On 13/09/20 4:33 pm, Anant Thazhemadam wrote: > The crash report indicated that there was a local variable; > ----iovstack.i@__sys_sendmmsg created at: > ___sys_sendmsg net/socket.c:2388 [inline] > __sys_sendmmsg+0x6db/0xc90 net/socket.c:2480 > > that was left uninitialized. > > Initializing this stack to 0s prevents this bug from happening. > Since the memory pointed to by *iov is freed at the end of the function > call, memory leaks are not likely to be an issue. > > syzbot seems to have triggered this error by passing an array of 0's as > a parameter while making the system call. > > Reported-by: syzbot+09a5d591c1f98cf5e...@syzkaller.appspotmail.com > Tested-by: syzbot+09a5d591c1f98cf5e...@syzkaller.appspotmail.com > Signed-off-by: Anant Thazhemadam <anant.thazhema...@gmail.com> > --- > Changes from v1: > * Fixed the build warning that v1 had introduced > net/socket.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/socket.c b/net/socket.c > index 0c0144604f81..1e6f9b54982c 100644 > --- a/net/socket.c > +++ b/net/socket.c > @@ -2398,6 +2398,7 @@ static int ___sys_sendmsg(struct socket *sock, struct > user_msghdr __user *msg, > struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; > ssize_t err; > > + memset(iov, 0, UIO_FASTIOV); > msg_sys->msg_name = &address; > > err = sendmsg_copy_msghdr(msg_sys, msg, flags, &iov); It has since been determined that this patch is incorrect, and even if it were correct, provides a huge performance overhead, that is not welcome. Kindly ignore this patch. Sorry.
Thanks, Anant
