diff mbox

[v2] AF_ALG: Initialize sg_num_bytes in error code path

Message ID 3579823.yyIR4au8HA@positron.chronox.de (mailing list archive)
State Superseded
Delegated to: Herbert Xu
Headers show

Commit Message

Stephan Mueller July 5, 2018, 3:58 p.m. UTC 
Changes v2:
* Addition of syz testing line

---8<---

The RX SGL in processing is already registered with the RX SGL tracking
list to support proper cleanup. The cleanup code path uses the
sg_num_bytes variable which must therefore be always initialized, even
in the error code path.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzbot+9c251bdd09f83b92ba95@syzkaller.appspotmail.com
#syz test: https://github.com/google/kmsan.git
---
 crypto/af_alg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

syzbot July 5, 2018, 5:02 p.m. UTC | #1 
Hello,

syzbot tried to test the proposed patch but build/boot failed:

failed to checkout kernel repo https://github.com/google/kmsan.git/---:  
failed to run /usr/bin/git [git fetch https://github.com/google/kmsan.git  
---]: exit status 129
error: unknown option `-'
usage: git fetch [<options>] [<repository> [<refspec>...]]
    or: git fetch [<options>] <group>
    or: git fetch --multiple [<options>] [(<repository> | <group>)...]
    or: git fetch --all [<options>]

     -v, --verbose         be more verbose
     -q, --quiet           be more quiet
     --all                 fetch from all remotes
     -a, --append          append to .git/FETCH_HEAD instead of overwriting
     --upload-pack <path>  path to upload pack on remote end
     -f, --force           force overwrite of local branch
     -m, --multiple        fetch from multiple remotes
     -t, --tags            fetch all tags and associated objects
     -n                    do not fetch all tags (--no-tags)
     -p, --prune           prune remote-tracking branches no longer on remote
     --recurse-submodules[=<on-demand>]
                           control recursive fetching of submodules
     --dry-run             dry run
     -k, --keep            keep downloaded pack
     -u, --update-head-ok  allow updating of HEAD ref
     --progress            force progress reporting
     --depth <depth>       deepen history of shallow clone
     --unshallow           convert to a complete repository
     --update-shallow      accept refs that update .git/shallow
     --refmap <refmap>     specify fetch refmap




Tested on:

commit:         [unknown]
git tree:       https://github.com/google/kmsan.git/---
compiler:       clang version 7.0.0 (trunk 334104)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1207511c400000
Stephan Mueller July 5, 2018, 6:45 p.m. UTC | #2 
Am Donnerstag, 5. Juli 2018, 19:02:01 CEST schrieb syzbot:

Hi Dimitry,

does the syzkaller somehow uses the "---" separator as part of the URL?

Thanks

> Hello,
> 
> syzbot tried to test the proposed patch but build/boot failed:
> 
> failed to checkout kernel repo https://github.com/google/kmsan.git/---:
> failed to run /usr/bin/git [git fetch https://github.com/google/kmsan.git
> ---]: exit status 129
> error: unknown option `-'
> usage: git fetch [<options>] [<repository> [<refspec>...]]
>     or: git fetch [<options>] <group>
>     or: git fetch --multiple [<options>] [(<repository> | <group>)...]
>     or: git fetch --all [<options>]
> 
>      -v, --verbose         be more verbose
>      -q, --quiet           be more quiet
>      --all                 fetch from all remotes
>      -a, --append          append to .git/FETCH_HEAD instead of overwriting
>      --upload-pack <path>  path to upload pack on remote end
>      -f, --force           force overwrite of local branch
>      -m, --multiple        fetch from multiple remotes
>      -t, --tags            fetch all tags and associated objects
>      -n                    do not fetch all tags (--no-tags)
>      -p, --prune           prune remote-tracking branches no longer on
> remote --recurse-submodules[=<on-demand>]
>                            control recursive fetching of submodules
>      --dry-run             dry run
>      -k, --keep            keep downloaded pack
>      -u, --update-head-ok  allow updating of HEAD ref
>      --progress            force progress reporting
>      --depth <depth>       deepen history of shallow clone
>      --unshallow           convert to a complete repository
>      --update-shallow      accept refs that update .git/shallow
>      --refmap <refmap>     specify fetch refmap
> 
> 
> 
> 
> Tested on:
> 
> commit:         [unknown]
> git tree:       https://github.com/google/kmsan.git/---> compiler:       clang version 7.0.0 (trunk 334104)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1207511c400000


Ciao
Stephan
Dmitry Vyukov July 6, 2018, 7:38 a.m. UTC | #3 
On Thu, Jul 5, 2018 at 8:45 PM, Stephan Müller <smueller@chronox.de> wrote:
> Am Donnerstag, 5. Juli 2018, 19:02:01 CEST schrieb syzbot:
>
> Hi Dimitry,
>
> does the syzkaller somehow uses the "---" separator as part of the URL?

