* KMSAN: uninit-value in nci_rx_work
@ 2023-12-24 1:38 xingwei lee
2023-12-25 13:25 ` Krzysztof Kozlowski
0 siblings, 1 reply; 6+ messages in thread
From: xingwei lee @ 2023-12-24 1:38 UTC (permalink / raw
To: davem, Eric Dumazet, krzysztof.kozlowski, kuba, netdev, pabeni
Cc: horms, jeremy, linux-kernel
Hello I found a bug in net/nfc in the latest upstream mainline titled
KMSAN: uninit-value in nci_rx_work.
I aslo comfirmed in the latest net tree.
If you fix this issue, please add the following tag to the commit:
Reported-by: xingwei lee <xrivendell7@gmail.com>
kernel: net 7c5e046bdcb2513f9decb3765d8bf92d604279cf
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=4a65fa9f077ead01
with KMSAN enabled
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
=====================================================
BUG: KMSAN: uninit-value in nci_rx_work+0x31b/0x540 net/nfc/nci/core.c:1516
nci_rx_work+0x31b/0x540 net/nfc/nci/core.c:1516
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2700
worker_thread+0xeca/0x14d0 kernel/workqueue.c:2781
kthread+0x3d1/0x530 kernel/kthread.c:388
ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Uninit was stored to memory at:
nci_rx_work+0x314/0x540 net/nfc/nci/core.c:1516
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2700
worker_thread+0xeca/0x14d0 kernel/workqueue.c:2781
kthread+0x3d1/0x530 kernel/kthread.c:388
ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Uninit was created at:
slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
__alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1286 [inline]
virtual_ncidev_write+0x6d/0x280 drivers/nfc/virtual_ncidev.c:120
vfs_write+0x546/0x13f0 fs/read_write.c:582
ksys_write+0x1f3/0x4a0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x97/0xf0 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
CPU: 1 PID: 68 Comm: kworker/u8:4 Not tainted 6.7.0-rc6-00157-g7c5e046bdcb2 #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: nfc2_nci_rx_wq nci_rx_work
=====================================================
=* repro.c =*
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/futex.h>
#include <linux/genetlink.h>
#include <linux/if_addr.h>
#include <linux/if_link.h>
#include <linux/in6.h>
#include <linux/neighbour.h>
#include <linux/net.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/veth.h>
#include <net/if.h>
#include <netinet/in.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }
static uint64_t current_time_ms(void) {
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void thread_start(void* (*fn)(void*), void* arg) {
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
int state;
} event_t;
static void event_init(event_t* ev) { ev->state = 0; }
static void event_reset(event_t* ev) { ev->state = 0; }
static void event_set(event_t* ev) {
if (ev->state) exit(1);
__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}
static void event_wait(event_t* ev) {
while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}
static int event_isset(event_t* ev) {
return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}
static int event_timedwait(event_t* ev, uint64_t timeout) {
uint64_t start = current_time_ms();
uint64_t now = start;
for (;;) {
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1;
now = current_time_ms();
if (now - start > timeout) return 0;
}
}
static bool write_file(const char* file, const char* what, ...) {
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1) return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
struct nlmsg {
char* pos;
int nesting;
struct nlattr* nested[8];
char buf[4096];
};
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
const void* data, int size) {
memset(nlmsg, 0, sizeof(*nlmsg));
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
hdr->nlmsg_type = typ;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
memcpy(hdr + 1, data, size);
nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
int size) {
struct nlattr* attr = (struct nlattr*)nlmsg->pos;
attr->nla_len = sizeof(*attr) + size;
attr->nla_type = typ;
if (size > 0) memcpy(attr + 1, data, size);
nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
int* reply_len, bool dofail) {
if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1);
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
struct sockaddr_nl addr;
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
(struct sockaddr*)&addr, sizeof(addr));
if (n != (ssize_t)hdr->nlmsg_len) {
if (dofail) exit(1);
return -1;
}
n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
if (reply_len) *reply_len = 0;
if (n < 0) {
if (dofail) exit(1);
