Revision 18bcf2907df935981266532e1e0d052aff2e6fae authored by Alexander Potapenko on 17 July 2017, 10:35:58 UTC, committed by David S. Miller on 18 July 2017, 18:22:51 UTC
KMSAN reported use of uninitialized memory in skb_set_hash_from_sk(),
which originated from the TCP request socket created in
cookie_v6_check():
==================================================================
BUG: KMSAN: use of uninitialized memory in tcp_transmit_skb+0xf77/0x3ec0
CPU: 1 PID: 2949 Comm: syz-execprog Not tainted 4.11.0-rc5+ #2931
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
TCP: request_sock_TCPv6: Possible SYN flooding on port 20028. Sending cookies. Check SNMP counters.
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:16
dump_stack+0x172/0x1c0 lib/dump_stack.c:52
kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927
__msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469
skb_set_hash_from_sk ./include/net/sock.h:2011
tcp_transmit_skb+0xf77/0x3ec0 net/ipv4/tcp_output.c:983
tcp_send_ack+0x75b/0x830 net/ipv4/tcp_output.c:3493
tcp_delack_timer_handler+0x9a6/0xb90 net/ipv4/tcp_timer.c:284
tcp_delack_timer+0x1b0/0x310 net/ipv4/tcp_timer.c:309
call_timer_fn+0x240/0x520 kernel/time/timer.c:1268
expire_timers kernel/time/timer.c:1307
__run_timers+0xc13/0xf10 kernel/time/timer.c:1601
run_timer_softirq+0x36/0xa0 kernel/time/timer.c:1614
__do_softirq+0x485/0x942 kernel/softirq.c:284
invoke_softirq kernel/softirq.c:364
irq_exit+0x1fa/0x230 kernel/softirq.c:405
exiting_irq+0xe/0x10 ./arch/x86/include/asm/apic.h:657
smp_apic_timer_interrupt+0x5a/0x80 arch/x86/kernel/apic/apic.c:966
apic_timer_interrupt+0x86/0x90 arch/x86/entry/entry_64.S:489
RIP: 0010:native_restore_fl ./arch/x86/include/asm/irqflags.h:36
RIP: 0010:arch_local_irq_restore ./arch/x86/include/asm/irqflags.h:77
RIP: 0010:__msan_poison_alloca+0xed/0x120 mm/kmsan/kmsan_instr.c:440
RSP: 0018:ffff880024917cd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: 0000000000000246 RBX: ffff8800224c0000 RCX: 0000000000000005
RDX: 0000000000000004 RSI: ffff880000000000 RDI: ffffea0000b6d770
RBP: ffff880024917d58 R08: 0000000000000dd8 R09: 0000000000000004
R10: 0000160000000000 R11: 0000000000000000 R12: ffffffff85abf810
R13: ffff880024917dd8 R14: 0000000000000010 R15: ffffffff81cabde4
</IRQ>
poll_select_copy_remaining+0xac/0x6b0 fs/select.c:293
SYSC_select+0x4b4/0x4e0 fs/select.c:653
SyS_select+0x76/0xa0 fs/select.c:634
entry_SYSCALL_64_fastpath+0x13/0x94 arch/x86/entry/entry_64.S:204
RIP: 0033:0x4597e7
RSP: 002b:000000c420037ee0 EFLAGS: 00000246 ORIG_RAX: 0000000000000017
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004597e7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 000000c420037ef0 R08: 000000c420037ee0 R09: 0000000000000059
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000042dc20
R13: 00000000000000f3 R14: 0000000000000030 R15: 0000000000000003
chained origin:
save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302
kmsan_save_stack mm/kmsan/kmsan.c:317
kmsan_internal_chain_origin+0x12a/0x1f0 mm/kmsan/kmsan.c:547
__msan_store_shadow_origin_4+0xac/0x110 mm/kmsan/kmsan_instr.c:259
tcp_create_openreq_child+0x709/0x1ae0 net/ipv4/tcp_minisocks.c:472
tcp_v6_syn_recv_sock+0x7eb/0x2a30 net/ipv6/tcp_ipv6.c:1103
tcp_get_cookie_sock+0x136/0x5f0 net/ipv4/syncookies.c:212
cookie_v6_check+0x17a9/0x1b50 net/ipv6/syncookies.c:245
tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:989
tcp_v6_do_rcv+0xdd8/0x1c60 net/ipv6/tcp_ipv6.c:1298
tcp_v6_rcv+0x41a3/0x4f00 net/ipv6/tcp_ipv6.c:1487
ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279
NF_HOOK ./include/linux/netfilter.h:257
ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322
dst_input ./include/net/dst.h:492
ip6_rcv_finish net/ipv6/ip6_input.c:69
NF_HOOK ./include/linux/netfilter.h:257
ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203
__netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208
__netif_receive_skb net/core/dev.c:4246
process_backlog+0x667/0xba0 net/core/dev.c:4866
napi_poll net/core/dev.c:5268
net_rx_action+0xc95/0x1590 net/core/dev.c:5333
__do_softirq+0x485/0x942 kernel/softirq.c:284
origin:
save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302
kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198
kmsan_kmalloc+0x7f/0xe0 mm/kmsan/kmsan.c:337
kmem_cache_alloc+0x1c2/0x1e0 mm/slub.c:2766
reqsk_alloc ./include/net/request_sock.h:87
inet_reqsk_alloc+0xa4/0x5b0 net/ipv4/tcp_input.c:6200
cookie_v6_check+0x4f4/0x1b50 net/ipv6/syncookies.c:169
tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:989
tcp_v6_do_rcv+0xdd8/0x1c60 net/ipv6/tcp_ipv6.c:1298
tcp_v6_rcv+0x41a3/0x4f00 net/ipv6/tcp_ipv6.c:1487
ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279
NF_HOOK ./include/linux/netfilter.h:257
ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322
dst_input ./include/net/dst.h:492
ip6_rcv_finish net/ipv6/ip6_input.c:69
NF_HOOK ./include/linux/netfilter.h:257
ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203
__netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208
__netif_receive_skb net/core/dev.c:4246
process_backlog+0x667/0xba0 net/core/dev.c:4866
napi_poll net/core/dev.c:5268
net_rx_action+0xc95/0x1590 net/core/dev.c:5333
__do_softirq+0x485/0x942 kernel/softirq.c:284
==================================================================
Similar error is reported for cookie_v4_check().