It used it as branch. Please see:

https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

for formats. In all formats a git tree is not enough. And it is not
enough to identify code state in any other context too, it's always
git repo + branch or commit hash.


>> syzbot tried to test the proposed patch but build/boot failed:
>>
>> failed to checkout kernel repo https://github.com/google/kmsan.git/---:
>> failed to run /usr/bin/git [git fetch https://github.com/google/kmsan.git
>> ---]: exit status 129
>> error: unknown option `-'
>> usage: git fetch [<options>] [<repository> [<refspec>...]]
>>     or: git fetch [<options>] <group>
>>     or: git fetch --multiple [<options>] [(<repository> | <group>)...]
>>     or: git fetch --all [<options>]
>>
>>      -v, --verbose         be more verbose
>>      -q, --quiet           be more quiet
>>      --all                 fetch from all remotes
>>      -a, --append          append to .git/FETCH_HEAD instead of overwriting
>>      --upload-pack <path>  path to upload pack on remote end
>>      -f, --force           force overwrite of local branch
>>      -m, --multiple        fetch from multiple remotes
>>      -t, --tags            fetch all tags and associated objects
>>      -n                    do not fetch all tags (--no-tags)
>>      -p, --prune           prune remote-tracking branches no longer on
>> remote --recurse-submodules[=<on-demand>]
>>                            control recursive fetching of submodules
>>      --dry-run             dry run
>>      -k, --keep            keep downloaded pack
>>      -u, --update-head-ok  allow updating of HEAD ref
>>      --progress            force progress reporting
>>      --depth <depth>       deepen history of shallow clone
>>      --unshallow           convert to a complete repository
>>      --update-shallow      accept refs that update .git/shallow
>>      --refmap <refmap>     specify fetch refmap
>>
>>
>>
>>
>> Tested on:
>>
>> commit:         [unknown]
>> git tree:       https://github.com/google/kmsan.git/---> compiler:       clang version 7.0.0 (trunk 334104)
>> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1207511c400000
>
>
> Ciao
> Stephan
>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/1626520.Rx0128ICKU%40positron.chronox.de.
> For more options, visit https://groups.google.com/d/optout.
Stephan Mueller July 6, 2018, 7:41 a.m. UTC | #4 
Am Freitag, 6. Juli 2018, 09:38:41 CEST schrieb Dmitry Vyukov:

Hi Dmitry,

> On Thu, Jul 5, 2018 at 8:45 PM, Stephan Müller <smueller@chronox.de> wrote:
> > Am Donnerstag, 5. Juli 2018, 19:02:01 CEST schrieb syzbot:
> > 
> > Hi Dimitry,
> > 
> > does the syzkaller somehow uses the "---" separator as part of the URL?
> 
> It used it as branch. Please see:
> 
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patch
> es
> 
> for formats. In all formats a git tree is not enough. And it is not
> enough to identify code state in any other context too, it's always
> git repo + branch or commit hash.

And which branch should I use for the kmsan.git repo?

Ciao
Stephan
Dmitry Vyukov July 6, 2018, 7:44 a.m. UTC | #5 
On Fri, Jul 6, 2018 at 9:41 AM, Stephan Mueller <smueller@chronox.de> wrote:
> Am Freitag, 6. Juli 2018, 09:38:41 CEST schrieb Dmitry Vyukov:
>
> Hi Dmitry,
>
>> On Thu, Jul 5, 2018 at 8:45 PM, Stephan Müller <smueller@chronox.de> wrote:
>> > Am Donnerstag, 5. Juli 2018, 19:02:01 CEST schrieb syzbot:
>> >
>> > Hi Dimitry,
>> >
>> > does the syzkaller somehow uses the "---" separator as part of the URL?
>>
>> It used it as branch. Please see:
>>
>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patch
>> es
>>
>> for formats. In all formats a git tree is not enough. And it is not
>> enough to identify code state in any other context too, it's always
>> git repo + branch or commit hash.
>
> And which branch should I use for the kmsan.git repo?

master, as specified in the original syzbot report. I will add this to
the doc too.
diff mbox

Patch

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 49fa8582138b..bd6795ff406a 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -1148,8 +1148,10 @@  int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
 
 		/* make one iovec available as scatterlist */
 		err = af_alg_make_sg(&rsgl->sgl, &msg->msg_iter, seglen);
-		if (err < 0)
+		if (err < 0) {
+			rsgl->sg_num_bytes = 0;
 			return err;
+		}
 
 		/* chain the new scatterlist with previous one */
 		if (areq->last_rsgl)