[PATCH net] vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()


Eric Dumazet

May 16, 2023, 10:23:45 AM
to David S. Miller, Jakub Kicinski, Paolo Abeni, net...@vger.kernel.org, eric.d...@gmail.com, Eric Dumazet, syzbot
syzbot triggered the following splat [1], sending an empty message
through pppoe_sendmsg().

When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
does not push extra bytes for the VLAN header, because vlan is offloaded.

Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).

We need to swap the two conditions.

[1]
BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
__netdev_start_xmit include/linux/netdevice.h:4883 [inline]
netdev_start_xmit include/linux/netdevice.h:4897 [inline]
xmit_one net/core/dev.c:3580 [inline]
dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596
__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246
dev_queue_xmit include/linux/netdevice.h:3053 [inline]
pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
__do_sys_sendmmsg net/socket.c:2670 [inline]
__se_sys_sendmmsg net/socket.c:2667 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774
slab_alloc_node mm/slub.c:3452 [inline]
kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497
kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520
__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606
alloc_skb include/linux/skbuff.h:1277 [inline]
sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583
pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
__do_sys_sendmmsg net/socket.c:2670 [inline]
__se_sys_sendmmsg net/socket.c:2667 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzk...@googlegroups.com>
Signed-off-by: Eric Dumazet <edum...@google.com>
---
net/8021q/vlan_dev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 870e4935d6e6e117eec652b6867fc4c53b94350c..b90781b9ece6402664552295e1f07b2fd97c2465 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -109,8 +109,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
* NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING
* OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
*/
- if (veth->h_vlan_proto != vlan->vlan_proto ||
- vlan->flags & VLAN_FLAG_REORDER_HDR) {
+ if (vlan->flags & VLAN_FLAG_REORDER_HDR ||
+ veth->h_vlan_proto != vlan->vlan_proto) {
u16 vlan_tci;
vlan_tci = vlan->vlan_id;
vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority);
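
Review bot: the reordered test on the two + lines is only safe because || short-circuits, so veth->h_vlan_proto is not read once VLAN_FLAG_REORDER_HDR is found set, yet nothing in the code records that the order matters; the comment above the if only covers DIX Ethernet. Suggest a one-line comment there saying the flag must be tested before the header field, so a later cleanup does not swap the operands back. When the flag is clear the second operand still dereferences veth, and no length check is visible in this hunk, so it is worth stating in the commit message why the header bytes are always initialised on that path.
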
--
2.40.1.606.ga4b1b128d6-goog

patchwork-b...@kernel.org

May 17, 2023, 8:00:22 AM
to Eric Dumazet, da...@davemloft.net, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org, eric.d...@gmail.com, syzk...@googlegroups.com
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <da...@davemloft.net>:

On Tue, 16 May 2023 14:23:42 +0000 you wrote:
> syzbot triggered the following splat [1], sending an empty message
> through pppoe_sendmsg().
>
> When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
> does not push extra bytes for the VLAN header, because vlan is offloaded.
>
> Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
> before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).
>
> [...]

Here is the summary with links:
- [net] vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
https://git.kernel.org/netdev/net/c/dacab578c7c6

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


Greg Kroah-Hartman

May 22, 2023, 3:19:17 PM
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Eric Dumazet, David S. Miller, Sasha Levin
From: Eric Dumazet <edum...@google.com>

[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ]

syzbot triggered the following splat [1], sending an empty message
through pppoe_sendmsg().

When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
does not push extra bytes for the VLAN header, because vlan is offloaded.

Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).

Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
net/8021q/vlan_dev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index b6d456c7952ed..3d0f0d0a323b5 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -108,8 +108,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
* NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING
* OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
*/
- if (veth->h_vlan_proto != vlan->vlan_proto ||
- vlan->flags & VLAN_FLAG_REORDER_HDR) {
+ if (vlan->flags & VLAN_FLAG_REORDER_HDR ||
+ veth->h_vlan_proto != vlan->vlan_proto) {
u16 vlan_tci;
vlan_tci = vlan->vlan_id;
vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority);
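
Review bot: the first + line mixes & and || without parentheses (vlan->flags & VLAN_FLAG_REORDER_HDR || ...). Precedence makes it evaluate as intended, but since the operand order is now the whole fix, writing it as (vlan->flags & VLAN_FLAG_REORDER_HDR) || ..., the form the commit message itself uses, makes the short-circuit boundary explicit. If the backport has to stay byte-identical to upstream, raise this upstream instead.
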
--
2.39.2



Greg Kroah-Hartman

May 22, 2023, 3:32:42 PM
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Eric Dumazet, David S. Miller, Sasha Levin
index 07e86d03d4bae..d3e511e1eba8a 100644

Greg Kroah-Hartman

May 22, 2023, 3:50:48 PM
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Eric Dumazet, David S. Miller, Sasha Levin
index 5920544e93e82..0fa52bcc296bf 100644

Greg Kroah-Hartman

May 28, 2023, 3:14:25 PM
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Eric Dumazet, David S. Miller, Sasha Levin
index e871d3b27c479..c436c9973455b 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -115,8 +115,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,

Greg Kroah-Hartman

May 28, 2023, 3:18:51 PM
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Eric Dumazet, David S. Miller, Sasha Levin
index c80add6edf598..ba9b8980f100d 100644

Greg Kroah-Hartman

May 28, 2023, 3:24:59 PM
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Eric Dumazet, David S. Miller, Sasha Levin
index b10f31f98cb87..0a3a167916218 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -109,8 +109,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,

Greg Kroah-Hartman

May 28, 2023, 3:44:48 PM
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Eric Dumazet, David S. Miller, Sasha Levin
index 929f85c6cf112..8edac9307868a 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -108,8 +108,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,