KMSAN: uninit-value in hwsim_cloned_frame_received_nl

syzbot
Sep 24, 2020, 5:26:26 AM
to da...@davemloft.net, gli...@google.com, joha...@sipsolutions.net, ku...@kernel.org, kv...@codeaurora.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c5a13b33 kmsan: clang-format core
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12a19c03900000
kernel config: https://syzkaller.appspot.com/x/.config?x=20f149ad694ba4be
dashboard link: https://syzkaller.appspot.com/bug?extid=b2645b5bf1512b81fa22
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=118689ab900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=104fc409900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b2645b...@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in hwsim_cloned_frame_received_nl+0x104e/0x13e0 drivers/net/wireless/mac80211_hwsim.c:3553
CPU: 1 PID: 8531 Comm: syz-executor177 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x21c/0x280 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219
hwsim_cloned_frame_received_nl+0x104e/0x13e0 drivers/net/wireless/mac80211_hwsim.c:3553
genl_family_rcv_msg_doit net/netlink/genetlink.c:669 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:714 [inline]
genl_rcv_msg+0x1703/0x18a0 net/netlink/genetlink.c:731
netlink_rcv_skb+0x6d7/0x7e0 net/netlink/af_netlink.c:2470
genl_rcv+0x63/0x80 net/netlink/genetlink.c:742
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x11c8/0x1490 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x173a/0x1840 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
__sys_sendto+0x9dc/0xc80 net/socket.c:1992
__do_sys_sendto net/socket.c:2004 [inline]
__se_sys_sendto+0x107/0x130 net/socket.c:2000
__x64_sys_sendto+0x6e/0x90 net/socket.c:2000
do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x401a73
Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 83 3d bd 8c 2d 00 00 75 17 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 f1 0b 00 00 c3 48 83 ec 08 e8 57 01 00 00
RSP: 002b:00007ffc0c9fdd58 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007ffc0c9fddd0 RCX: 0000000000401a73
RDX: 0000000000000034 RSI: 00007ffc0c9fde20 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffc0c9fdd60 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ffc0c9fde20 R15: 0000000000000003

Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126
kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80
slab_alloc_node mm/slub.c:2907 [inline]
__kmalloc_node_track_caller+0x9aa/0x12f0 mm/slub.c:4511
__kmalloc_reserve net/core/skbuff.c:142 [inline]
__alloc_skb+0x35f/0xb30 net/core/skbuff.c:210
alloc_skb include/linux/skbuff.h:1094 [inline]
hwsim_cloned_frame_received_nl+0x20e/0x13e0 drivers/net/wireless/mac80211_hwsim.c:3498
genl_family_rcv_msg_doit net/netlink/genetlink.c:669 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:714 [inline]
genl_rcv_msg+0x1703/0x18a0 net/netlink/genetlink.c:731
netlink_rcv_skb+0x6d7/0x7e0 net/netlink/af_netlink.c:2470
genl_rcv+0x63/0x80 net/netlink/genetlink.c:742
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x11c8/0x1490 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x173a/0x1840 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
__sys_sendto+0x9dc/0xc80 net/socket.c:1992
__do_sys_sendto net/socket.c:2004 [inline]
__se_sys_sendto+0x107/0x130 net/socket.c:2000
__x64_sys_sendto+0x6e/0x90 net/socket.c:2000
do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xa9
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot
Sep 30, 2020, 9:22:06 AM
to anmol.k...@gmail.com, gli...@google.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in hwsim_cloned_frame_received_nl

=====================================================
BUG: KMSAN: uninit-value in hwsim_cloned_frame_received_nl+0x104e/0x13e0 drivers/net/wireless/mac80211_hwsim.c:3553
CPU: 1 PID: 10057 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x21c/0x280 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:201
hwsim_cloned_frame_received_nl+0x104e/0x13e0 drivers/net/wireless/mac80211_hwsim.c:3553
genl_family_rcv_msg_doit net/netlink/genetlink.c:669 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:714 [inline]
genl_rcv_msg+0x1703/0x18a0 net/netlink/genetlink.c:731
netlink_rcv_skb+0x6d7/0x7e0 net/netlink/af_netlink.c:2470
genl_rcv+0x63/0x80 net/netlink/genetlink.c:742
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x11c8/0x1490 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x173a/0x1840 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
__sys_sendto+0x9dc/0xc80 net/socket.c:1992
__do_sys_sendto net/socket.c:2004 [inline]
__se_sys_sendto+0x107/0x130 net/socket.c:2000
__x64_sys_sendto+0x6e/0x90 net/socket.c:2000
do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x417a27
Code: 2c 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 81 19 00 00 c3 48 83 ec 08 e8 e7 fa ff ff 48 89 04 24 49 89 ca b8 2c 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 2d fb ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fc60bc54b30 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc60bc54be0 RCX: 0000000000417a27
RDX: 0000000000000034 RSI: 00007fc60bc54c30 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007fc60bc54b40 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc60bc54c30 R15: 0000000000000003
Tested on:

commit: 5edb1df2 kmsan: drop the _nosanitize string functions
console output: https://syzkaller.appspot.com/x/log.txt?x=1164595b900000
kernel config: https://syzkaller.appspot.com/x/.config?x=33941614a34daf96

Kosuke Fujimoto
Apr 20, 2022, 6:32:04 AM
to syzkaller-bugs
Add frame_data_len check and move its conditional check before allocating skb.

The original patch was introduced
https://lists.linuxfoundation.org/pipermail/linux-kernel-mentees/2021-June/006403.html

#syz test: https://github.com/google/kmsan.git master

Best regards,
Kosuke
fix-uninit-value.patch
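The report above puts the uninitialised read in hwsim_cloned_frame_received_nl at the point where the copied frame is parsed (mac80211_hwsim.c:3553) and its origin at the alloc_skb call (mac80211_hwsim.c:3498), and the patch description says to check frame_data_len before allocating the skb. The following is an added user-space model of that before/after ordering; it is not code from the report, from the attached patch or from the kernel. The toy skb helpers, the result codes, the sample frames and the 24-byte header lower bound are constructed for this model, and it assumes the field read at the crash site is the 802.11 frame_control; IEEE80211_MAX_DATA_LEN (2304) is the kernel's value, but the "check after alloc" ordering in the before-version is inferred only from the trace and the patch description.

```c
/* Added model of the uninit-value pattern in the report above: user-space
 * stand-ins, not kernel code. Assumed: the crash-site read is frame_control. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IEEE80211_MAX_DATA_LEN 2304 /* upper bound the driver already checks */
#define IEEE80211_HDR_LEN      24   /* 3-address 802.11 header; assumed lower bound */

/* Toy skb: 'len' counts bytes written by skb_put_data and, since nothing else
 * writes data[], doubles as a KMSAN-style "initialised bytes" shadow. */
struct skb {
	unsigned char *data;
	size_t len;
};

static struct skb *alloc_skb(size_t size)
{
	struct skb *s = calloc(1, sizeof *s);          /* len starts at 0 */
	if (s && !(s->data = malloc(size ? size : 1))) { /* like kmalloc: contents undefined */
		free(s);
		return NULL;
	}
	return s;
}

static void kfree_skb(struct skb *s) { if (s) { free(s->data); free(s); } }

static void skb_put_data(struct skb *s, const void *src, size_t n)
{
	memcpy(s->data + s->len, src, n);
	s->len += n;
}

/* Little-endian u16 field read. Refuses (-1) to touch any byte past skb->len;
 * in the kernel that read is what KMSAN reports as "uninit-value". */
static int skb_get_u16(const struct skb *s, size_t off, uint16_t *out)
{
	if (off + 2 > s->len)
		return -1;
	*out = (uint16_t)(s->data[off] | (s->data[off + 1] << 8));
	return 0;
}

enum rx_result { RX_OK, RX_TOO_SHORT, RX_TOO_LONG, RX_NOMEM, RX_UNINIT_READ };

/* Shared tail of both handlers: copy the frame in, read frame_control, free. */
static enum rx_result copy_and_parse(struct skb *s, const uint8_t *frame, size_t frame_len)
{
	uint16_t fc;
	skb_put_data(s, frame, frame_len);
	enum rx_result r = skb_get_u16(s, 0, &fc) ? RX_UNINIT_READ : RX_OK;
	kfree_skb(s);
	return r;
}

/* Before: allocate, check only the upper bound, then copy and parse. A
 * zero-length frame leaves frame_control unwritten; a 10-byte fragment passes
 * because only the first two bytes are ever checked here. */
enum rx_result frame_received_before(const uint8_t *frame, size_t frame_len)
{
	struct skb *s = alloc_skb(frame_len);
	if (!s)
		return RX_NOMEM;
	if (frame_len > IEEE80211_MAX_DATA_LEN) {
		kfree_skb(s);
		return RX_TOO_LONG;
	}
	return copy_and_parse(s, frame, frame_len);
}

/* After: both bounds are validated before anything is allocated, so a short
 * frame never becomes an skb and every later header read is initialised. */
enum rx_result frame_received_after(const uint8_t *frame, size_t frame_len)
{
	if (frame_len < IEEE80211_HDR_LEN)
		return RX_TOO_SHORT;
	if (frame_len > IEEE80211_MAX_DATA_LEN)
		return RX_TOO_LONG;
	struct skb *s = alloc_skb(frame_len);
	if (!s)
		return RX_NOMEM;
	return copy_and_parse(s, frame, frame_len);
}

/* Constructed inputs: a 10-byte fragment, a full beacon-style header
 * (frame_control 0x0080, broadcast addr1) and one byte over the upper bound. */
static const uint8_t short_frame[10] = { 0x80, 0x00 };
static const uint8_t full_header[IEEE80211_HDR_LEN] = {
	0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
static const uint8_t oversized_frame[IEEE80211_MAX_DATA_LEN + 1] = { 0 };

int main(void)
{
	printf("before: empty=%d short=%d  after: empty=%d short=%d\n",
	       frame_received_before(short_frame, 0),
	       frame_received_before(short_frame, sizeof short_frame),
	       frame_received_after(short_frame, 0),
	       frame_received_after(short_frame, sizeof short_frame));
	return 0;
}
```

The two handlers differ only in where the length checks sit. Moving them ahead of alloc_skb does two things at once: the zero-length frame that produces RX_UNINIT_READ in the before-version is rejected before any buffer exists, and the 10-byte fragment that the before-version would pass on with an incomplete header is rejected as RX_TOO_SHORT instead.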

syzbot
Apr 20, 2022, 6:32:07 AM
to Kosuke Fujimoto, fujimot...@gmail.com, syzkall...@googlegroups.com
> Add frame_data_len check and move its conditional check before allocating
> skb.
>
> The original patch was introduced
> https://lists.linuxfoundation.org/pipermail/linux-kernel-mentees/2021-June/006403.html
>
> #syz test: https://github.com/google/kmsan.git master

I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).

Kosuke Fujimoto
Apr 20, 2022, 6:46:18 AM
to syzbot, syzkall...@googlegroups.com
Best regards,
Kosuke
fix-uninit-value.patch

Dmitry Vyukov
Apr 20, 2022, 6:56:01 AM
to Kosuke Fujimoto, syzbot, syzkall...@googlegroups.com
On Wed, 20 Apr 2022 at 12:46, Kosuke Fujimoto <fujimot...@gmail.com> wrote:
>
> On 2022/04/20 19:32, syzbot wrote:
> >> Add frame_data_len check and move its conditional check before allocating
> >> skb.
> >>
> >> The original patch was introduced
> >> https://lists.linuxfoundation.org/pipermail/linux-kernel-mentees/2021-June/006403.html
> >>
> >> #syz test: https://github.com/google/kmsan.git master
> > I see the command but can't find the corresponding bug.
> > Please resend the email to syzbo...@syzkaller.appspotmail.com address
> > that is the sender of the bug report (also present in the Reported-by tag).
> >
> >> Best regards,
> >> Kosuke

Hi Kosuke,

syzkaller-bugs@ mailing list is not read by kernel developers.
If this patch is supposed to fix the reported issue, please post it as
a properly formed patch to kernel mailing lists so that it can be
accepted to the kernel.

Thanks

syzbot
Apr 20, 2022, 7:07:11 AM
to fujimot...@gmail.com, gli...@google.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b2645b...@syzkaller.appspotmail.com

Tested on:

commit: 33d9269e Revert "kernel: kmsan: don't instrument stack..
kernel config: https://syzkaller.appspot.com/x/.config?x=d830111cc3be873
dashboard link: https://syzkaller.appspot.com/bug?extid=b2645b5bf1512b81fa22
compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12658592f00000

Note: testing is done by a robot and is best-effort only.

Dan Carpenter
Apr 20, 2022, 7:23:03 AM
to Dmitry Vyukov, Kosuke Fujimoto, syzbot, syzkall...@googlegroups.com
On Wed, Apr 20, 2022 at 12:55:48PM +0200, 'Dmitry Vyukov' via syzkaller-bugs wrote:
> On Wed, 20 Apr 2022 at 12:46, Kosuke Fujimoto <fujimot...@gmail.com> wrote:
> >
> > On 2022/04/20 19:32, syzbot wrote:
> > >> Add frame_data_len check and move its conditional check before allocating
> > >> skb.
> > >>
> > >> The original patch was introduced
> > >> https://lists.linuxfoundation.org/pipermail/linux-kernel-mentees/2021-June/006403.html
> > >>
> > >> #syz test: https://github.com/google/kmsan.git master
> > > I see the command but can't find the corresponding bug.
> > > Please resend the email to syzbo...@syzkaller.appspotmail.com address
> > > that is the sender of the bug report (also present in the Reported-by tag).
> > >
> > >> Best regards,
> > >> Kosuke
>
> Hi Kosuke,
>
> syzkaller-bugs@ mailing list is not read by kernel developers.

Unrelated: I think a couple people read it. I've tried to read it but
it's not really useful. :/ It would be easier to get more developers
involved if the list were more useful.

For example, when syzbot tests a patch it would help if people posted
the commit instead of just the tree or if they wrote a commit, it would
help if they wrote a commit message.

regards,
dan carpenter

Dmitry Vyukov
Apr 20, 2022, 8:25:44 AM
to Dan Carpenter, Kosuke Fujimoto, syzbot, syzkall...@googlegroups.com
On Wed, 20 Apr 2022 at 13:23, Dan Carpenter <dan.ca...@oracle.com> wrote:
>
> On Wed, Apr 20, 2022 at 12:55:48PM +0200, 'Dmitry Vyukov' via syzkaller-bugs wrote:
> > On Wed, 20 Apr 2022 at 12:46, Kosuke Fujimoto <fujimot...@gmail.com> wrote:
> > >
> > > On 2022/04/20 19:32, syzbot wrote:
> > > >> Add frame_data_len check and move its conditional check before allocating
> > > >> skb.
> > > >>
> > > >> The original patch was introduced
> > > >> https://lists.linuxfoundation.org/pipermail/linux-kernel-mentees/2021-June/006403.html
> > > >>
> > > >> #syz test: https://github.com/google/kmsan.git master
> > > > I see the command but can't find the corresponding bug.
> > > > Please resend the email to syzbo...@syzkaller.appspotmail.com address
> > > > that is the sender of the bug report (also present in the Reported-by tag).
> > > >
> > > >> Best regards,
> > > >> Kosuke
> >
> > Hi Kosuke,
> >
> > syzkaller-bugs@ mailing list is not read by kernel developers.
>
> Unrelated: I think a couple people read it. I've tried to read it but
> it's not really useful. :/ It would be easier to get more developers
> involved if the list were more useful.

Hi Dan,

It's designed to be not read/archive-only.
There is syzkaller@ mailing list to reach syzkaller developers.
There are kernel mailing lists to reach kernel developers.
If there is another topic that is interesting to another group of
people and that is different enough from the previous topics, then we
need another mailing list (or just CC them manually) rather than
re-purpose syzkaller-bugs@, which will contain 99% content that is
irrelevant for that group of people (since syzbot will continue to CC
everything there), so it won't work well anyway.


> For example, when syzbot tests a patch it would help if people posted
> the commit instead of just the tree or if they wrote a commit, it would
> help if they wrote a commit message.

This looks like an unrelated improvement.
Recipients for patch testing requests are chosen by the requestor.
Normally one uses Reply-all and the results will be sent to all CCed
developers as well.
But a requestor can send a semi-private request and reply will be
semi-private as well.

What commit do you mean?
syzbot posts the commit it tested on, see e.g. the reply above in this thread:

Tested on:
commit: 33d9269e Revert "kernel: kmsan: don't instrument stack..
...
patch: https://syzkaller.appspot.com/x/patch.diff?x=12658592f00000

Dan Carpenter
Apr 20, 2022, 8:50:57 AM
to Dmitry Vyukov, Kosuke Fujimoto, syzbot, syzkall...@googlegroups.com
Hm... I could probably figure out something with lei since this is
all going to LKML. Only the latest version of my distro has lei packaged
so let me kick off the upgrade...

https://people.kernel.org/monsieuricon/lore-lei-part-1-getting-started

>
>
> > For example, when syzbot tests a patch it would help if people posted
> > the commit instead of just the tree or if they wrote a commit, it would
> > help if they wrote a commit message.
>
> This looks like an unrelated improvement.
> Recipients for patch testing requests are chosen by the requestor.
> Normally one uses Reply-all and the results will be sent to all CCed
> developers as well.
> But a requestor can send a semi-private request and reply will be
> semi-private as well.
>
> What commit do you mean?
> syzbot posts the commit it tested on, see e.g. the reply above in this thread:
>
> Tested on:
> commit: 33d9269e Revert "kernel: kmsan: don't instrument stack..
> git tree: https://github.com/google/kmsan.git master
> ...
> patch: https://syzkaller.appspot.com/x/patch.diff?x=12658592f00000
>

Oh. I just saw the commit and the tree but hadn't noticed the patch
URL.

I feel like I'm being unreasonable now, but the truth is that I don't
click on URLs but I do read patches that come in email. I wish that
it had a `git show 33d9269e` right in the email. But maybe I'm the
only person... Not sure.

regards,
dan carpenter


Dmitry Vyukov
Apr 20, 2022, 10:37:35 AM
to Dan Carpenter, Kosuke Fujimoto, syzbot, syzkall...@googlegroups.com
Ah, I see.

Inline patch is discussable. But with so many users with their own
preferences it's hard to satisfy all parties :)
I can also imagine that no crash report + a small patch case will look
nice inline, but if there is a large crash report + a large patch, it
may look not so nice. But maybe kernel developers are used to large
patches inline + long commit descriptions, so it will look fine even
in that case?

Dan Carpenter
Apr 20, 2022, 1:18:40 PM
to Dmitry Vyukov, Kosuke Fujimoto, syzbot, syzkall...@googlegroups.com
Yes. Large inline patches are fine. I doubt it can be larger than the
add driver patches we commonly deal with.

regards,
dan carpenter