return -1;
}
if (n < (ssize_t)sizeof(struct nlmsghdr)) {
errno = EINVAL;
if (dofail) exit(1);
return -1;
}
if (hdr->nlmsg_type == NLMSG_DONE) return 0;
if (reply_len && hdr->nlmsg_type == reply_type) {
*reply_len = n;
return 0;
}
if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
errno = EINVAL;
if (dofail) exit(1);
return -1;
}
if (hdr->nlmsg_type != NLMSG_ERROR) {
errno = EINVAL;
if (dofail) exit(1);
return -1;
}
errno = -((struct nlmsgerr*)(hdr + 1))->error;
return -errno;
}
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
const char* family_name, bool dofail) {
struct genlmsghdr genlhdr;
memset(&genlhdr, 0, sizeof(genlhdr));
genlhdr.cmd = CTRL_CMD_GETFAMILY;
netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
strnlen(family_name, GENL_NAMSIZ - 1) + 1);
int n = 0;
int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
if (err < 0) {
return -1;
}
uint16_t id = 0;
struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN +
NLMSG_ALIGN(sizeof(genlhdr)));
for (; (char*)attr < nlmsg->buf + n;
attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
id = *(uint16_t*)(attr + 1);
break;
}
}
if (!id) {
errno = EINVAL;
return -1;
}
recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
return id;
}
const int kInitNetNsFd = 201;
static long syz_init_net_socket(volatile long domain, volatile long type,
volatile long proto) {
return syscall(__NR_socket, domain, type, proto);
}
static long syz_genetlink_get_family_id(volatile long name,
volatile long sock_arg) {
int fd = sock_arg;
if (fd < 0) {
fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
if (fd == -1) {
return -1;
}
}
struct nlmsg nlmsg_tmp;
int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
if ((int)sock_arg < 0) close(fd);
if (ret < 0) {
return -1;
}
return ret;
}
static void kill_and_wait(int pid, int* status) {
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent) break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test() {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg) {
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void) {
int i, call, thread;
for (call = 0; call < 6; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done)) continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void) {
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0) exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
sleep_ms(1);
if (current_time_ms() - start < 5000) continue;
kill_and_wait(pid, &status);
break;
}
}
}
uint64_t r[4] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0};
void execute_call(int call) {
intptr_t res = 0;
switch (call) {
case 0:
memcpy((void*)0x20000080, "/dev/virtual_nci\000", 17);
res = syscall(__NR_openat, /*fd=*/0xffffff9cul, /*file=*/0x20000080ul,
/*flags=*/2ul, /*mode=*/0ul);
if (res != -1) r[0] = res;
break;
case 1:
res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0, /*arg=*/0x200000c0ul);
if (res != -1) r[1] = *(uint32_t*)0x200000c0;
break;
case 2:
res = -1;
res = syz_init_net_socket(/*domain=*/0x10, /*type=*/3, /*proto=*/0x10);
if (res != -1) r[2] = res;
break;
case 3:
memcpy((void*)0x20000100, "nfc\000", 4);
res = -1;
res = syz_genetlink_get_family_id(/*name=*/0x20000100, /*fd=*/r[2]);
if (res != -1) r[3] = res;
break;
case 4:
*(uint64_t*)0x20000140 = 0;
*(uint32_t*)0x20000148 = 0;
*(uint64_t*)0x20000150 = 0x20000180;
*(uint64_t*)0x20000180 = 0x200001c0;
*(uint32_t*)0x200001c0 = 0x1c;
*(uint16_t*)0x200001c4 = r[3];
*(uint16_t*)0x200001c6 = 1;
*(uint32_t*)0x200001c8 = 0;
*(uint32_t*)0x200001cc = 0;
*(uint8_t*)0x200001d0 = 2;
*(uint8_t*)0x200001d1 = 0;
*(uint16_t*)0x200001d2 = 0;
*(uint16_t*)0x200001d4 = 8;
*(uint16_t*)0x200001d6 = 1;
*(uint32_t*)0x200001d8 = r[1];
*(uint64_t*)0x20000188 = 0x1c;
*(uint64_t*)0x20000158 = 1;
*(uint64_t*)0x20000160 = 0;
*(uint64_t*)0x20000168 = 0;
*(uint32_t*)0x20000170 = 0;
syscall(__NR_sendmsg, /*fd=*/r[2], /*msg=*/0x20000140ul, /*f=*/0ul);
break;
case 5:
syscall(__NR_write, /*fd=*/r[0], /*data=*/0ul, /*len=*/0ul);
break;
}
}
int main(void) {
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
loop();
return 0;
}
=* repro.txt =*
r0 = openat$nci(0xffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$IOCTL_GET_NCIDEV_IDX(r0, 0x0, &(0x7f00000000c0)=<r1=>0x0)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nfc(&(0x7f0000000100), r2)
sendmsg$NFC_CMD_DEV_UP(r2, &(0x7f0000000140)={0x0, 0x0,
&(0x7f0000000180)={&(0x7f00000001c0)={0x1c, r3, 0x1, 0x0, 0x0, {},
[@NFC_ATTR_DEVICE_INDEX={0x8, 0x1, r1}]}, 0x1c}}, 0x0)
write$nci(r0, 0x0, 0x0)
See aslo https://gist.github.com/xrivendell7/f5599f7a11ba954f23630a551909455b
I hope it helps.
