KMSAN: uninit-value in batadv_hard_if_event

KMSAN: uninit-value in batadv_hard_if_event

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit:    c2453450 kmsan: kcov: prettify the code unpoisoning area->..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10b0c06b600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3684f3c73f43899a
dashboard link: https://syzkaller.appspot.com/bug?extid=0183453ce4de8bdf9214
compiler:       clang version 9.0.0 (/home/glider/llvm/clang  
80fee25776c2fb61e74c1ecb1a523375c2500b69)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0183453ce4de8bdf9214@syzkaller.appspotmail.com

usb 1-1: config 0 has no interface number 0
usb 1-1: New USB device found, idVendor=0411, idProduct=0012,  
bcdDevice=56.5f
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
=====================================================
BUG: KMSAN: uninit-value in batadv_check_known_mac_addr  
net/batman-adv/hard-interface.c:511 [inline]
BUG: KMSAN: uninit-value in batadv_hardif_add_interface  
net/batman-adv/hard-interface.c:942 [inline]
BUG: KMSAN: uninit-value in batadv_hard_if_event+0x23c0/0x3260  
net/batman-adv/hard-interface.c:1032
CPU: 0 PID: 13223 Comm: kworker/0:3 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x191/0x1f0 lib/dump_stack.c:113
  kmsan_report+0x14a/0x2f0 mm/kmsan/kmsan_report.c:109
  __msan_warning+0x73/0xf0 mm/kmsan/kmsan_instr.c:245
  batadv_check_known_mac_addr net/batman-adv/hard-interface.c:511 [inline]
  batadv_hardif_add_interface net/batman-adv/hard-interface.c:942 [inline]
  batadv_hard_if_event+0x23c0/0x3260 net/batman-adv/hard-interface.c:1032
  notifier_call_chain kernel/notifier.c:95 [inline]
  __raw_notifier_call_chain kernel/notifier.c:396 [inline]
  raw_notifier_call_chain+0x13d/0x240 kernel/notifier.c:403
  call_netdevice_notifiers_info net/core/dev.c:1749 [inline]
  call_netdevice_notifiers_extack net/core/dev.c:1761 [inline]
  call_netdevice_notifiers net/core/dev.c:1775 [inline]
  register_netdevice+0x2126/0x26a0 net/core/dev.c:8810
  register_netdev+0x93/0xd0 net/core/dev.c:8901
  rtl8150_probe+0x11ef/0x14a0 drivers/net/usb/rtl8150.c:916
  usb_probe_interface+0xd19/0x1310 drivers/usb/core/driver.c:361
  really_probe+0xd91/0x1f90 drivers/base/dd.c:552
  driver_probe_device+0x1ba/0x510 drivers/base/dd.c:721
  __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:828
  bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:430
  __device_attach+0x489/0x750 drivers/base/dd.c:894
  device_initial_probe+0x4a/0x60 drivers/base/dd.c:941
  bus_probe_device+0x131/0x390 drivers/base/bus.c:490
  device_add+0x25b5/0x2df0 drivers/base/core.c:2201
  usb_set_configuration+0x309f/0x3710 drivers/usb/core/message.c:2027
  generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
  usb_probe_device+0x146/0x200 drivers/usb/core/driver.c:266
  really_probe+0xd91/0x1f90 drivers/base/dd.c:552
  driver_probe_device+0x1ba/0x510 drivers/base/dd.c:721
  __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:828
  bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:430
  __device_attach+0x489/0x750 drivers/base/dd.c:894
  device_initial_probe+0x4a/0x60 drivers/base/dd.c:941
  bus_probe_device+0x131/0x390 drivers/base/bus.c:490
  device_add+0x25b5/0x2df0 drivers/base/core.c:2201
  usb_new_device+0x23e5/0x2fb0 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5098 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x581d/0x72f0 drivers/usb/core/hub.c:5441
  process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
  worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
  kthread+0x4b5/0x4f0 kernel/kthread.c:256
  ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Uninit was stored to memory at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline]
  kmsan_internal_chain_origin+0xbd/0x170 mm/kmsan/kmsan.c:317
  kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:253
  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:273
  __msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
  set_ethernet_addr drivers/net/usb/rtl8150.c:282 [inline]
  rtl8150_probe+0x1143/0x14a0 drivers/net/usb/rtl8150.c:912
  usb_probe_interface+0xd19/0x1310 drivers/usb/core/driver.c:361
  really_probe+0xd91/0x1f90 drivers/base/dd.c:552
  driver_probe_device+0x1ba/0x510 drivers/base/dd.c:721
  __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:828
  bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:430
  __device_attach+0x489/0x750 drivers/base/dd.c:894
  device_initial_probe+0x4a/0x60 drivers/base/dd.c:941
  bus_probe_device+0x131/0x390 drivers/base/bus.c:490
  device_add+0x25b5/0x2df0 drivers/base/core.c:2201
  usb_set_configuration+0x309f/0x3710 drivers/usb/core/message.c:2027
  generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
  usb_probe_device+0x146/0x200 drivers/usb/core/driver.c:266
  really_probe+0xd91/0x1f90 drivers/base/dd.c:552
  driver_probe_device+0x1ba/0x510 drivers/base/dd.c:721
  __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:828
  bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:430
  __device_attach+0x489/0x750 drivers/base/dd.c:894
  device_initial_probe+0x4a/0x60 drivers/base/dd.c:941
  bus_probe_device+0x131/0x390 drivers/base/bus.c:490
  device_add+0x25b5/0x2df0 drivers/base/core.c:2201
  usb_new_device+0x23e5/0x2fb0 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5098 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x581d/0x72f0 drivers/usb/core/hub.c:5441
  process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
  worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
  kthread+0x4b5/0x4f0 kernel/kthread.c:256
  ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Local variable description: ----node_id.i@rtl8150_probe
Variable was created at:
  get_registers drivers/net/usb/rtl8150.c:911 [inline]
  set_ethernet_addr drivers/net/usb/rtl8150.c:281 [inline]
  rtl8150_probe+0xdc8/0x14a0 drivers/net/usb/rtl8150.c:912
  get_registers drivers/net/usb/rtl8150.c:911 [inline]
  set_ethernet_addr drivers/net/usb/rtl8150.c:281 [inline]
  rtl8150_probe+0xdc8/0x14a0 drivers/net/usb/rtl8150.c:912
=====================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Re: KMSAN: uninit-value in batadv_hard_if_event

