From patchwork Thu Mar 8 13:37:17 2018
X-Patchwork-Submitter: Alexander Potapenko
X-Patchwork-Id: 883153
X-Patchwork-Delegate: davem@davemloft.net
From: Alexander Potapenko
To: dvyukov@google.com, jasowang@redhat.com, mst@redhat.com
Cc: kvm@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH] vhost_net: initialize rx_ring in vhost_net_open()
Date: Thu, 8 Mar 2018 14:37:17 +0100
Message-Id: <20180308133717.149524-1-glider@google.com>

KMSAN reported a use of uninit memory in vhost_net_buf_unproduce()
while trying to access n->vqs[VHOST_NET_VQ_TX].rx_ring:

Signed-off-by: Michael S. Tsirkin

==================================================================
BUG: KMSAN: use of uninitialized memory in vhost_net_buf_unproduce+0x7bb/0x9a0 drivers/vhost/net.c:170
CPU: 0 PID: 3021 Comm: syz-fuzzer Not tainted 4.16.0-rc4+ #3853
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x1f0 mm/kmsan/kmsan.c:1093
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 vhost_net_buf_unproduce+0x7bb/0x9a0 drivers/vhost/net.c:170
 vhost_net_stop_vq drivers/vhost/net.c:974 [inline]
 vhost_net_stop+0x146/0x380 drivers/vhost/net.c:982
 vhost_net_release+0xb1/0x4f0 drivers/vhost/net.c:1015
 __fput+0x49f/0xa00 fs/file_table.c:209
 ____fput+0x37/0x40 fs/file_table.c:243
 task_work_run+0x243/0x2c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:166 [inline]
 prepare_exit_to_usermode+0x349/0x3b0 arch/x86/entry/common.c:196
 syscall_return_slowpath+0xf3/0x6d0 arch/x86/entry/common.c:265
 do_syscall_64+0x34d/0x450 arch/x86/entry/common.c:292
...
origin:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:303 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:213
 kmsan_kmalloc_large+0x6f/0xd0 mm/kmsan/kmsan.c:392
 kmalloc_large_node_hook mm/slub.c:1366 [inline]
 kmalloc_large_node mm/slub.c:3808 [inline]
 __kmalloc_node+0x100e/0x1290 mm/slub.c:3818
 kmalloc_node include/linux/slab.h:554 [inline]
 kvmalloc_node+0x1a5/0x2e0 mm/util.c:419
 kvmalloc include/linux/mm.h:541 [inline]
 vhost_net_open+0x64/0x5f0 drivers/vhost/net.c:921
 misc_open+0x7b5/0x8b0 drivers/char/misc.c:154
 chrdev_open+0xc28/0xd90 fs/char_dev.c:417
 do_dentry_open+0xccb/0x1430 fs/open.c:752
 vfs_open+0x272/0x2e0 fs/open.c:866
 do_last fs/namei.c:3378 [inline]
 path_openat+0x49ad/0x6580 fs/namei.c:3519
 do_filp_open+0x267/0x640 fs/namei.c:3553
 do_sys_open+0x6ad/0x9c0 fs/open.c:1059
 SYSC_openat+0xc7/0xe0 fs/open.c:1086
 SyS_openat+0x63/0x90 fs/open.c:1080
 do_syscall_64+0x2f1/0x450 arch/x86/entry/common.c:287
==================================================================

Signed-off-by: Alexander Potapenko
--- drivers/vhost/net.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index 610cba276d47..60f1080bffc7 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -948,6 +948,7 @@ static int vhost_net_open(struct inode *inode, struct file *f) n->vqs[i].done_idx = 0; n->vqs[i].vhost_hlen = 0; n->vqs[i].sock_hlen = 0; + n->vqs[i].rx_ring = NULL; vhost_net_buf_init(&n->vqs[i].rxq); } vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX);
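
Review bot: The added `n->vqs[i].rx_ring = NULL;` in the vhost_net_open() loop covers only the one member KMSAN happened to hit, while the origin trace shows the structure coming from kvmalloc() at drivers/vhost/net.c:921 with no zeroing, so any other per-virtqueue member not assigned in this loop (alongside done_idx, vhost_hlen and sock_hlen) would have the same problem if the release path reads it before a backend is set. Please audit the remaining members of the vq structure against this loop, or zero the allocation (for example with kvzalloc()) if the cost is acceptable for an object this size. The commit message should also say why rx_ring can reach vhost_net_buf_unproduce() without having been set, and carry a Fixes: tag naming the commit that introduced rx_ring so stable trees can pick the fix up.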