Best regards.
xingwei Lee
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KMSAN: uninit-value in nci_rx_work
2023-12-24 1:38 KMSAN: uninit-value in nci_rx_work xingwei lee
@ 2023-12-25 13:25 ` Krzysztof Kozlowski
2023-12-25 13:54 ` xingwei lee
0 siblings, 1 reply; 6+ messages in thread
From: Krzysztof Kozlowski @ 2023-12-25 13:25 UTC (permalink / raw
To: xingwei lee, davem, Eric Dumazet, kuba, netdev, pabeni
Cc: horms, jeremy, linux-kernel
On 24/12/2023 02:38, xingwei lee wrote:
> Hello I found a bug in net/nfc in the latest upstream mainline titled
> KMSAN: uninit-value in nci_rx_work.
> I aslo comfirmed in the latest net tree.
>
> If you fix this issue, please add the following tag to the commit:
> Reported-by: xingwei lee <xrivendell7@gmail.com>
>
> kernel: net 7c5e046bdcb2513f9decb3765d8bf92d604279cf
> kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=4a65fa9f077ead01
Isn't this just syzkaller report? If it is not syzkaller report, then
your references are a bit confusing, so short explanation would be nice.
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KMSAN: uninit-value in nci_rx_work
2023-12-25 13:25 ` Krzysztof Kozlowski
@ 2023-12-25 13:54 ` xingwei lee
0 siblings, 0 replies; 6+ messages in thread
From: xingwei lee @ 2023-12-25 13:54 UTC (permalink / raw
To: Krzysztof Kozlowski
Cc: davem, Eric Dumazet, kuba, netdev, pabeni, horms, jeremy,
linux-kernel
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> 于2023年12月25日周一 21:25写道:
>
> On 24/12/2023 02:38, xingwei lee wrote:
> > Hello I found a bug in net/nfc in the latest upstream mainline titled
> > KMSAN: uninit-value in nci_rx_work.
> > I aslo comfirmed in the latest net tree.
> >
> > If you fix this issue, please add the following tag to the commit:
> > Reported-by: xingwei lee <xrivendell7@gmail.com>
> >
> > kernel: net 7c5e046bdcb2513f9decb3765d8bf92d604279cf
> > kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=4a65fa9f077ead01
>
Hi Krzysztof. Thanks for your prompt response!
> Isn't this just syzkaller report? If it is not syzkaller report, then
However, I'm really careful to check sybot and lkml to make sure that
my report is not duplicated. Can you provide specific information on
with syzbot dashboard or maybe this one is duplicated with another bug
that I do not notice?
> your references are a bit confusing, so short explanation would be nice.
>
> Best regards,
> Krzysztof
>
BTW, I'm doing some research on reproducing non-reproduction bugs on
syzbot. This one is another not on the dashboard but when I reproduced
and triggered it on the last net tree, I think it is still necessary
to report for helping fix it.