Fixes: 58d607d3e52f ("tcp: provide skb->hash to synack packets")
Signed-off-by: Alexander Potapenko <glider@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent e5dadc6
stv0672_vp4.bin.ihex
:1000000001BCE302E303E304E305E306E3079344EF
:1000100056D4934E5651934E51D6934E4F54934EC1
:10002000924F92A4930592F4931B929291E692368A
:100030009274924A928C928EC8D00B4202A0CA92BD
:100040000902C9100A0A0A81E3B8E3B0E3A8E3A0F1
:10005000E398E390E100CFD70A12CC9508B20A18D2
:10006000E10001EE0C084A12C818F09AC022F31CF5
:100070004A13F314C8A0F214F21CEB13D3A26316B4
:10008000489EF018A403F393C058F713519CE9203D
:10009000CFEF63F9922ED35F63FA922ED36763FB9F
:1000A000922ED36FE91A631648A7F020A406F394A2
:1000B000C027F714F513519DF6136318C420CBEF36
:1000C00063FC922ED37763FD922ED37F63FE922E34
:1000D000D38763FF922ED38F6438922ED3976439DF
:1000E000922ED39FE100F53AF43BF7BFF2BCF23D0C
:1000F000E1008087908051D5022202324BD3F71164
:100100000BDAE1000E0202400DB5E3024855E5129C
:10011000A401E81BE390F018A401E8BF8DB84BD10F
:100120004BD80BCB0BC2E100E302E30352D360597F
:10013000E6930D2252D4E6930D2AE398E390E10072
:10014000025D0263E302C81202CAC85202C2826898
:10015000E302C81402CAC89002C20AD0C9930ADADC
:10016000CCD20AE2631202DA0A980AA00AA8E39043
:10017000E100E3020AD0C9930ADACCD20AE26312A0
:1001800002DA0A980AA00AA84991E56AA404C812EA
:1001900002CAC8528289C81402CAC89002C2E39037
:1001A000E1000860E1004853E897085AE100E302E3
:1001B000E30354D36059E6930D52E398E390E100D2
:1001C000029CE3025513931755139317E390E10034
:1001D0007530E302E30355556059E6930DB2E39899
:1001E000E390E10002AEE792E918EA9AE898E81095
:1001F000E811E851D2DAD2F3E813D2FAE850D2EAA1
:10020000E8D0E8D1D30A03094823E52CA003482409
:10021000EA1C0308D2E3D303D313E10002CB059316
:100220005793F09AAC0BE30792EAE29FE506E3B03E
:10023000A002EB1E82D7EA1EE23B859BE91EC89016
:10024000859402DE05805793F0BAAC0692EAE2BFCD
:10025000E506A001EBBF8588E93EC8908581E93EAF
:10026000F0BAF339F03A6017F03AC090F0BAE10012
:10027000003FE302E30358106059E6930DA25812C1
:10028000E6930DAAE398E390E1000301E100030384
:100290009B7D8B8BE302E30358566059E6930DBABE
:1002A000E398E390E100030F9311E100E3024A11A8
:1002B0000B4291AFE390E100F291F091A3FEE100D7
:1002C0006092C05FF013F013595BE213F0115A19FA
:1002D000E213E10000000327686176616E610006A9
:1002E000032CE302E303E9385915595AF29ABC0B7F
:1002F000A40A591EF311F01AE2BB5915F011192A7C
:10030000E502A401EBBFE398E390E1000342192862
:10031000E100E9306079E100E303E3076079934E9F
:10032000E3B8E398E100E91AF01FE233F091E292BA
:08033000E032F031E1000000B1
:00000001FF
Copyright 2001, STMicrolectronics, Inc.
Contact: steve.miller@st.com
Description:
This file contains patch data for the CPiA2 (stv0672) VP4.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Computing file changes ...