[Sven Eckelmann]

[-- Attachment #1: Type: text/plain, Size: 2909 bytes --]

Hi,

not sure whether this is now a bug in batman-adv or in the rtl8150 driver. See 
my comments inline.

On Friday, 18 October 2019 16:12:08 CEST syzbot wrote:
[...]
> usb 1-1: config 0 has no interface number 0
> usb 1-1: New USB device found, idVendor=0411, idProduct=0012,  
> bcdDevice=56.5f
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> usb 1-1: config 0 descriptor??
> =====================================================
> BUG: KMSAN: uninit-value in batadv_check_known_mac_addr  
> net/batman-adv/hard-interface.c:511 [inline]
> BUG: KMSAN: uninit-value in batadv_hardif_add_interface  
> net/batman-adv/hard-interface.c:942 [inline]
> BUG: KMSAN: uninit-value in batadv_hard_if_event+0x23c0/0x3260  
> net/batman-adv/hard-interface.c:1032
> CPU: 0 PID: 13223 Comm: kworker/0:3 Not tainted 5.4.0-rc3+ #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x191/0x1f0 lib/dump_stack.c:113
>   kmsan_report+0x14a/0x2f0 mm/kmsan/kmsan_report.c:109
>   __msan_warning+0x73/0xf0 mm/kmsan/kmsan_instr.c:245
>   batadv_check_known_mac_addr net/batman-adv/hard-interface.c:511 [inline]
>   batadv_hardif_add_interface net/batman-adv/hard-interface.c:942 [inline]
>   batadv_hard_if_event+0x23c0/0x3260 net/batman-adv/hard-interface.c:1032
>   notifier_call_chain kernel/notifier.c:95 [inline]
[...]

The line in batman-adv is (batadv_check_known_mac_addr):

		if (!batadv_compare_eth(hard_iface->net_dev->dev_addr,
					net_dev->dev_addr))

So it goes through the list of ethernet interfaces (which are currently 
attached to a batadv interface) and compares it with the new device's MAC 
address. And it seems like the new device doesn't have the mac address part 
initialized yet.