Merry Christmas~~~
Best regards
xingwei Lee
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KMSAN: uninit-value in nci_rx_work
[not found] <CAF+Nbmaes3th4TE693Ryo2QE1psuBvKnLxOvPsuKjYL0EbSNoA@mail.gmail.com>
@ 2024-06-23 20:14 ` syzbot
0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2024-06-23 20:14 UTC (permalink / raw
To: jain.abhinav177; +Cc: jain.abhinav177, syzkaller-bugs, linux-kernel
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
want either no args or 2 args (repo, branch), got 1
> 614da38e2f7a
>
> --- a/net/nfc/nci/core.c
> +++ b/net/nfc/nci/core.c
> @@ -1510,6 +1510,8 @@ static void nci_rx_work(struct work_struct *work)
> struct sk_buff *skb;
>
> for (; (skb = skb_dequeue(&ndev->rx_q)); kcov_remote_stop()) {
> + if (!skb)
> + return;
> kcov_remote_start_common(skb_get_kcov_handle(skb));
>
> /* Send copy to sniffer */
> --diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
> index b133dc55304c..507b92e4978c 100644
> --- a/net/nfc/nci/core.c
> +++ b/net/nfc/nci/core.c
> @@ -1510,6 +1510,8 @@ static void nci_rx_work(struct work_struct *work)
> struct sk_buff *skb;
>
> for (; (skb = skb_dequeue(&ndev->rx_q)); kcov_remote_stop()) {
> + if (!skb)
> + return;
> kcov_remote_start_common(skb_get_kcov_handle(skb));
>
> /* Send copy to sniffer */
> --
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KMSAN: uninit-value in nci_rx_work
[not found] <CAF+NbmYxG-PC9tTrwDV0uFwB+1Ubrbqut=ywk4JDKC2ATAaW=g@mail.gmail.com>
@ 2024-06-23 20:18 ` syzbot
0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2024-06-23 20:18 UTC (permalink / raw
To: jain.abhinav177; +Cc: jain.abhinav177, syzkaller-bugs, linux-kernel
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
want either no args or 2 args (repo, branch), got 1
> 614da38e2f7a
>
> --- a/net/nfc/nci/core.c
> +++ b/net/nfc/nci/core.c
> @@ -1510,6 +1510,8 @@ static void nci_rx_work(struct work_struct *work)
> struct sk_buff *skb;
>
> for (; (skb = skb_dequeue(&ndev->rx_q)); kcov_remote_stop()) {
> + if (!skb)
> + return;
> kcov_remote_start_common(skb_get_kcov_handle(skb));
>
> /* Send copy to sniffer */
> --
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KMSAN: uninit-value in nci_rx_work
[not found] <ae58eac2-003f-4d29-a228-ea9219ab24b8@gmail.com>
@ 2024-06-23 20:25 ` syzbot
0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2024-06-23 20:25 UTC (permalink / raw
To: jain.abhinav177; +Cc: jain.abhinav177, syzkaller-bugs, linux-kernel
> #syz
unknown command "testhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git"
> testhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> <https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git614da38e2f7a>614da38e2f7a
>
>
> --- a/net/nfc/nci/core.c
> +++ b/net/nfc/nci/core.c
> @@ -1510,6 +1510,8 @@ static void nci_rx_work(struct work_struct *work)
> struct sk_buff *skb;
>
> for (; (skb = skb_dequeue(&ndev->rx_q)); kcov_remote_stop()) {
> + if (!skb)
> + return;
> kcov_remote_start_common(skb_get_kcov_handle(skb));
>
> /* Send copy to sniffer */
> --
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-06-23 20:25 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-12-24 1:38 KMSAN: uninit-value in nci_rx_work xingwei lee
2023-12-25 13:25 ` Krzysztof Kozlowski
2023-12-25 13:54 ` xingwei lee
[not found] <CAF+Nbmaes3th4TE693Ryo2QE1psuBvKnLxOvPsuKjYL0EbSNoA@mail.gmail.com>
2024-06-23 20:14 ` syzbot
[not found] <CAF+NbmYxG-PC9tTrwDV0uFwB+1Ubrbqut=ywk4JDKC2ATAaW=g@mail.gmail.com>
2024-06-23 20:18 ` syzbot
[not found] <ae58eac2-003f-4d29-a228-ea9219ab24b8@gmail.com>
2024-06-23 20:25 ` syzbot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.