Message ID | 20170714100329.105604-1-glider@google.com |
---|---|
State | Changes Requested, archived |
Delegated to: | David Miller |
From: Alexander Potapenko <glider@google.com>
Date: Fri, 14 Jul 2017 12:03:29 +0200

> v2: per comment from David Miller, make sure the whole iterator->length
> fits into the remaining buffer.

Please compile and functionally test your changes:

In file included from ./include/linux/compiler.h:58:0,
                 from ./include/uapi/linux/stddef.h:1,
                 from ./include/linux/stddef.h:4,
                 from ./include/uapi/linux/posix_types.h:4,
                 from ./include/uapi/linux/types.h:13,
                 from ./include/linux/types.h:5,
                 from net/sctp/sm_statefuns.c:48:
net/sctp/sm_statefuns.c: In function ‘sctp_sf_do_reconf’:
./include/net/sctp/sctp.h:472:24: error: unknown type name ‘sctp_paramhdr_t’
  (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
                    ^
On Fri, Jul 14, 2017 at 5:58 PM, David Miller <davem@davemloft.net> wrote:
> From: Alexander Potapenko <glider@google.com>
> Date: Fri, 14 Jul 2017 12:03:29 +0200
>
>> v2: per comment from David Miller, make sure the whole iterator->length
>> fits into the remaining buffer.
>
> Please compile and functionally test your changes:
>
> In file included from ./include/linux/compiler.h:58:0,
>                  from ./include/uapi/linux/stddef.h:1,
>                  from ./include/linux/stddef.h:4,
>                  from ./include/uapi/linux/posix_types.h:4,
>                  from ./include/uapi/linux/types.h:13,
>                  from ./include/linux/types.h:5,
>                  from net/sctp/sm_statefuns.c:48:
> net/sctp/sm_statefuns.c: In function ‘sctp_sf_do_reconf’:
> ./include/net/sctp/sctp.h:472:24: error: unknown type name ‘sctp_paramhdr_t’
>   (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
>                     ^
Oops. Fixed.
From: Alexander Potapenko <glider@google.com>
Date: Fri, 14 Jul 2017 18:33:01 +0200

> On Fri, Jul 14, 2017 at 5:58 PM, David Miller <davem@davemloft.net> wrote:
>> From: Alexander Potapenko <glider@google.com>
>> Date: Fri, 14 Jul 2017 12:03:29 +0200
>>
>>> v2: per comment from David Miller, make sure the whole iterator->length
>>> fits into the remaining buffer.
>>
>> Please compile and functionally test your changes:
>>
>> In file included from ./include/linux/compiler.h:58:0,
>>                  from ./include/uapi/linux/stddef.h:1,
>>                  from ./include/linux/stddef.h:4,
>>                  from ./include/uapi/linux/posix_types.h:4,
>>                  from ./include/uapi/linux/types.h:13,
>>                  from ./include/linux/types.h:5,
>>                  from net/sctp/sm_statefuns.c:48:
>> net/sctp/sm_statefuns.c: In function ‘sctp_sf_do_reconf’:
>> ./include/net/sctp/sctp.h:472:24: error: unknown type name ‘sctp_paramhdr_t’
>>   (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
>>                     ^
> Oops. Fixed.

Did you functionally test the new version or just do a quick compile
check and resubmit?

I really want you to test this if the logic has been changed.
On Fri, Jul 14, 2017 at 7:23 PM, David Miller <davem@davemloft.net> wrote:
> From: Alexander Potapenko <glider@google.com>
> Date: Fri, 14 Jul 2017 18:33:01 +0200
>
>> On Fri, Jul 14, 2017 at 5:58 PM, David Miller <davem@davemloft.net> wrote:
>>> From: Alexander Potapenko <glider@google.com>
>>> Date: Fri, 14 Jul 2017 12:03:29 +0200
>>>
>>>> v2: per comment from David Miller, make sure the whole iterator->length
>>>> fits into the remaining buffer.
>>>
>>> Please compile and functionally test your changes:
>>>
>>> In file included from ./include/linux/compiler.h:58:0,
>>>                  from ./include/uapi/linux/stddef.h:1,
>>>                  from ./include/linux/stddef.h:4,
>>>                  from ./include/uapi/linux/posix_types.h:4,
>>>                  from ./include/uapi/linux/types.h:13,
>>>                  from ./include/linux/types.h:5,
>>>                  from net/sctp/sm_statefuns.c:48:
>>> net/sctp/sm_statefuns.c: In function ‘sctp_sf_do_reconf’:
>>> ./include/net/sctp/sctp.h:472:24: error: unknown type name ‘sctp_paramhdr_t’
>>>   (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
>>>                     ^
>> Oops. Fixed.
>
> Did you functionally test the new version or just do a quick compile
> check and resubmit?
I've checked that the kernel still works, but unfortunately I couldn't
check whether or not this affected the uninit memory, as KMSAN
currently works on a fixed kernel revision. The compilation error was
actually caused by me failing to test the kernel when porting the fix
from that revision to upstream.

> I really want you to test this if the logic has been changed.
Do you mean any specific tests in addition to, say, running the
reproducer on which the uninit use was reported?

Thanks
From: Alexander Potapenko <glider@google.com>
Date: Fri, 14 Jul 2017 19:33:54 +0200

> On Fri, Jul 14, 2017 at 7:23 PM, David Miller <davem@davemloft.net> wrote:
>> From: Alexander Potapenko <glider@google.com>
>> Date: Fri, 14 Jul 2017 18:33:01 +0200
>>
>>> On Fri, Jul 14, 2017 at 5:58 PM, David Miller <davem@davemloft.net> wrote:
>>>> From: Alexander Potapenko <glider@google.com>
>>>> Date: Fri, 14 Jul 2017 12:03:29 +0200
>>>>
>>>>> v2: per comment from David Miller, make sure the whole iterator->length
>>>>> fits into the remaining buffer.
>>>>
>>>> Please compile and functionally test your changes:
>>>>
>>>> In file included from ./include/linux/compiler.h:58:0,
>>>>                  from ./include/uapi/linux/stddef.h:1,
>>>>                  from ./include/linux/stddef.h:4,
>>>>                  from ./include/uapi/linux/posix_types.h:4,
>>>>                  from ./include/uapi/linux/types.h:13,
>>>>                  from ./include/linux/types.h:5,
>>>>                  from net/sctp/sm_statefuns.c:48:
>>>> net/sctp/sm_statefuns.c: In function ‘sctp_sf_do_reconf’:
>>>> ./include/net/sctp/sctp.h:472:24: error: unknown type name ‘sctp_paramhdr_t’
>>>>   (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
>>>>                     ^
>>> Oops. Fixed.
>>
>> Did you functionally test the new version or just do a quick compile
>> check and resubmit?
> I've checked that the kernel still works, but unfortunately I couldn't
> check whether or not this affected the uninit memory, as KMSAN
> currently works on a fixed kernel revision. The compilation error was
> actually caused by me failing to test the kernel when porting the fix
> from that revision to upstream.
>
>> I really want you to test this if the logic has been changed.
> Do you mean any specific tests in addition to, say, running the
> reproducer on which the uninit use was reported?

I mean the reproducer.
Hi Alexander,

[auto build test ERROR on net-next/master]
[also build test ERROR on next-20170714]
[cannot apply to v4.12]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Alexander-Potapenko/sctp-don-t-dereference-ptr-before-leaving-_sctp_walk_-params-errors/20170715-013318
config: x86_64-rhel (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64

All error/warnings (new ones prefixed by >>):

   In file included from include/linux/compiler.h:58:0,
                    from include/uapi/linux/stddef.h:1,
                    from include/linux/stddef.h:4,
                    from include/uapi/linux/posix_types.h:4,
                    from include/uapi/linux/types.h:13,
                    from include/linux/types.h:5,
                    from net/sctp/sm_statefuns.c:48:
   net/sctp/sm_statefuns.c: In function 'sctp_sf_do_reconf':
>> include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t'
      (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
                        ^
   include/linux/compiler-gcc.h:161:21: note: in definition of macro '__compiler_offsetof'
     __builtin_offsetof(a, b)
                        ^
>> include/net/sctp/sctp.h:472:15: note: in expansion of macro 'offsetof'
      (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
               ^~~~~~~~
>> include/net/sctp/sctp.h:468:1: note: in expansion of macro '_sctp_walk_params'
     _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)
     ^~~~~~~~~~~~~~~~~
>> net/sctp/sm_statefuns.c:3871:2: note: in expansion of macro 'sctp_walk_params'
     sctp_walk_params(param, hdr, params) {
     ^~~~~~~~~~~~~~~~
--
   net/sctp/sm_make_chunk.c: In function 'sctp_verify_init':
>> include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t'
>> net/sctp/sm_make_chunk.c:2262:2: note: in expansion of macro 'sctp_walk_params'
     sctp_walk_params(param, peer_init, init_hdr.params) {
     ^~~~~~~~~~~~~~~~
>> include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t'
   net/sctp/sm_make_chunk.c:2285:2: note: in expansion of macro 'sctp_walk_params'
     sctp_walk_params(param, peer_init, init_hdr.params) {
     ^~~~~~~~~~~~~~~~
   net/sctp/sm_make_chunk.c: In function 'sctp_process_init':
>> include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t'
   net/sctp/sm_make_chunk.c:2338:2: note: in expansion of macro 'sctp_walk_params'
     sctp_walk_params(param, peer_init, init_hdr.params) {
     ^~~~~~~~~~~~~~~~
   net/sctp/sm_make_chunk.c: In function 'sctp_verify_asconf':
>> include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t'
   net/sctp/sm_make_chunk.c:3148:2: note: in expansion of macro 'sctp_walk_params'
     sctp_walk_params(param, addip, addip_hdr.params) {
     ^~~~~~~~~~~~~~~~
   net/sctp/sm_make_chunk.c: In function 'sctp_process_asconf':
>> include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t'
   net/sctp/sm_make_chunk.c:3248:2: note: in expansion of macro 'sctp_walk_params'
     sctp_walk_params(param, addip, addip_hdr.params) {
     ^~~~~~~~~~~~~~~~
   net/sctp/sm_make_chunk.c: In function 'sctp_verify_reconf':
>> include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t'
   net/sctp/sm_make_chunk.c:3800:2: note: in expansion of macro 'sctp_walk_params'
     sctp_walk_params(param, hdr, params) {
     ^~~~~~~~~~~~~~~~
--
   net/sctp/input.c: In function '__sctp_rcv_init_lookup':
>> include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t'
>> net/sctp/input.c:1076:2: note: in expansion of macro 'sctp_walk_params'
     sctp_walk_params(params, init, init_hdr.params) {
     ^~~~~~~~~~~~~~~~
--
   net/sctp/stream.c: In function 'sctp_chunk_lookup_strreset_param':
>> include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t'
>> net/sctp/stream.c:319:2: note: in expansion of macro 'sctp_walk_params'
     sctp_walk_params(param, hdr, params) {
     ^~~~~~~~~~~~~~~~

vim +/sctp_paramhdr_t +472 include/net/sctp/sctp.h

   461
   462  /* Walk through a list of TLV parameters.  Don't trust the
   463   * individual parameter lengths and instead depend on
   464   * the chunk length to indicate when to stop.  Make sure
   465   * there is room for a param header too.
   466   */
   467  #define sctp_walk_params(pos, chunk, member)\
 > 468  _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)
   469
   470  #define _sctp_walk_params(pos, chunk, end, member)\
   471  for (pos.v = chunk->member;\
 > 472       (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
   473        (void *)chunk + end) &&\
   474       pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
   475       ntohs(pos.p->length) >= sizeof(struct sctp_paramhdr);\
   476       pos.v += SCTP_PAD4(ntohs(pos.p->length)))
   477

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
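The loop condition of the _sctp_walk_params excerpt above, modelled in user space as an added example (editor's code, not the kernel's and not part of this thread): the hardened walk applies the macro's three clauses in the macro's order, and a replay of the pre-patch condition, assumed here to be the last two clauses alone, reports the offset at which it would have read pos.p->length past the end of the chunk. The first clause is written with <= rather than the < of the v2 excerpt, since a header whose length field ends exactly at the chunk boundary is still wholly inside it; the parameter bytes are constructed.

```c
/* Added example, not the kernel's own code: a user-space model of the loop
 * condition in the _sctp_walk_params() macro quoted in the kbuild report
 * above, run over a constructed parameter list. Layout follows the SCTP
 * TLV wire format: 16-bit type, 16-bit length including the 4-byte header,
 * value padded to a multiple of 4. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct sctp_paramhdr {
    uint16_t type;
    uint16_t length;
};

#define SCTP_PAD4(n) (((n) + 3u) & ~3u)

/* Offset just past the length field of a header starting at 'off'; the
 * same pos.v + offsetof(length) + sizeof(length) term as in the macro. */
#define LENGTH_FIELD_END(off) ((off) + offsetof(struct sctp_paramhdr, length) \
                               + sizeof(((struct sctp_paramhdr *)0)->length))

/* Unaligned big-endian 16-bit read, standing in for ntohs(pos.p->length). */
static uint16_t be16_at(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

typedef void (*param_cb)(uint16_t type, uint16_t length, const uint8_t *value,
                         void *ctx);

/* Hardened walk over 'end' bytes of parameters at 'chunk'. The clauses are
 * those of the patched macro, in the same order:
 *  1. the header's whole length field lies inside the chunk, so reading it
 *     is safe (the clause the patch adds; '<=' is the tight bound, the v2
 *     excerpt on this page writes it as '<');
 *  2. the parameter, as long as its length field claims, fits in the chunk;
 *  3. the length is at least the header size, so the walk always advances.
 * cb() may be NULL. Returns the number of parameters accepted. */
static size_t walk_params_safe(const uint8_t *chunk, size_t end, param_cb cb,
                               void *ctx)
{
    size_t pos = 0, count = 0;
    while (LENGTH_FIELD_END(pos) <= end) {                            /* 1 */
        uint16_t len = be16_at(chunk + pos + offsetof(struct sctp_paramhdr, length));
        if (len > end - pos)                                          /* 2 */
            break;
        if (len < sizeof(struct sctp_paramhdr))                       /* 3 */
            break;
        if (cb)
            cb(be16_at(chunk + pos), len, chunk + pos + sizeof(struct sctp_paramhdr), ctx);
        count++;
        pos += SCTP_PAD4(len);
    }
    return count;
}

/* Model of the loop before the patch, taken here to be clauses 2 and 3 alone
 * (the patch title says pos was dereferenced before the loop was left).
 * Instead of dereferencing, replay the iteration and return the offset of
 * the first length-field read that falls past 'end', or -1 if the old
 * condition would have stopped without one. */
static long old_walk_first_oob_read(const uint8_t *chunk, size_t end)
{
    size_t pos = 0;
    for (;;) {
        if (LENGTH_FIELD_END(pos) > end)
            return (long)pos;           /* old code reads pos.p->length here */
        uint16_t len = be16_at(chunk + pos + offsetof(struct sctp_paramhdr, length));
        if (len > end - pos || len < sizeof(struct sctp_paramhdr))
            return -1;
        pos += SCTP_PAD4(len);
    }
}

/* Constructed sample: Supported Address Types (type 12, length 6, padded to
 * 8 bytes) followed by Forward-TSN-Supported (type 0xC000, length 4). */
static const uint8_t SAMPLE_PARAMS[12] = {
    0x00, 0x0C, 0x00, 0x06, 0x00, 0x05, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x04 };
/* Same bytes with the first length field forged to 40 (0x28). */
static const uint8_t OVERLONG_PARAMS[12] = {
    0x00, 0x0C, 0x00, 0x28, 0x00, 0x05, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x04 };
/* A zero-length header: without clause 3 the walk would never advance. */
static const uint8_t ZERO_LEN_PARAMS[8] = { 0x00, 0x0C, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    /* Well-formed chunk: both params accepted, yet the old loop would still
     * read a length field at offset 12, i.e. just past the chunk. */
    printf("well-formed: %zu params accepted, old loop reads at offset %ld\n",
           walk_params_safe(SAMPLE_PARAMS, 12, NULL, NULL),
           old_walk_first_oob_read(SAMPLE_PARAMS, 12));
    printf("cut to 10 bytes: %zu accepted, old loop reads at offset %ld\n",
           walk_params_safe(SAMPLE_PARAMS, 10, NULL, NULL),
           old_walk_first_oob_read(SAMPLE_PARAMS, 10));
    printf("forged length: %zu accepted; zero length: %zu accepted\n",
           walk_params_safe(OVERLONG_PARAMS, 12, NULL, NULL),
           walk_params_safe(ZERO_LEN_PARAMS, 8, NULL, NULL));
    return 0;
}
```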
Hi Alexander,

[auto build test WARNING on net-next/master]
[also build test WARNING on next-20170714]
[cannot apply to v4.12]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Alexander-Potapenko/sctp-don-t-dereference-ptr-before-leaving-_sctp_walk_-params-errors/20170715-013318
reproduce:
        # apt-get install sparse
        make ARCH=x86_64 allmodconfig
        make C=1 CF=-D__CHECK_ENDIAN__

sparse warnings: (new ones prefixed by >>)

   include/linux/compiler.h:260:8: sparse: attribute 'no_sanitize_address': unknown attribute
   net/sctp/sm_statefuns.c:3871:9: sparse: Expected , in __builtin_offset
   net/sctp/sm_statefuns.c:3871:9: sparse: got sctp_paramhdr_t
>> builtin:0:0: sparse: No right hand side of '+'-expression
   net/sctp/sm_statefuns.c:3871:9: sparse: Expected ) in 'for'
   net/sctp/sm_statefuns.c:3871:9: sparse: got ;
   net/sctp/sm_statefuns.c:3871:9: sparse: Expected ; at end of statement
   net/sctp/sm_statefuns.c:3871:9: sparse: got )
>> net/sctp/sm_statefuns.c:4025:9: sparse: too many errors
--
   include/linux/compiler.h:260:8: sparse: attribute 'no_sanitize_address': unknown attribute
   net/sctp/sm_make_chunk.c:2262:9: sparse: Expected , in __builtin_offset
   net/sctp/sm_make_chunk.c:2262:9: sparse: got sctp_paramhdr_t
>> builtin:0:0: sparse: No right hand side of '+'-expression
   net/sctp/sm_make_chunk.c:2262:9: sparse: Expected ) in 'for'
   net/sctp/sm_make_chunk.c:2262:9: sparse: got ;
   net/sctp/sm_make_chunk.c:2262:9: sparse: Expected ; at end of statement
   net/sctp/sm_make_chunk.c:2262:9: sparse: got )
sparse: got -> net/sctp/sm_make_chunk.c:2400:13: sparse: Expected ; at end of declaration net/sctp/sm_make_chunk.c:2400:13: sparse: got -> net/sctp/sm_make_chunk.c:2405:17: sparse: Expected ) in function declarator net/sctp/sm_make_chunk.c:2405:17: sparse: got -> net/sctp/sm_make_chunk.c:2405:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/sm_make_chunk.c:2409:9: sparse: Expected ; at the end of type declaration net/sctp/sm_make_chunk.c:2409:9: sparse: got } net/sctp/sm_make_chunk.c:2415:9: sparse: Expected ; at the end of type declaration net/sctp/sm_make_chunk.c:2415:9: sparse: got } net/sctp/sm_make_chunk.c:2421:13: sparse: Expected ; at end of declaration net/sctp/sm_make_chunk.c:2421:13: sparse: got -> net/sctp/sm_make_chunk.c:2425:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/sm_make_chunk.c:2435:9: sparse: too many errors In file included from include/linux/compiler.h:58:0, from arch/x86/include/asm/atomic.h:4, from include/linux/atomic.h:4, from include/linux/crypto.h:20, from include/crypto/hash.h:16, from net/sctp/sm_make_chunk.c:48: net/sctp/sm_make_chunk.c: In function 'sctp_verify_init': include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^ include/linux/compiler-gcc.h:161:21: note: in definition of macro '__compiler_offsetof' __builtin_offsetof(a, b) ^ include/net/sctp/sctp.h:472:15: note: in expansion of macro 'offsetof' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^~~~~~~~ include/net/sctp/sctp.h:468:1: note: in expansion of macro '_sctp_walk_params' _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) ^~~~~~~~~~~~~~~~~ net/sctp/sm_make_chunk.c:2262:2: note: in expansion of macro 'sctp_walk_params' sctp_walk_params(param, peer_init, init_hdr.params) { ^~~~~~~~~~~~~~~~ include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t' (pos.v + 
offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^ include/linux/compiler-gcc.h:161:21: note: in definition of macro '__compiler_offsetof' __builtin_offsetof(a, b) ^ include/net/sctp/sctp.h:472:15: note: in expansion of macro 'offsetof' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^~~~~~~~ include/net/sctp/sctp.h:468:1: note: in expansion of macro '_sctp_walk_params' _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) ^~~~~~~~~~~~~~~~~ net/sctp/sm_make_chunk.c:2285:2: note: in expansion of macro 'sctp_walk_params' sctp_walk_params(param, peer_init, init_hdr.params) { ^~~~~~~~~~~~~~~~ net/sctp/sm_make_chunk.c: In function 'sctp_process_init': include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^ include/linux/compiler-gcc.h:161:21: note: in definition of macro '__compiler_offsetof' __builtin_offsetof(a, b) ^ include/net/sctp/sctp.h:472:15: note: in expansion of macro 'offsetof' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^~~~~~~~ include/net/sctp/sctp.h:468:1: note: in expansion of macro '_sctp_walk_params' _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) ^~~~~~~~~~~~~~~~~ net/sctp/sm_make_chunk.c:2338:2: note: in expansion of macro 'sctp_walk_params' sctp_walk_params(param, peer_init, init_hdr.params) { ^~~~~~~~~~~~~~~~ net/sctp/sm_make_chunk.c: In function 'sctp_verify_asconf': include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^ include/linux/compiler-gcc.h:161:21: note: in definition of macro '__compiler_offsetof' __builtin_offsetof(a, b) ^ include/net/sctp/sctp.h:472:15: note: in expansion of macro 'offsetof' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^~~~~~~~ include/net/sctp/sctp.h:468:1: note: in expansion of macro '_sctp_walk_params' 
_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) ^~~~~~~~~~~~~~~~~ net/sctp/sm_make_chunk.c:3148:2: note: in expansion of macro 'sctp_walk_params' sctp_walk_params(param, addip, addip_hdr.params) { ^~~~~~~~~~~~~~~~ net/sctp/sm_make_chunk.c: In function 'sctp_process_asconf': include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ -- include/linux/compiler.h:260:8: sparse: attribute 'no_sanitize_address': unknown attribute net/sctp/input.c:1076:9: sparse: Expected , in __builtin_offset net/sctp/input.c:1076:9: sparse: got sctp_paramhdr_t >> builtin:0:0: sparse: No right hand side of '+'-expression net/sctp/input.c:1076:9: sparse: Expected ) in 'for' net/sctp/input.c:1076:9: sparse: got ; net/sctp/input.c:1076:9: sparse: Expected ; at end of statement net/sctp/input.c:1076:9: sparse: got ) >> net/sctp/input.c:1081:25: sparse: break/continue not in iterator scope net/sctp/input.c:1090:16: sparse: Expected ) in function declarator net/sctp/input.c:1090:16: sparse: got ( >> net/sctp/input.c:1090:9: sparse: Trying to use reserved word 'return' as identifier net/sctp/input.c:1091:1: sparse: Expected ; at the end of type declaration net/sctp/input.c:1091:1: sparse: got } net/sctp/input.c:1123:13: sparse: Expected ) in function declarator net/sctp/input.c:1123:13: sparse: got ( >> net/sctp/input.c:1123:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1126:11: sparse: Expected ; at end of declaration net/sctp/input.c:1126:11: sparse: got -> net/sctp/input.c:1128:9: sparse: Trying to use reserved word 'return' as identifier net/sctp/input.c:1128:16: sparse: Expected ; at end of declaration net/sctp/input.c:1128:16: sparse: got __sctp_lookup_association net/sctp/input.c:1129:1: sparse: Expected ; at the end of type declaration net/sctp/input.c:1129:1: sparse: got } >> net/sctp/input.c:1156:9: sparse: Trying to use reserved word 'do' as 
identifier net/sctp/input.c:1156:12: sparse: Expected ; at end of declaration net/sctp/input.c:1156:12: sparse: got { net/sctp/input.c:1162:28: sparse: Expected ) in function declarator net/sctp/input.c:1162:28: sparse: got > net/sctp/input.c:1162:17: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1165:27: sparse: Expected ) in function declarator net/sctp/input.c:1165:27: sparse: got -> >> net/sctp/input.c:1165:17: sparse: Trying to use reserved word 'switch' as identifier >> net/sctp/input.c:1168:25: sparse: Trying to use reserved word 'break' as identifier >> net/sctp/input.c:1170:17: sparse: Trying to use reserved word 'case' as identifier net/sctp/input.c:1170:22: sparse: Expected ; at end of declaration net/sctp/input.c:1170:22: sparse: got SCTP_CID_COOKIE_ECHO net/sctp/input.c:1180:25: sparse: Trying to use reserved word 'break' as identifier net/sctp/input.c:1182:17: sparse: Trying to use reserved word 'case' as identifier net/sctp/input.c:1182:22: sparse: Expected ; at end of declaration net/sctp/input.c:1182:22: sparse: got SCTP_CID_ASCONF >> net/sctp/input.c:1188:17: sparse: Trying to use reserved word 'default' as identifier net/sctp/input.c:1188:24: sparse: Expected ; at end of declaration net/sctp/input.c:1188:24: sparse: got : net/sctp/input.c:1190:17: sparse: Expected ; at the end of type declaration net/sctp/input.c:1190:17: sparse: got } net/sctp/input.c:1196:26: sparse: Expected ; at end of declaration net/sctp/input.c:1196:26: sparse: got ++ net/sctp/input.c:1197:9: sparse: Expected ; at the end of type declaration net/sctp/input.c:1197:9: sparse: got } net/sctp/input.c:1199:9: sparse: Trying to use reserved word 'return' as identifier net/sctp/input.c:1199:16: sparse: Expected ; at end of declaration net/sctp/input.c:1199:16: sparse: got asoc net/sctp/input.c:1200:1: sparse: Expected ; at the end of type declaration net/sctp/input.c:1200:1: sparse: got } net/sctp/input.c:1220:13: sparse: Expected ) in function 
declarator net/sctp/input.c:1220:13: sparse: got ( net/sctp/input.c:1220:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1230:13: sparse: Expected ) in function declarator net/sctp/input.c:1230:13: sparse: got ( net/sctp/input.c:1230:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1234:15: sparse: Expected ) in function declarator net/sctp/input.c:1234:15: sparse: got -> net/sctp/input.c:1234:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1237:9: sparse: Trying to use reserved word 'return' as identifier net/sctp/input.c:1237:16: sparse: Expected ; at end of declaration net/sctp/input.c:1237:16: sparse: got __sctp_rcv_walk_lookup net/sctp/input.c:1238:1: sparse: Expected ; at the end of type declaration net/sctp/input.c:1238:1: sparse: got } net/sctp/input.c:1250:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1251:17: sparse: Expected ; at end of declaration net/sctp/input.c:1251:17: sparse: got goto net/sctp/input.c:1258:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1259:17: sparse: Expected ; at end of declaration net/sctp/input.c:1259:17: sparse: got goto net/sctp/input.c:1261:18: sparse: Expected ) in function declarator net/sctp/input.c:1261:18: sparse: got -> net/sctp/input.c:1261:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1262:17: sparse: Expected ) in function declarator net/sctp/input.c:1262:17: sparse: got ( net/sctp/input.c:1262:17: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1262:17: sparse: Expected ) in function declarator net/sctp/input.c:1262:17: sparse: got ( net/sctp/input.c:1262:17: sparse: Trying to use reserved word 'if' as identifier >> net/sctp/input.c:1262:17: sparse: Trying to use reserved word 'else' as identifier net/sctp/input.c:1262:17: sparse: Expected ; at end of declaration net/sctp/input.c:1262:17: sparse: got if >> 
net/sctp/input.c:1262:17: sparse: Trying to use reserved word 'else' as identifier net/sctp/input.c:1262:17: sparse: Expected ; at end of declaration net/sctp/input.c:1262:17: sparse: got branch net/sctp/input.c:1262:17: sparse: Expected ; at the end of type declaration net/sctp/input.c:1262:17: sparse: got } net/sctp/input.c:1262:17: sparse: Expected ; at the end of type declaration net/sctp/input.c:1262:17: sparse: got } net/sctp/input.c:1265:9: sparse: Trying to use reserved word 'else' as identifier net/sctp/input.c:1266:17: sparse: Expected ; at end of declaration net/sctp/input.c:1266:17: sparse: got do net/sctp/input.c:1266:17: sparse: Expected ) in function declarator net/sctp/input.c:1266:17: sparse: got ( net/sctp/input.c:1266:17: sparse: Trying to use reserved word 'if' as identifier net/sctp/input.c:1266:17: sparse: Expected ) in function declarator >> net/sctp/input.c:1266:17: sparse: too many errors In file included from include/linux/compiler.h:58:0, from include/uapi/linux/stddef.h:1, from include/linux/stddef.h:4, from include/uapi/linux/posix_types.h:4, from include/uapi/linux/types.h:13, from include/linux/types.h:5, from net/sctp/input.c:44: net/sctp/input.c: In function '__sctp_rcv_init_lookup': include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^ include/linux/compiler-gcc.h:161:21: note: in definition of macro '__compiler_offsetof' __builtin_offsetof(a, b) ^ include/net/sctp/sctp.h:472:15: note: in expansion of macro 'offsetof' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^~~~~~~~ include/net/sctp/sctp.h:468:1: note: in expansion of macro '_sctp_walk_params' _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) ^~~~~~~~~~~~~~~~~ net/sctp/input.c:1076:2: note: in expansion of macro 'sctp_walk_params' sctp_walk_params(params, init, init_hdr.params) { ^~~~~~~~~~~~~~~~ -- include/linux/compiler.h:260:8: 
sparse: attribute 'no_sanitize_address': unknown attribute net/sctp/stream.c:319:9: sparse: Expected , in __builtin_offset net/sctp/stream.c:319:9: sparse: got sctp_paramhdr_t >> builtin:0:0: sparse: No right hand side of '+'-expression net/sctp/stream.c:319:9: sparse: Expected ) in 'for' net/sctp/stream.c:319:9: sparse: got ; net/sctp/stream.c:319:9: sparse: Expected ; at end of statement net/sctp/stream.c:319:9: sparse: got ) net/sctp/stream.c:331:16: sparse: Expected ) in function declarator net/sctp/stream.c:331:16: sparse: got ( >> net/sctp/stream.c:331:9: sparse: Trying to use reserved word 'return' as identifier net/sctp/stream.c:332:1: sparse: Expected ; at the end of type declaration net/sctp/stream.c:332:1: sparse: got } net/sctp/stream.c:338:13: sparse: Expected ; at end of declaration net/sctp/stream.c:338:13: sparse: got -> net/sctp/stream.c:339:1: sparse: Expected ; at the end of type declaration net/sctp/stream.c:339:1: sparse: got } net/sctp/stream.c:354:13: sparse: Expected ) in function declarator net/sctp/stream.c:354:13: sparse: got ( >> net/sctp/stream.c:354:9: sparse: Trying to use reserved word 'if' as identifier >> net/sctp/stream.c:357:17: sparse: Trying to use reserved word 'goto' as identifier net/sctp/stream.c:357:22: sparse: Expected ; at end of declaration net/sctp/stream.c:357:22: sparse: got err net/sctp/stream.c:358:9: sparse: Expected ; at the end of type declaration net/sctp/stream.c:358:9: sparse: got } net/sctp/stream.c:360:13: sparse: Expected ) in function declarator net/sctp/stream.c:360:13: sparse: got & >> net/sctp/stream.c:360:13: sparse: Trying to use reserved word 'void' as identifier net/sctp/stream.c:360:13: sparse: Expected ; at the end of type declaration net/sctp/stream.c:360:13: sparse: got 1 net/sctp/stream.c:360:13: sparse: Expected ; at the end of type declaration net/sctp/stream.c:360:13: sparse: got } net/sctp/stream.c:360:13: sparse: Expected ) in function declarator net/sctp/stream.c:360:13: sparse: got & >> 
net/sctp/stream.c:360:13: sparse: Trying to use reserved word 'void' as identifier net/sctp/stream.c:360:13: sparse: Expected ; at the end of type declaration net/sctp/stream.c:360:13: sparse: got 1 net/sctp/stream.c:360:13: sparse: Expected ; at the end of type declaration net/sctp/stream.c:360:13: sparse: got } net/sctp/stream.c:361:13: sparse: Expected ) in function declarator net/sctp/stream.c:361:13: sparse: got & net/sctp/stream.c:361:13: sparse: Trying to use reserved word 'void' as identifier net/sctp/stream.c:361:13: sparse: Expected ; at the end of type declaration net/sctp/stream.c:361:13: sparse: got 1 net/sctp/stream.c:361:13: sparse: Expected ; at the end of type declaration net/sctp/stream.c:361:13: sparse: got } net/sctp/stream.c:361:13: sparse: Expected ) in function declarator net/sctp/stream.c:361:13: sparse: got & net/sctp/stream.c:361:13: sparse: Trying to use reserved word 'void' as identifier net/sctp/stream.c:361:13: sparse: Expected ; at the end of type declaration net/sctp/stream.c:361:13: sparse: got 1 net/sctp/stream.c:361:13: sparse: Expected ; at the end of type declaration net/sctp/stream.c:361:13: sparse: got } net/sctp/stream.c:363:17: sparse: Trying to use reserved word 'goto' as identifier net/sctp/stream.c:363:22: sparse: Expected ; at end of declaration net/sctp/stream.c:363:22: sparse: got err net/sctp/stream.c:364:9: sparse: Expected ; at the end of type declaration net/sctp/stream.c:364:9: sparse: got } net/sctp/stream.c:364:20: sparse: Expected ) in function declarator net/sctp/stream.c:364:20: sparse: got & net/sctp/stream.c:364:20: sparse: Trying to use reserved word 'void' as identifier net/sctp/stream.c:364:20: sparse: Expected ; at the end of type declaration net/sctp/stream.c:364:20: sparse: got 1 net/sctp/stream.c:364:20: sparse: Expected ; at the end of type declaration net/sctp/stream.c:364:20: sparse: got } net/sctp/stream.c:364:20: sparse: Expected ) in function declarator net/sctp/stream.c:364:20: sparse: got & 
net/sctp/stream.c:364:20: sparse: Trying to use reserved word 'void' as identifier net/sctp/stream.c:364:20: sparse: Expected ; at the end of type declaration net/sctp/stream.c:364:20: sparse: got 1 net/sctp/stream.c:364:20: sparse: Expected ; at the end of type declaration net/sctp/stream.c:364:20: sparse: got } net/sctp/stream.c:367:17: sparse: Trying to use reserved word 'goto' as identifier net/sctp/stream.c:367:22: sparse: Expected ; at end of declaration net/sctp/stream.c:367:22: sparse: got err net/sctp/stream.c:368:9: sparse: Expected ; at the end of type declaration net/sctp/stream.c:368:9: sparse: got } net/sctp/stream.c:375:13: sparse: Expected ) in function declarator net/sctp/stream.c:375:13: sparse: got ! net/sctp/stream.c:375:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/stream.c:378:17: sparse: Expected ) in function declarator net/sctp/stream.c:378:17: sparse: got -> net/sctp/stream.c:378:9: sparse: Trying to use reserved word 'if' as identifier net/sctp/stream.c:384:25: sparse: Trying to use reserved word 'goto' as identifier net/sctp/stream.c:384:30: sparse: Expected ; at end of declaration net/sctp/stream.c:384:30: sparse: got out net/sctp/stream.c:385:17: sparse: Expected ; at the end of type declaration net/sctp/stream.c:385:17: sparse: got } net/sctp/stream.c:388:21: sparse: Expected ; at end of declaration net/sctp/stream.c:388:21: sparse: got -> net/sctp/stream.c:390:21: sparse: Expected ) in function declarator net/sctp/stream.c:390:21: sparse: got ! 
net/sctp/stream.c:390:17: sparse: Trying to use reserved word 'if' as identifier net/sctp/stream.c:394:38: sparse: Expected ) in function declarator net/sctp/stream.c:394:38: sparse: got ( net/sctp/stream.c:394:25: sparse: Trying to use reserved word 'if' as identifier net/sctp/stream.c:397:44: sparse: Expected ) in function declarator net/sctp/stream.c:397:44: sparse: got -> net/sctp/stream.c:398:29: sparse: Expected ; at end of declaration net/sctp/stream.c:398:29: sparse: got -> net/sctp/stream.c:399:17: sparse: Expected ; at the end of type declaration >> net/sctp/stream.c:399:17: sparse: too many errors In file included from include/linux/compiler.h:58:0, from include/uapi/linux/stddef.h:1, from include/linux/stddef.h:4, from include/uapi/linux/posix_types.h:4, from include/uapi/linux/types.h:13, from include/linux/types.h:5, from include/net/sctp/sctp.h:58, from net/sctp/stream.c:35: net/sctp/stream.c: In function 'sctp_chunk_lookup_strreset_param': include/net/sctp/sctp.h:472:24: error: unknown type name 'sctp_paramhdr_t' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^ include/linux/compiler-gcc.h:161:21: note: in definition of macro '__compiler_offsetof' __builtin_offsetof(a, b) ^ include/net/sctp/sctp.h:472:15: note: in expansion of macro 'offsetof' (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ ^~~~~~~~ include/net/sctp/sctp.h:468:1: note: in expansion of macro '_sctp_walk_params' _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) ^~~~~~~~~~~~~~~~~ net/sctp/stream.c:319:2: note: in expansion of macro 'sctp_walk_params' sctp_walk_params(param, hdr, params) { ^~~~~~~~~~~~~~~~ --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
On Fri, Jul 14, 2017 at 7:54 PM, David Miller <davem@davemloft.net> wrote:
> From: Alexander Potapenko <glider@google.com>
> Date: Fri, 14 Jul 2017 19:33:54 +0200
>
>> On Fri, Jul 14, 2017 at 7:23 PM, David Miller <davem@davemloft.net> wrote:
>>> From: Alexander Potapenko <glider@google.com>
>>> Date: Fri, 14 Jul 2017 18:33:01 +0200
>>>
>>>> On Fri, Jul 14, 2017 at 5:58 PM, David Miller <davem@davemloft.net> wrote:
>>>>> From: Alexander Potapenko <glider@google.com>
>>>>> Date: Fri, 14 Jul 2017 12:03:29 +0200
>>>>>
>>>>>> v2: per comment from David Miller, make sure the whole iterator->length
>>>>>> fits into the remaining buffer.
>>>>>
>>>>> Please compile and functionally test your changes:
>>>>>
>>>>> In file included from ./include/linux/compiler.h:58:0,
>>>>>                  from ./include/uapi/linux/stddef.h:1,
>>>>>                  from ./include/linux/stddef.h:4,
>>>>>                  from ./include/uapi/linux/posix_types.h:4,
>>>>>                  from ./include/uapi/linux/types.h:13,
>>>>>                  from ./include/linux/types.h:5,
>>>>>                  from net/sctp/sm_statefuns.c:48:
>>>>> net/sctp/sm_statefuns.c: In function ‘sctp_sf_do_reconf’:
>>>>> ./include/net/sctp/sctp.h:472:24: error: unknown type name ‘sctp_paramhdr_t’
>>>>>       (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
>>>>>                         ^
>>>> Oops. Fixed.
>>>
>>> Did you functionally test the new version or just do a quick compile
>>> check and resubmit?
>> I've checked that the kernel still works, but unfortunately I couldn't
>> check whether or not this affected the uninit memory, as KMSAN
>> currently works on a fixed kernel revision. The compilation error was
>> actually caused by me failing to test the kernel when porting the fix
>> from that revision to upstream.
>>
>>> I really want you to test this if the logic has been changed.
>> Do you mean any specific tests in addition to, say, running the
>> reproducer on which the uninit use was reported?
>
> I mean the reproducer.
Yes, I've run the reproducer, and just double-checked that.
Sorry for the delay.
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index a9519a06a23b..9f6164a15715 100644 --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h @@ -469,6 +469,8 @@ _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) #define _sctp_walk_params(pos, chunk, end, member)\ for (pos.v = chunk->member;\ + (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\ + (void *)chunk + end) &&\ pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\ ntohs(pos.p->length) >= sizeof(struct sctp_paramhdr);\ pos.v += SCTP_PAD4(ntohs(pos.p->length))) @@ -479,6 +481,8 @@ _sctp_walk_errors((err), (chunk_hdr), ntohs((chunk_hdr)->length)) #define _sctp_walk_errors(err, chunk_hdr, end)\ for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \ sizeof(struct sctp_chunkhdr));\ + ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <\ + (void *)chunk_hdr + end) &&\ (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\ ntohs(err->length) >= sizeof(sctp_errhdr_t); \ err = (sctp_errhdr_t *)((void *)err + SCTP_PAD4(ntohs(err->length))))
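Review bot: the new guard in `_sctp_walk_params` names the type `sctp_paramhdr_t`, while the existing clause right after it on the same line uses `sizeof(struct sctp_paramhdr)`, and the kbuild report above fails on exactly that name (`error: unknown type name 'sctp_paramhdr_t'` at sctp.h:472 in every caller of `sctp_walk_params`); write it as `offsetof(struct sctp_paramhdr, length)` so the header builds in this tree. The comparison is also one byte too strict: `pos.v + offsetof(..., length) + sizeof(pos.p->length) < (void *)chunk + end` rejects a parameter whose 4-byte header ends exactly at the chunk boundary, although the unchanged `pos.v <= (void *)chunk + end - ntohs(pos.p->length)` clause would accept such a trailing header-only parameter. The length field is readable as long as its last byte is inside the chunk, i.e. when that sum is `<=` the end, so `<=` is the operator that matches the other checks. A one-line comment above the guard noting that it exists so `pos.p->length` is never dereferenced before it is known to be in bounds would keep someone from "simplifying" the clause order later.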
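Review bot: the `_sctp_walk_errors` hunk has the same strict comparison: `(void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) < (void *)chunk_hdr + end` skips an error cause whose header ends exactly at `chunk_hdr + end`, which the following `(void *)err <= (void *)chunk_hdr + end - ntohs(err->length)` clause would otherwise accept; `<=` keeps the two clauses consistent with each other and with the params walker. Note also that the fix relies on `&&` short-circuiting so that `err->length` in the second and third clauses is only read after the first clause has proven the field lies inside the chunk; a short comment saying so is worthwhile, because reordering these conditions would silently reintroduce the read the commit message describes.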
If the length field of the iterator (|pos.p| or |err|) is past the end
of the chunk, we shouldn't access it.

This bug has been detected by KMSAN. For the following pair of system
calls:

  socket(PF_INET6, SOCK_STREAM, 0x84 /* IPPROTO_??? */) = 3
  sendto(3, "A", 1, MSG_OOB, {sa_family=AF_INET6, sin6_port=htons(0),
         inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0,
         sin6_scope_id=0}, 28) = 1

the tool has reported a use of uninitialized memory:

  ==================================================================
  BUG: KMSAN: use of uninitialized memory in sctp_rcv+0x17b8/0x43b0
  CPU: 1 PID: 2940 Comm: probe Not tainted 4.11.0-rc5+ #2926
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x172/0x1c0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927
   __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469
   __sctp_rcv_init_lookup net/sctp/input.c:1074
   __sctp_rcv_lookup_harder net/sctp/input.c:1233
   __sctp_rcv_lookup net/sctp/input.c:1255
   sctp_rcv+0x17b8/0x43b0 net/sctp/input.c:170
   sctp6_rcv+0x32/0x70 net/sctp/ipv6.c:984
   ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279
   NF_HOOK ./include/linux/netfilter.h:257
   ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322
   dst_input ./include/net/dst.h:492
   ip6_rcv_finish net/ipv6/ip6_input.c:69
   NF_HOOK ./include/linux/netfilter.h:257
   ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203
   __netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208
   __netif_receive_skb net/core/dev.c:4246
   process_backlog+0x667/0xba0 net/core/dev.c:4866
   napi_poll net/core/dev.c:5268
   net_rx_action+0xc95/0x1590 net/core/dev.c:5333
   __do_softirq+0x485/0x942 kernel/softirq.c:284
   do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
   </IRQ>
   do_softirq kernel/softirq.c:328
   __local_bh_enable_ip+0x25b/0x290 kernel/softirq.c:181
   local_bh_enable+0x37/0x40 ./include/linux/bottom_half.h:31
   rcu_read_unlock_bh ./include/linux/rcupdate.h:931
   ip6_finish_output2+0x19b2/0x1cf0 net/ipv6/ip6_output.c:124
   ip6_finish_output+0x764/0x970 net/ipv6/ip6_output.c:149
   NF_HOOK_COND ./include/linux/netfilter.h:246
   ip6_output+0x456/0x520 net/ipv6/ip6_output.c:163
   dst_output ./include/net/dst.h:486
   NF_HOOK ./include/linux/netfilter.h:257
   ip6_xmit+0x1841/0x1c00 net/ipv6/ip6_output.c:261
   sctp_v6_xmit+0x3b7/0x470 net/sctp/ipv6.c:225
   sctp_packet_transmit+0x38cb/0x3a20 net/sctp/output.c:632
   sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
   sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
   sctp_side_effects net/sctp/sm_sideeffect.c:1773
   sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
   sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
   sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
   inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
   sock_sendmsg_nosec net/socket.c:633
   sock_sendmsg net/socket.c:643
   SYSC_sendto+0x608/0x710 net/socket.c:1696
   SyS_sendto+0x8a/0xb0 net/socket.c:1664
   do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
   entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
  RIP: 0033:0x401133
  RSP: 002b:00007fff6d99cd38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
  RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401133
  RDX: 0000000000000001 RSI: 0000000000494088 RDI: 0000000000000003
  RBP: 00007fff6d99cd90 R08: 00007fff6d99cd50 R09: 000000000000001c
  R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
  R13: 00000000004063d0 R14: 0000000000406460 R15: 0000000000000000
  origin:
   save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302
   kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198
   kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:211
   slab_alloc_node mm/slub.c:2743
   __kmalloc_node_track_caller+0x200/0x360 mm/slub.c:4351
   __kmalloc_reserve net/core/skbuff.c:138
   __alloc_skb+0x26b/0x840 net/core/skbuff.c:231
   alloc_skb ./include/linux/skbuff.h:933
   sctp_packet_transmit+0x31e/0x3a20 net/sctp/output.c:570
   sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
   sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
   sctp_side_effects net/sctp/sm_sideeffect.c:1773
   sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
   sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
   sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
   inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
   sock_sendmsg_nosec net/socket.c:633
   sock_sendmsg net/socket.c:643
   SYSC_sendto+0x608/0x710 net/socket.c:1696
   SyS_sendto+0x8a/0xb0 net/socket.c:1664
   do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
   return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
  ==================================================================

Signed-off-by: Alexander Potapenko <glider@google.com>
---
v2: per comment from David Miller, make sure the whole iterator->length
    fits into the remaining buffer.
---
 include/net/sctp/sctp.h | 4 ++++
 1 file changed, 4 insertions(+)
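To make the commit message's point concrete ("if the length field of the iterator is past the end of the chunk, we shouldn't access it"), here is an added user-space model of the `_sctp_walk_params` loop condition. It is not kernel code and not part of this patch: `struct paramhdr` stands in for the kernel's `struct sctp_paramhdr`, `read_length()` stands in for `ntohs(pos.p->length)` but refuses to touch bytes past the chunk and counts the attempt instead, and the three parameter areas (`GOOD`, `TRUNC`, `OVERLONG`) are constructed by hand. `walk_old()` has the pre-patch shape (length read first, bounds checked afterwards) and `walk_new()` has the patched shape, with a `strict` flag that selects the `<` comparison the posted hunk uses versus `<=`.

```c
/* Added example, not from the kernel or from this patch: a user-space model
 * of the _sctp_walk_params loop condition before and after the fix.
 * struct paramhdr mirrors the layout of the kernel's struct sctp_paramhdr
 * (assumption: 16-bit type, 16-bit length, both big-endian). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

struct paramhdr {
	uint16_t type;
	uint16_t length;	/* network byte order; counts the header itself */
};

#define PAD4(n) (((n) + 3u) & ~3u)

struct walk_result {
	int params;		/* iterations the loop body would have run */
	int oob_reads;		/* reads of pos.p->length lying outside the chunk */
};

/* Stand-in for "ntohs(pos.p->length)". Instead of reading past 'end' it
 * records the attempt and returns 4, i.e. whatever stale memory might have
 * said, so the caller's own checks decide what happens next. */
static unsigned read_length(const uint8_t *buf, size_t end, size_t pos,
			    struct walk_result *r)
{
	size_t field = pos + offsetof(struct paramhdr, length);
	uint16_t raw;

	if (field + sizeof(raw) > end) {
		r->oob_reads++;
		return 4;
	}
	memcpy(&raw, buf + field, sizeof(raw));
	return ntohs(raw);
}

/* Pre-patch shape: the length is dereferenced before any bound is checked,
 * so even on a well-formed chunk the final "is there another parameter?"
 * test reads one length field past the end. */
struct walk_result walk_old(const uint8_t *buf, size_t end)
{
	struct walk_result r = { 0, 0 };
	size_t pos = 0;

	for (;;) {
		unsigned len = read_length(buf, end, pos, &r);

		if (!((long)pos <= (long)end - (long)len &&
		      len >= sizeof(struct paramhdr)))
			break;
		r.params++;
		pos += PAD4(len);
	}
	return r;
}

/* Patched shape: prove the length field lies inside the chunk first.
 * strict=1 uses the '<' comparison of the posted hunk, strict=0 uses '<='. */
struct walk_result walk_new(const uint8_t *buf, size_t end, int strict)
{
	struct walk_result r = { 0, 0 };
	size_t pos = 0;

	for (;;) {
		size_t hdr_end = pos + offsetof(struct paramhdr, length) +
				 sizeof(uint16_t);
		int in_bounds = strict ? hdr_end < end : hdr_end <= end;
		unsigned len;

		if (!in_bounds)
			break;
		len = read_length(buf, end, pos, &r);
		if (!((long)pos <= (long)end - (long)len &&
		      len >= sizeof(struct paramhdr)))
			break;
		r.params++;
		pos += PAD4(len);
	}
	return r;
}

/* Constructed parameter areas: type, length (big-endian), value bytes. */
const uint8_t GOOD[] = { 0x00, 0x01, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef,
			 0x00, 0x02, 0x00, 0x04 };	/* 8-byte param, then header-only param */
const uint8_t TRUNC[] = { 0x00, 0x01, 0x00, 0x04, 0x00, 0x02 };	/* 2 stray bytes at the tail */
const uint8_t OVERLONG[] = { 0x00, 0x01, 0x00, 0x40, 0, 0, 0, 0 };	/* claims 64 bytes */

int main(void)
{
	const struct { const char *name; const uint8_t *buf; size_t len; } cases[] = {
		{ "well-formed", GOOD, sizeof(GOOD) },
		{ "truncated", TRUNC, sizeof(TRUNC) },
		{ "overlong", OVERLONG, sizeof(OVERLONG) },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct walk_result o = walk_old(cases[i].buf, cases[i].len);
		struct walk_result s = walk_new(cases[i].buf, cases[i].len, 1);
		struct walk_result n = walk_new(cases[i].buf, cases[i].len, 0);

		printf("%-11s old: %d params/%d OOB  '<': %d params/%d OOB  '<=': %d params/%d OOB\n",
		       cases[i].name, o.params, o.oob_reads, s.params, s.oob_reads,
		       n.params, n.oob_reads);
	}
	return 0;
}
```

Two things the run shows that the prose alone does not: the old loop reads a length field past the chunk on every input, including the well-formed one, because the loop header dereferences `pos.p` once more after the last parameter to decide whether to continue; and the `<` form of the guard skips the trailing header-only parameter in `GOOD` (1 parameter visited instead of 2), while `<=` visits both and still performs no out-of-bounds read.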