Is this allowed in NETDEV_REGISTER/NETDEV_POST_TYPE_CHANGE?

> Uninit was stored to memory at:
>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline]
>   kmsan_internal_chain_origin+0xbd/0x170 mm/kmsan/kmsan.c:317
>   kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:253
>   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:273
>   __msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
>   set_ethernet_addr drivers/net/usb/rtl8150.c:282 [inline]
>   rtl8150_probe+0x1143/0x14a0 drivers/net/usb/rtl8150.c:912

This looks like it should store the mac address at this point.

    static inline void set_ethernet_addr(rtl8150_t * dev)
    {
    	u8 node_id[6];
    
    	get_registers(dev, IDR, sizeof(node_id), node_id);
    	memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
    }

But it seems more like get_registers failed and the uninitialized was still 
copied to the mac address. Thus causing the KMSAN error in batman-adv.

Is this interpretation of the KMSAN output correct or do I miss something?

Kind regards,
	Sven

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: KMSAN: uninit-value in batadv_hard_if_event

[Alexander Potapenko]

On Fri, Oct 18, 2019 at 4:32 PM Sven Eckelmann <sven@narfation.org> wrote:
>
> Hi,
>
> not sure whether this is now a bug in batman-adv or in the rtl8150 driver. See
> my comments inline.
>
> On Friday, 18 October 2019 16:12:08 CEST syzbot wrote:
> [...]
> > usb 1-1: config 0 has no interface number 0
> > usb 1-1: New USB device found, idVendor=0411, idProduct=0012,
> > bcdDevice=56.5f
> > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > usb 1-1: config 0 descriptor??
> > =====================================================
> > BUG: KMSAN: uninit-value in batadv_check_known_mac_addr
> > net/batman-adv/hard-interface.c:511 [inline]
> > BUG: KMSAN: uninit-value in batadv_hardif_add_interface
> > net/batman-adv/hard-interface.c:942 [inline]
> > BUG: KMSAN: uninit-value in batadv_hard_if_event+0x23c0/0x3260
> > net/batman-adv/hard-interface.c:1032
> > CPU: 0 PID: 13223 Comm: kworker/0:3 Not tainted 5.4.0-rc3+ #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> >   kmsan_report+0x14a/0x2f0 mm/kmsan/kmsan_report.c:109
> >   __msan_warning+0x73/0xf0 mm/kmsan/kmsan_instr.c:245
> >   batadv_check_known_mac_addr net/batman-adv/hard-interface.c:511 [inline]
> >   batadv_hardif_add_interface net/batman-adv/hard-interface.c:942 [inline]
> >   batadv_hard_if_event+0x23c0/0x3260 net/batman-adv/hard-interface.c:1032
> >   notifier_call_chain kernel/notifier.c:95 [inline]
> [...]
>
> The line in batman-adv is (batadv_check_known_mac_addr):
>
>                 if (!batadv_compare_eth(hard_iface->net_dev->dev_addr,
>                                         net_dev->dev_addr))
>
> So it goes through the list of ethernet interfaces (which are currently
> attached to a batadv interface) and compares it with the new device's MAC
> address. And it seems like the new device doesn't have the mac address part
> initialized yet.
>
> Is this allowed in NETDEV_REGISTER/NETDEV_POST_TYPE_CHANGE?
>
> > Uninit was stored to memory at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline]
> >   kmsan_internal_chain_origin+0xbd/0x170 mm/kmsan/kmsan.c:317
> >   kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:253
> >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:273
> >   __msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
> >   set_ethernet_addr drivers/net/usb/rtl8150.c:282 [inline]
> >   rtl8150_probe+0x1143/0x14a0 drivers/net/usb/rtl8150.c:912
>
> This looks like it should store the mac address at this point.
>
>     static inline void set_ethernet_addr(rtl8150_t * dev)
>     {
>         u8 node_id[6];
>
>         get_registers(dev, IDR, sizeof(node_id), node_id);
>         memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id));
>     }
>
> But it seems more like get_registers failed and the uninitialized was still
> copied to the mac address. Thus causing the KMSAN error in batman-adv.
Yes, most of such reports is usually because functions like
get_registers() fail or read 0 bytes.

> Is this interpretation of the KMSAN output correct or do I miss something?
>
> Kind regards,
>         Sven



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg