Re: KMSAN: uninit-value in __dev_mc_add

From: Vladis Dronov
Date: Thu Sep 27 2018 - 19:10:16 EST

Next message: Tetsuo Handa: "Re: Leaking Path in XFS's ioctl interface(missing LSM check)"
Previous message: Bart Van Assche: "Re: [PATCH] IB/mlx4: Avoid implicit enumerated type conversion"
In reply to: Eric Dumazet: "Re: KMSAN: uninit-value in __dev_mc_add"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello, Eric, all,

> I dunno, your patch looks quite not the right fix.

I agree, it looks more like a dirty hack. Unfortunately, I lack the deep
expertise in the network stack subsystem, so I've posted the patch to,
sort of, start a discussion and probably get some hints.

> If TUN is able to change dev->type, how comes it does not set the
> appropriate dev->addr_len at the same time ?

Well,... probably, nobody cared to do so:

[drivers/net/tun.c]
case TUNSETLINK:
...
tun->dev->type = (int) arg; //<--- that's all!
tun_debug(KERN_INFO, tun, "linktype set to %d\n",
tun->dev->type);
ret = 0;
}
break;

> Really the bug seems to be deeper, and without setting proper
> dev->addr_len, we'll need more 'fixes' like yours.

Absolutely. Unfortunately, I wasn't able to just write such deeper patch.
Let me share what I have found and let me hope to get an advise.

- So setting just the tun->dev->type makes the dev struct inconsistent.

- There are more field to adjust, at least dev->broadcast. Also, there are
a number of *_ops fields which are all set for the Ethernet type, most
probably they must be adjusted also.

- There is no get_addr_len_by_link_type() or a simple way to get link layer
properties by dev->type. Such settings are scattered in *_setup and
*_init functions, like ipgre_tunnel_init() { ... dev->addr_len = 4; ...}

Having these, I can imagine 2 ways for a proper fix.

1) Destroy the net_device in question and recreate it when changing a link
type. This way all the dev fields are set right. Create it in a similar way
as rtnl_newlink() does. Again, we do not have get_X_by_link_type(), so it
probably will be some large switch()/case:

$ grep '^#define ARPHRD_' include/uapi/linux/if_arp.h | wc -l
59

2) Leave tun an Ethernet device, add some tun->pretend_to_be_this_link_type
field and change only it on TUNSETLINK. And use this field in cases for which
TUNSETLINK was invented in the first place. Unfortunately, I do not have such
a list. The initial the commit ff4cc3ac93e1 says:

For use with
wireless and other networking types it should be possible to set the
ARP type via an ioctl.

Surely, there can be something else which I do not see. Could anyone suggest
an advice on this?

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Next message: Tetsuo Handa: "Re: Leaking Path in XFS's ioctl interface(missing LSM check)"
Previous message: Bart Van Assche: "Re: [PATCH] IB/mlx4: Avoid implicit enumerated type conversion"
In reply to: Eric Dumazet: "Re: KMSAN: uninit-value in __dev_mc_add"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]