* [syzbot] KMSAN: uninit-value in ieee80211_sta_tx_notify (2)
@ 2021-11-20 12:17 syzbot
From: syzbot @ 2021-11-20 12:17 UTC (permalink / raw)
  To: davem, glider, johannes, kuba, linux-kernel, linux-wireless,
	netdev, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    412af9cd936d ioremap.c: move an #include around
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14d990eeb00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2d142cdf4204061
dashboard link: https://syzkaller.appspot.com/bug?extid=614e82b88a1a4973e534
compiler:       clang version 14.0.0 (git@github.com:llvm/llvm-project.git 0996585c8e3b3d409494eb5f1cad714b9e1f7fb5), GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+614e82b88a1a4973e534@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in ieee80211_ac_from_tid net/mac80211/ieee80211_i.h:2216 [inline]
BUG: KMSAN: uninit-value in ieee80211_sta_tx_wmm_ac_notify net/mac80211/mlme.c:2450 [inline]
BUG: KMSAN: uninit-value in ieee80211_sta_tx_notify+0x3b8/0x950 net/mac80211/mlme.c:2482
 ieee80211_ac_from_tid net/mac80211/ieee80211_i.h:2216 [inline]
 ieee80211_sta_tx_wmm_ac_notify net/mac80211/mlme.c:2450 [inline]
 ieee80211_sta_tx_notify+0x3b8/0x950 net/mac80211/mlme.c:2482
 ieee80211_tx_status_ext+0x11f0/0x54d0 net/mac80211/status.c:1147
 ieee80211_tx_status+0x221/0x270 net/mac80211/status.c:1090
 ieee80211_tasklet_handler+0x30d/0x380 net/mac80211/main.c:239
 tasklet_action_common+0x5dd/0x810 kernel/softirq.c:783
 tasklet_action+0x30/0x40 kernel/softirq.c:804
 __do_softirq+0x1c9/0x6ec kernel/softirq.c:558
 do_softirq+0x120/0x1c0 kernel/softirq.c:459
 __local_bh_enable_ip+0xab/0xb0 kernel/softirq.c:383
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 __ieee80211_tx_skb_tid_band+0x297/0x3a0 net/mac80211/tx.c:5672
 ieee80211_tx_skb_tid net/mac80211/ieee80211_i.h:2185 [inline]
 ieee80211_tx_skb net/mac80211/ieee80211_i.h:2194 [inline]
 ieee80211_send_nullfunc+0x535/0x630 net/mac80211/mlme.c:1095
 ieee80211_mgd_probe_ap_send+0x6e7/0xa30 net/mac80211/mlme.c:2544
 ieee80211_mgd_probe_ap+0x4ee/0x6c0 net/mac80211/mlme.c:2620
 ieee80211_beacon_connection_loss_work+0x1a3/0x420 net/mac80211/mlme.c:2753
 process_one_work+0xdc7/0x1760 kernel/workqueue.c:2297
 worker_thread+0x1101/0x22b0 kernel/workqueue.c:2444
 kthread+0x66b/0x780 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3227 [inline]
 __kmalloc_node_track_caller+0xa3b/0x13c0 mm/slub.c:4962
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x4db/0xe40 net/core/skbuff.c:427
 __netdev_alloc_skb+0x48f/0x840 net/core/skbuff.c:494
 netdev_alloc_skb include/linux/skbuff.h:2877 [inline]
 dev_alloc_skb include/linux/skbuff.h:2890 [inline]
 ieee80211_nullfunc_get+0x2c1/0x870 net/mac80211/tx.c:5386
 ieee80211_send_nullfunc+0x132/0x630 net/mac80211/mlme.c:1077
 ieee80211_mgd_probe_ap_send+0x6e7/0xa30 net/mac80211/mlme.c:2544
 ieee80211_mgd_probe_ap+0x4ee/0x6c0 net/mac80211/mlme.c:2620
 ieee80211_beacon_connection_loss_work+0x1a3/0x420 net/mac80211/mlme.c:2753
 process_one_work+0xdc7/0x1760 kernel/workqueue.c:2297
 worker_thread+0x1101/0x22b0 kernel/workqueue.c:2444
 kthread+0x66b/0x780 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* [PATCH] mac80211: track only QoS data frames for admission control
  2021-11-20 12:17 [syzbot] KMSAN: uninit-value in ieee80211_sta_tx_notify (2) syzbot
@ 2021-11-22 11:47 ` Johannes Berg
From: Johannes Berg @ 2021-11-22 11:47 UTC (permalink / raw)
  To: linux-wireless; +Cc: Johannes Berg, syzbot+614e82b88a1a4973e534

From: Johannes Berg <johannes.berg@intel.com>

For admission control, obviously all of that only works for
QoS data frames, otherwise we cannot even access the QoS
field in the header.

Syzbot reported (see below) an uninitialized value here due
to a status of a non-QoS nullfunc packet, which isn't even
long enough to contain the QoS header.

Fix this to only do anything for QoS data packets.

#syz: test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git master
Reported-by: syzbot+614e82b88a1a4973e534@syzkaller.appspotmail.com
Fixes: 02219b3abca5 ("mac80211: add WMM admission control support")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/mlme.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 54ab0e1ef6ca..37f7d975f3da 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2452,11 +2452,18 @@ static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
 					   u16 tx_time)
 {
 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
-	u16 tid = ieee80211_get_tid(hdr);
-	int ac = ieee80211_ac_from_tid(tid);
-	struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
+	u16 tid;
+	int ac;
+	struct ieee80211_sta_tx_tspec *tx_tspec;
 	unsigned long now = jiffies;
 
+	if (!ieee80211_is_data_qos(hdr->frame_control))
+		return;
+
+	tid = ieee80211_get_tid(hdr);
+	ac = ieee80211_ac_from_tid(tid);
+	tx_tspec = &ifmgd->tx_tspec[ac];
+
 	if (likely(!tx_tspec->admitted_time))
 		return;
 
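Review bot: the ieee80211_is_data_qos() guard is placed before ieee80211_get_tid(hdr), which is the right order, since that call is what reaches for the QoS control field a non-QoS frame (the nullfunc in the report) does not carry; a one-line comment above the `if` saying that admission control applies only to QoS data frames and that the QoS field does not exist otherwise would spare the next reader the trip to the changelog. One question on scope: ieee80211_is_data_qos() also passes QoS Null frames, which do carry a QoS control field (so the read is safe there); if "QoS data frames" in the subject is meant to exclude them from the admitted_time accounting, an explicit ieee80211_is_qos_nullfunc() exclusion would be needed, otherwise the subject could simply say "QoS frames".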
-- 
2.33.1


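The read the patch above guards against, as an added user-space model (example code, not from the kernel, the patch or syzbot). The frame-control constants, the TID-to-AC table and the helper names are reimplemented here from the 802.11 header layout and only echo the mac80211 ones; the poison byte that fills the buffer past the 24-byte header stands in for the uninitialised skb tailroom KMSAN flagged, and only 3-address frames are modelled. Both frames are constructed inline.

```c
/*
 * Added example, not code from the kernel, the patch or syzbot: a
 * user-space model of the read the patch guards against. The helpers
 * are reimplemented here from the 802.11 Frame Control layout and the
 * 802.1d TID-to-AC table; their names only echo the mac80211 ones.
 * Only 3-address frames are modelled (QoS Control at offset 24).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FCTL_FTYPE       0x000c   /* Frame Control bits, host order */
#define FCTL_TODS        0x0100
#define FTYPE_DATA       0x0008
#define STYPE_NULLFUNC   0x0040
#define STYPE_QOS_DATA   0x0080
#define QOS_CTL_TID_MASK 0x000f
#define HDR_LEN          24       /* 3-address header; QoS Control would follow it */
#define TAIL_POISON      0xA5     /* stands in for uninitialised memory (assumption) */

static uint16_t fc_of(const uint8_t *buf)
{
    return (uint16_t)(buf[0] | (buf[1] << 8));   /* little-endian on the air */
}

/* Data frame whose subtype has the QoS bit set (QoS Data or QoS Null). */
static int is_data_qos(uint16_t fc)
{
    return (fc & (FCTL_FTYPE | STYPE_QOS_DATA)) == (FTYPE_DATA | STYPE_QOS_DATA);
}

/* TID from QoS Control; for a non-QoS frame this reads past the header. */
static int tid_of(const uint8_t *buf)
{
    return buf[HDR_LEN] & QOS_CTL_TID_MASK;
}

/* 802.1d TID -> AC, with VO=0 VI=1 BE=2 BK=3. */
static int ac_from_tid(int tid)
{
    static const int map[8] = { 2, 3, 3, 2, 1, 1, 0, 0 };
    return map[tid & 7];
}

/* Before the patch: the TID is read regardless of frame type. */
static int ac_unchecked(const uint8_t *buf)
{
    return ac_from_tid(tid_of(buf));
}

/* After the patch: only frames that carry a QoS Control field are looked at. */
static int ac_checked(const uint8_t *buf)
{
    if (!is_data_qos(fc_of(buf)))
        return -1;                  /* not subject to admission control */
    return ac_from_tid(tid_of(buf));
}

static void put_fc(uint8_t *buf, uint16_t fc)
{
    buf[0] = (uint8_t)fc;
    buf[1] = (uint8_t)(fc >> 8);
}

/* Constructed non-QoS nullfunc: 24-byte header, poisoned bytes after it. */
int nullfunc_ac(int checked)
{
    uint8_t buf[32];
    memset(buf, TAIL_POISON, sizeof buf);
    memset(buf, 0, HDR_LEN);
    put_fc(buf, FTYPE_DATA | STYPE_NULLFUNC | FCTL_TODS);
    return checked ? ac_checked(buf) : ac_unchecked(buf);
}

/* Constructed QoS Data frame with the given TID in QoS Control. */
int qos_data_ac(int tid)
{
    uint8_t buf[32];
    memset(buf, 0, sizeof buf);
    put_fc(buf, FTYPE_DATA | STYPE_QOS_DATA | FCTL_TODS);
    buf[HDR_LEN] = (uint8_t)(tid & QOS_CTL_TID_MASK);
    return ac_checked(buf);
}

int main(void)
{
    printf("nullfunc, unchecked: AC %d (taken from poisoned tailroom)\n", nullfunc_ac(0));
    printf("nullfunc, checked:   %d (skipped)\n", nullfunc_ac(1));
    printf("QoS data, TID 6:     AC %d\n", qos_data_ac(6));
    return 0;
}
```

The unchecked path turns the poison byte into a plausible-looking access category, which is exactly why the kernel needs KMSAN rather than a crash to notice: the garbage value indexes a real tx_tspec slot and silently skews the admitted_time bookkeeping. The checked path returns before the offset-24 read for any frame whose Frame Control lacks the QoS subtype bit.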

* Re: [PATCH] mac80211: track only QoS data frames for admission control
  2021-11-22 11:47 ` [PATCH] mac80211: track only QoS data frames for admission control Johannes Berg
@ 2021-11-22 11:47   ` syzbot
From: syzbot @ 2021-11-22 11:47 UTC (permalink / raw)
  To: Johannes Berg; +Cc: johannes.berg, johannes, linux-wireless, syzkaller-bugs

> From: Johannes Berg <johannes.berg@intel.com>
>
> For admission control, obviously all of that only works for
> QoS data frames, otherwise we cannot even access the QoS
> field in the header.
>
> Syzbot reported (see below) an uninitialized value here due
> to a status of a non-QoS nullfunc packet, which isn't even
> long enough to contain the QoS header.
>
> Fix this to only do anything for QoS data packets.
>
> #syz: test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git master

This crash does not have a reproducer. I cannot test it.

> Reported-by: syzbot+614e82b88a1a4973e534@syzkaller.appspotmail.com
> Fixes: 02219b3abca5 ("mac80211: add WMM admission control support")
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
>  net/mac80211/mlme.c | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> index 54ab0e1ef6ca..37f7d975f3da 100644
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -2452,11 +2452,18 @@ static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
>  					   u16 tx_time)
>  {
>  	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
> -	u16 tid = ieee80211_get_tid(hdr);
> -	int ac = ieee80211_ac_from_tid(tid);
> -	struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
> +	u16 tid;
> +	int ac;
> +	struct ieee80211_sta_tx_tspec *tx_tspec;
>  	unsigned long now = jiffies;
>  
> +	if (!ieee80211_is_data_qos(hdr->frame_control))
> +		return;
> +
> +	tid = ieee80211_get_tid(hdr);
> +	ac = ieee80211_ac_from_tid(tid);
> +	tx_tspec = &ifmgd->tx_tspec[ac];
> +
>  	if (likely(!tx_tspec->admitted_time))
>  		return;
>  
> -- 
> 2.33.1
>

