num = 0; 
  312           buff_pos = 0; 
  313           packet_pos = forw_packet->skb->data; 
  314           batadv_ogm_packet = (struct batadv_ogm_packet *)packet_pos; 
  315  
  316           /* adjust all flags and log packets */ 
  317           while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len, 
  318                                            batadv_ogm_packet->tvlv_len)) { 
  319                   /* we might have aggregated direct link packets with an 
  320                    * ordinary base packet 
  321                    */ 
 </pre> 

I would guess (without really knowing it) that there is a too-short batadv_ogm_packet which doesn't contain tvlv_len.

 ---- 

 Full output in https://lore.kernel.org/r/000000000000226dc30590a83a39@google.com
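As an added user-space illustration (not code from the report or from batman-adv), the check behind the loop header at line 317 in both orders: reading tvlv_len before any length check, as the KMSAN report suggests, and establishing first that a whole header fits inside packet_len. The 24-byte header size, the offset of tvlv_len and the sample frame are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (not taken from the page): a 24-byte OGMv1 header whose
 * last field is the big-endian 16-bit tvlv_len. */
#define OGM_HLEN         24
#define OGM_TVLV_LEN_OFF 22
static int be16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Order implied by the report: tvlv_len is read from the header at buff_pos
 * before checking that a whole header lies inside packet_len (what KMSAN flags). */
static bool aggr_unguarded(int buff_pos, int packet_len,
                           const uint8_t *buf, int *tvlv_len)
{
    *tvlv_len = be16(buf + buff_pos + OGM_TVLV_LEN_OFF);  /* read first  */
    return buff_pos + OGM_HLEN + *tvlv_len <= packet_len; /* check after */
}

/* Hardened order: establish that the header fits before touching it. */
static bool aggr_guarded(int buff_pos, int packet_len,
                         const uint8_t *buf, int *tvlv_len)
{
    if (buff_pos < 0 || packet_len < 0 || buff_pos + OGM_HLEN > packet_len)
        return false;                                     /* header truncated */
    *tvlv_len = be16(buf + buff_pos + OGM_TVLV_LEN_OFF);
    return buff_pos + OGM_HLEN + *tvlv_len <= packet_len;
}

/* Model of the loop at bat_iv_ogm.c:317 with the guarded check: returns how
 * many aggregated OGMs are fully contained in packet_len. */
static int count_ogms(const uint8_t *buf, int packet_len)
{
    int buff_pos = 0, n = 0, tvlv_len;
    while (aggr_guarded(buff_pos, packet_len, buf, &tvlv_len)) {
        n++;
        buff_pos += OGM_HLEN + tvlv_len;
    }
    return n;
}

/* Constructed sample: two aggregated OGMs (tvlv_len 0 and 4) in a 64-byte
 * buffer whose unused tail is 0xAB, standing in for stale memory. */
static int build_sample(uint8_t buf[64])
{
    memset(buf, 0xAB, 64);
    memset(buf, 0, 52);
    buf[OGM_HLEN + OGM_TVLV_LEN_OFF + 1] = 4; /* second OGM carries 4 TVLV bytes */
    return 52;                                /* packet_len of the well-formed frame */
}
```

With packet_len shorter than the header, the guarded check returns false without ever reading tvlv_len, while the unguarded order reads the 0xAB filler and feeds it into the bounds arithmetic.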
