lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 27 Sep 2022 10:22:39 -0700
From:   Martin KaFai Lau <martin.lau@...ux.dev>
To:     Alexander Potapenko <glider@...gle.com>
Cc:     Networking <netdev@...r.kernel.org>, joannelkoong@...il.com,
        Jakub Kicinski <kuba@...nel.org>
Subject: Re: Use of uninit value in inet_bind2_bucket_find

On 9/27/22 9:34 AM, Alexander Potapenko wrote:
> On Tue, Sep 27, 2022 at 2:33 AM Martin KaFai Lau <martin.lau@...ux.dev> wrote:
>>
>> On 9/19/22 6:41 AM, Alexander Potapenko wrote:
>>> Hi Joanne, Jakub et al.,
>>>
>>> When building next-20220919 with KMSAN I am seeing the following error
>>> at boot time:
>>>
>>> =====================================================
>>> BUG: KMSAN: uninit-value in inet_bind2_bucket_find+0x71f/0x790
>>> net/ipv4/inet_hashtables.c:827
>>>    inet_bind2_bucket_find+0x71f/0x790 net/ipv4/inet_hashtables.c:827
>>>    inet_csk_get_port+0x2415/0x32e0 net/ipv4/inet_connection_sock.c:529
>>>    __inet6_bind+0x1474/0x1a20 net/ipv6/af_inet6.c:406
>>>    inet6_bind+0x176/0x360 net/ipv6/af_inet6.c:465
>>>    __sys_bind+0x5b3/0x750 net/socket.c:1776
>>>    __do_sys_bind net/socket.c:1787
>>>    __se_sys_bind net/socket.c:1785
>>>    __x64_sys_bind+0x8d/0xe0 net/socket.c:1785
>>>    do_syscall_x64 arch/x86/entry/common.c:50
>>>    do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>>>    entry_SYSCALL_64_after_hwframe+0x63/0xcd ??:?
>>>
>>> Uninit was created at:
>>>    slab_post_alloc_hook+0x156/0xb40 mm/slab.h:759
>>>    slab_alloc_node mm/slub.c:3331
>>>    slab_alloc mm/slub.c:3339
>>>    __kmem_cache_alloc_lru mm/slub.c:3346
>>>    kmem_cache_alloc+0x47e/0x9f0 mm/slub.c:3355
>>>    inet_bind2_bucket_create+0x4b/0x3b0 net/ipv4/inet_hashtables.c:128
>>>    inet_csk_get_port+0x2513/0x32e0 net/ipv4/inet_connection_sock.c:533
>>>    __inet_bind+0xbd2/0x1040 net/ipv4/af_inet.c:525
>>>    inet_bind+0x184/0x360 net/ipv4/af_inet.c:456
>>>    __sys_bind+0x5b3/0x750 net/socket.c:1776
>>>    __do_sys_bind net/socket.c:1787
>>>    __se_sys_bind net/socket.c:1785
>>>    __x64_sys_bind+0x8d/0xe0 net/socket.c:1785
>>>    do_syscall_x64 arch/x86/entry/common.c:50
>>>    do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>>>    entry_SYSCALL_64_after_hwframe+0x63/0xcd ??:?
>>>
>>> CPU: 3 PID: 5983 Comm: sshd Not tainted 6.0.0-rc6-next-20220919 #211
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>> 1.16.0-debian-1.16.0-4 04/01/2014
>>> =====================================================
>>>
>>> I think this is related to "net: Add a bhash2 table hashed by port and
>>> address", could you please take a look?
>>> This error is not reported on v6.0-rc5 (note that KMSAN only exists in
>>> -next and as a v6.0-rc5 fork at https://github.com/google/kmsan).
>>
>> Hi Alex, thanks for the report.
>>
>> I have posted a fix [0].  I have problem getting kmsan kernel to boot.
>> Could you help to give the patch a try ?  Thanks.
>>
>> [0]: https://lore.kernel.org/netdev/20220927002544.3381205-1-kafai@fb.com/
> 
> Hi Martin,
> 
> Thanks, I'll give it a shot.
> 
> Could you please share the config you're using to build KMSAN? I am
> really curious about what's wrong.

The config is attached.  My qemu setup has the very first WARN like

[    1.296999] DEBUG_LOCKS_WARN_ON(lockdep_hardirqs_enabled())
[    1.297077] WARNING: CPU: 0 PID: 0 at kernel/locking/lockdep.c:5508 
check_flags+0x63/0x180

and followed by many

[    1.772919] BUG: KMSAN: uninit-value in __init_waitqueue_head+0x110/0x140
[    1.773852]  __init_waitqueue_head+0x110/0x140
[    1.774853]  dup_fd+0x146/0x1080
[    1.775329]  copy_files+0xcd/0x210

and then panic

Download attachment "config.xz" of type "application/x-xz" (22244 bytes)

Powered by blists - more mailing lists