[syzbot] [wireless?] KMSAN: uninit-value in ath9k_hw_init


syzbot

Mar 6, 2023, 2:22:51 AM
to da...@davemloft.net, edum...@google.com, gli...@google.com, ku...@kernel.org, kv...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com, to...@toke.dk
Hello,

syzbot found the following issue on:

HEAD commit: 944070199c5e kmsan: add memsetXX tests
git tree: https://github.com/google/kmsan.git master
console+strace: https://syzkaller.appspot.com/x/log.txt?x=172481f2c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=46c642641b9ef616
dashboard link: https://syzkaller.appspot.com/bug?extid=df61b36319e045c00a08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15055432c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1010b19cc80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/055bbd57e905/disk-94407019.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/82472690bcfe/vmlinux-94407019.xz
kernel image: https://storage.googleapis.com/syzbot-assets/db3f379532ab/bzImage-94407019.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+df61b3...@syzkaller.appspotmail.com

ath9k_htc 6-1:1.0: ath9k_htc: HTC initialized with 33 credits
=====================================================
BUG: KMSAN: uninit-value in ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
BUG: KMSAN: uninit-value in __ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
BUG: KMSAN: uninit-value in ath9k_hw_init+0x11e0/0x2d60 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x11e0/0x2d60 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_init_priv drivers/net/wireless/ath/ath9k/htc_drv_init.c:662 [inline]
ath9k_init_device drivers/net/wireless/ath/ath9k/htc_drv_init.c:839 [inline]
ath9k_htc_probe_device+0xf48/0x3b60 drivers/net/wireless/ath/ath9k/htc_drv_init.c:963
ath9k_htc_hw_init+0x4f/0x100 drivers/net/wireless/ath/ath9k/htc_hst.c:521
ath9k_hif_usb_firmware_cb+0x2eb/0x800 drivers/net/wireless/ath/ath9k/hif_usb.c:1243
request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107
process_one_work+0xb0d/0x1410 kernel/workqueue.c:2289
worker_thread+0x107b/0x1d60 kernel/workqueue.c:2436
kthread+0x31f/0x430 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Local variable val created at:
ath9k_regread+0x62/0x1b0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:239
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:287 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x5be/0x2d60 drivers/net/wireless/ath/ath9k/hw.c:700

CPU: 0 PID: 115 Comm: kworker/0:2 Not tainted 6.2.0-syzkaller-81157-g944070199c5e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Workqueue: events request_firmware_work_func
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Mar 12, 2023, 4:41:24 PM
to gli...@google.com, linux-...@vger.kernel.org, pche...@ispras.ru, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in ath9k_hw_init

ath9k_htc 3-1:1.0: ath9k_htc: HTC initialized with 33 credits
=====================================================
BUG: KMSAN: uninit-value in ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
BUG: KMSAN: uninit-value in __ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
BUG: KMSAN: uninit-value in ath9k_hw_init+0x119e/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x119e/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_init_priv drivers/net/wireless/ath/ath9k/htc_drv_init.c:662 [inline]
ath9k_init_device drivers/net/wireless/ath/ath9k/htc_drv_init.c:839 [inline]
ath9k_htc_probe_device+0xf48/0x3b60 drivers/net/wireless/ath/ath9k/htc_drv_init.c:963
ath9k_htc_hw_init+0x4f/0x100 drivers/net/wireless/ath/ath9k/htc_hst.c:523
ath9k_hif_usb_firmware_cb+0x2eb/0x800 drivers/net/wireless/ath/ath9k/hif_usb.c:1256
request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107
process_one_work+0xb0d/0x1410 kernel/workqueue.c:2390
worker_thread+0x107e/0x1d60 kernel/workqueue.c:2537
kthread+0x31f/0x430 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Local variable val created at:
ath9k_regread+0x62/0x1b0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:239
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:287 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x5c4/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700

CPU: 0 PID: 5569 Comm: kworker/0:4 Not tainted 6.3.0-rc1-syzkaller-00010-ge61893130d87-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: events request_firmware_work_func
=====================================================


Tested on:

commit: e6189313 kmsan: add test_stackdepot_roundtrip
console output: https://syzkaller.appspot.com/x/log.txt?x=1508f12ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=ef8f90a9dd9b8eae
dashboard link: https://syzkaller.appspot.com/bug?extid=df61b36319e045c00a08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10cabf24c80000

syzbot

Mar 13, 2023, 7:22:32 AM
to gli...@google.com, linux-...@vger.kernel.org, pche...@ispras.ru, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in ath9k_hw_init

ath9k_htc 2-1:1.0: ath9k_htc: HTC initialized with 33 credits
=====================================================
BUG: KMSAN: uninit-value in ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
BUG: KMSAN: uninit-value in __ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
BUG: KMSAN: uninit-value in ath9k_hw_init+0x119e/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x119e/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_init_priv drivers/net/wireless/ath/ath9k/htc_drv_init.c:662 [inline]
ath9k_init_device drivers/net/wireless/ath/ath9k/htc_drv_init.c:839 [inline]
ath9k_htc_probe_device+0xf48/0x3b60 drivers/net/wireless/ath/ath9k/htc_drv_init.c:963
ath9k_htc_hw_init+0x4f/0x100 drivers/net/wireless/ath/ath9k/htc_hst.c:523
ath9k_hif_usb_firmware_cb+0x2eb/0x800 drivers/net/wireless/ath/ath9k/hif_usb.c:1256
request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107
process_one_work+0xb0d/0x1410 kernel/workqueue.c:2390
worker_thread+0x107e/0x1d60 kernel/workqueue.c:2537
kthread+0x31f/0x430 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Local variable val created at:
ath9k_regread+0x62/0x1b0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:239
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:287 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x5c4/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700

CPU: 1 PID: 5056 Comm: kworker/1:3 Not tainted 6.3.0-rc1-syzkaller-00010-ge61893130d87-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: events request_firmware_work_func
=====================================================


Tested on:

commit: e6189313 kmsan: add test_stackdepot_roundtrip
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17107072c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=ef8f90a9dd9b8eae
dashboard link: https://syzkaller.appspot.com/bug?extid=df61b36319e045c00a08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16cb811ac80000

Fedor Pchelkin

Mar 13, 2023, 8:33:14 AM
to syzbot+df61b3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org
#syz test: https://github.com/google/kmsan.git master

--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -221,6 +221,9 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
if (unlikely(wmi->stopped))
goto free_skb;

+ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
+ goto free_skb;
+
hdr = (struct wmi_cmd_hdr *) skb->data;
cmd_id = be16_to_cpu(hdr->command_id);

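Review bot: the header-length check sits correctly before `hdr = (struct wmi_cmd_hdr *) skb->data;` and after the `wmi->stopped` test, but it only guards the header. The response payload that ath9k_wmi_rsp_callback copies with `memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len)` is not bounded by this hunk, so a response shorter than cmd_rsp_len can still leave the caller's buffer partly uninitialized; a second check against cmd_rsp_len after the skb_pull is needed.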
@@ -308,8 +311,11 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
unsigned long time_left;
int ret = 0;

- if (ah->ah_flags & AH_UNPLUGGED)
- return 0;
+ if (ah->ah_flags & AH_UNPLUGGED) {
+ ath_dbg(common, WMI, "Device unplugged for WMI command: %s\n",
+ wmi_cmd_to_name(cmd_id));
+ return -ENODEV;
+ }

skb = alloc_skb(headroom + cmd_len, GFP_ATOMIC);
if (!skb)
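Review bot: returning -ENODEV instead of 0 for AH_UNPLUGGED is the right direction, since a 0 return with no response copied is exactly how `val` in ath9k_regread stays uninitialized, but it changes the contract for every ath9k_wmi_cmd caller; confirm that callers which ignore the return value, or treat any nonzero as fatal, behave sensibly when the device is simply gone. Also confirm that `common` is declared in ath9k_wmi_cmd, since the hunk context shows only `time_left` and `ret`.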
--

Fedor Pchelkin

Mar 13, 2023, 10:36:26 AM
to syzbot+df61b3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org
--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -243,7 +243,7 @@ static unsigned int ath9k_regread(void *hw_priv, u32 reg_offset)
(u8 *) &reg, sizeof(reg),
(u8 *) &val, sizeof(val),
100);
- if (unlikely(r)) {
+ if (r) {
ath_dbg(common, WMI, "REGISTER READ FAILED: (0x%04x, %d)\n",
reg_offset, r);
return -1;
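Review bot: dropping `unlikely()` is a cosmetic change unrelated to the uninit-value and only makes the fix noisier to review and backport; keep the patch to the functional change. Separately, the unchanged `return -1;` is what ath9k_hw_read_revisions consumes, so a failed register read is handed back as 0xffffffff rather than as an error the caller can distinguish from a real value.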
@@ -259,7 +259,7 @@ static void ath9k_multi_regread(void *hw_priv, u32 *addr,
struct ath_common *common = ath9k_hw_common(ah);
struct ath9k_htc_priv *priv = (struct ath9k_htc_priv *) common->priv;
__be32 tmpaddr[8];
- __be32 tmpval[8];
+ __be32 tmpval[8] = {0};
int i, ret;

for (i = 0; i < count; i++) {
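Review bot: `__be32 tmpval[8] = {0};` silences KMSAN for ath9k_multi_regread but replaces the uninitialized read with a silently wrong zero register value. Since the function is `void` and its failure branch only logs, callers cannot tell a zero-filled result from a genuine one; the error should be propagated rather than masked.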
@@ -270,7 +270,7 @@ static void ath9k_multi_regread(void *hw_priv, u32 *addr,
(u8 *)tmpaddr , sizeof(u32) * count,
(u8 *)tmpval, sizeof(u32) * count,
100);
- if (unlikely(ret)) {
+ if (ret) {
ath_dbg(common, WMI,
"Multiple REGISTER READ FAILED (count: %d)\n", count);
}
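Review bot: on `ret != 0` this branch only logs and falls through, so tmpval is still copied out to the caller as if the read succeeded; the error path should skip the copy or flag the result invalid. The `unlikely()` removal here is again style-only.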
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -204,6 +204,9 @@ static void ath9k_wmi_rsp_callback(struct wmi *wmi, struct sk_buff *skb)
{
skb_pull(skb, sizeof(struct wmi_cmd_hdr));

+ if (unlikely(skb->len < wmi->cmd_rsp_len))
+ return;
+
if (wmi->cmd_rsp_buf != NULL && wmi->cmd_rsp_len != 0)
memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len);

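Review bot: the `skb->len < wmi->cmd_rsp_len` check is the right bound for the memcpy, and because it follows `skb_pull(skb, sizeof(struct wmi_cmd_hdr))` it compares the payload length rather than the whole frame. The early `return` also skips `complete(&wmi->cmd_wait)`, so the waiter falls into its timeout path; that is acceptable, but a comment should say so, since a short response is now indistinguishable from no response.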
@@ -221,6 +224,9 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
if (unlikely(wmi->stopped))
goto free_skb;

+ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
+ goto free_skb;
+
hdr = (struct wmi_cmd_hdr *) skb->data;
cmd_id = be16_to_cpu(hdr->command_id);

@@ -308,8 +314,11 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,

syzbot

Mar 13, 2023, 11:46:30 AM
to gli...@google.com, linux-...@vger.kernel.org, pche...@ispras.ru, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in ath9k_hw_init

ath9k_htc 2-1:1.0: ath9k_htc: HTC initialized with 33 credits
=====================================================
BUG: KMSAN: uninit-value in ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
BUG: KMSAN: uninit-value in __ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
BUG: KMSAN: uninit-value in ath9k_hw_init+0x119e/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x119e/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_init_priv drivers/net/wireless/ath/ath9k/htc_drv_init.c:662 [inline]
ath9k_init_device drivers/net/wireless/ath/ath9k/htc_drv_init.c:839 [inline]
ath9k_htc_probe_device+0xf48/0x3b60 drivers/net/wireless/ath/ath9k/htc_drv_init.c:963
ath9k_htc_hw_init+0x4f/0x100 drivers/net/wireless/ath/ath9k/htc_hst.c:523
ath9k_hif_usb_firmware_cb+0x2eb/0x800 drivers/net/wireless/ath/ath9k/hif_usb.c:1256
request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107
process_one_work+0xb0d/0x1410 kernel/workqueue.c:2390
worker_thread+0x107e/0x1d60 kernel/workqueue.c:2537
kthread+0x31f/0x430 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Local variable val created at:
ath9k_regread+0x62/0x1c0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:239
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:287 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x5c4/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700

CPU: 1 PID: 20 Comm: kworker/1:0 Not tainted 6.3.0-rc2-syzkaller-00010-g34add094f9de-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: events request_firmware_work_func
=====================================================


Tested on:

commit: 34add094 kmsan: add test_stackdepot_roundtrip
console output: https://syzkaller.appspot.com/x/log.txt?x=1352768ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=76a9330669c37355
dashboard link: https://syzkaller.appspot.com/bug?extid=df61b36319e045c00a08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f40c3ac80000

Fedor Pchelkin

Mar 13, 2023, 1:05:37 PM
to syzbot+df61b3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org
#syz test: https://github.com/google/kmsan.git master

--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -259,7 +259,7 @@ static void ath9k_multi_regread(void *hw_priv, u32 *addr,
struct ath_common *common = ath9k_hw_common(ah);
struct ath9k_htc_priv *priv = (struct ath9k_htc_priv *) common->priv;
__be32 tmpaddr[8];
- __be32 tmpval[8];
+ __be32 tmpval[8] = {0};
int i, ret;

for (i = 0; i < count; i++) {
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -204,8 +204,13 @@ static void ath9k_wmi_rsp_callback(struct wmi *wmi, struct sk_buff *skb)
{
skb_pull(skb, sizeof(struct wmi_cmd_hdr));

+ if (unlikely(skb->len < wmi->cmd_rsp_len))
+ return;
+
if (wmi->cmd_rsp_buf != NULL && wmi->cmd_rsp_len != 0)
memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len);
+ else
+ return;

complete(&wmi->cmd_wait);
}
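Review bot: the added `else return;` skips `complete(&wmi->cmd_wait)` whenever cmd_rsp_buf is NULL or cmd_rsp_len is 0, so any command issued without a response buffer will always wait out the full timeout and return -ETIMEDOUT even though the firmware answered. complete() should be reached regardless of whether a payload was copied; only the length check above should short-circuit.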
@@ -221,6 +226,9 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
if (unlikely(wmi->stopped))
goto free_skb;

+ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
+ goto free_skb;
+
hdr = (struct wmi_cmd_hdr *) skb->data;
cmd_id = be16_to_cpu(hdr->command_id);

@@ -308,8 +316,11 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
unsigned long time_left;
int ret = 0;

- if (ah->ah_flags & AH_UNPLUGGED)
- return 0;
+ if (ah->ah_flags & AH_UNPLUGGED) {
+ ath_dbg(common, WMI, "Device unplugged for WMI command: %s\n",
+ wmi_cmd_to_name(cmd_id));
+ return -ENODEV;
+ }

skb = alloc_skb(headroom + cmd_len, GFP_ATOMIC);
if (!skb)
@@ -342,15 +353,22 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n",
wmi_cmd_to_name(cmd_id));
wmi->last_seq_id = 0;
+ wmi->cmd_rsp_buf = NULL;
+ wmi->cmd_rsp_len = 0;
mutex_unlock(&wmi->op_mutex);
return -ETIMEDOUT;
}

+ wmi->cmd_rsp_buf = NULL;
+ wmi->cmd_rsp_len = 0;
+
mutex_unlock(&wmi->op_mutex);

return 0;

out:
+ wmi->cmd_rsp_buf = NULL;
+ wmi->cmd_rsp_len = 0;
ath_dbg(common, WMI, "WMI failure for: %s\n", wmi_cmd_to_name(cmd_id));
mutex_unlock(&wmi->op_mutex);
kfree_skb(skb);
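Review bot: clearing cmd_rsp_buf and cmd_rsp_len on the timeout, success and `out:` paths is the right intent, but these stores are made under op_mutex only, while the rx side reads the fields from ath9k_wmi_ctrl_rx, which matches sequence numbers under wmi_lock. A late response can still observe the stale pointer between the timeout and the clear and memcpy into a stack buffer the caller has already left, so the clear should be done under wmi_lock alongside `wmi->last_seq_id = 0;`. The three identical copies also suggest a single cleanup label.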
--

syzbot

Mar 13, 2023, 1:35:33 PM
to gli...@google.com, linux-...@vger.kernel.org, pche...@ispras.ru, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor1725951009" "ro...@10.128.0.114:./syz-executor1725951009"]: exit status 1
ssh: connect to host 10.128.0.114 port 22: Connection timed out
lost connection




syzkaller build log:



Tested on:

commit: 34add094 kmsan: add test_stackdepot_roundtrip
git tree: https://github.com/google/kmsan.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=76a9330669c37355
dashboard link: https://syzkaller.appspot.com/bug?extid=df61b36319e045c00a08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=150386dcc80000

Fedor Pchelkin

Mar 13, 2023, 1:41:25 PM
to syzbot+df61b3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org

syzbot

Mar 13, 2023, 2:04:27 PM
to gli...@google.com, linux-...@vger.kernel.org, pche...@ispras.ru, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor3739450099" "ro...@10.128.0.155:./syz-executor3739450099"]: exit status 1
ssh: connect to host 10.128.0.155 port 22: Connection timed out
patch: https://syzkaller.appspot.com/x/patch.diff?x=12969e56c80000

Fedor Pchelkin

Mar 13, 2023, 4:47:40 PM
to syzbot+df61b3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -200,16 +200,6 @@ void ath9k_fatal_work(struct work_struct *work)
ath9k_htc_reset(priv);
}

-static void ath9k_wmi_rsp_callback(struct wmi *wmi, struct sk_buff *skb)
-{
- skb_pull(skb, sizeof(struct wmi_cmd_hdr));
-
- if (wmi->cmd_rsp_buf != NULL && wmi->cmd_rsp_len != 0)
- memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len);
-
- complete(&wmi->cmd_wait);
-}
-
static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
enum htc_endpoint_id epid)
{
@@ -221,6 +211,9 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
if (unlikely(wmi->stopped))
goto free_skb;

+ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
+ goto free_skb;
+
hdr = (struct wmi_cmd_hdr *) skb->data;
cmd_id = be16_to_cpu(hdr->command_id);

@@ -238,10 +231,19 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
spin_unlock_irqrestore(&wmi->wmi_lock, flags);
goto free_skb;
}
- spin_unlock_irqrestore(&wmi->wmi_lock, flags);

- /* WMI command response */
- ath9k_wmi_rsp_callback(wmi, skb);
+ skb_pull(skb, sizeof(struct wmi_cmd_hdr));
+
+ if (unlikely(skb->len < wmi->cmd_rsp_len)) {
+ spin_unlock_irqrestore(&wmi->wmi_lock, flags);
+ goto free_skb;
+ }
+
+ if (wmi->cmd_rsp_buf != NULL && wmi->cmd_rsp_len != 0)
+ memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len);
+
+ complete(&wmi->cmd_wait);
+ spin_unlock_irqrestore(&wmi->wmi_lock, flags);

free_skb:
kfree_skb(skb);
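Review bot: inlining the response copy and `complete()` under wmi_lock closes the window the separate callback left open, where a response matched by sequence number could be copied after the waiter had already timed out. Two things to check: the memcpy now runs with interrupts disabled, which is fine for the small WMI responses but should be noted; and the timeout path in ath9k_wmi_cmd must clear cmd_rsp_buf under the same lock, otherwise the race is only moved. The removed `/* WMI command response */` comment should be replaced by one explaining why the copy is done under the lock.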
@@ -308,8 +310,11 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
unsigned long time_left;
int ret = 0;

- if (ah->ah_flags & AH_UNPLUGGED)
- return 0;
+ if (ah->ah_flags & AH_UNPLUGGED) {
+ ath_dbg(common, WMI, "Device unplugged for WMI command: %s\n",
+ wmi_cmd_to_name(cmd_id));
+ return -ENODEV;
+ }

skb = alloc_skb(headroom + cmd_len, GFP_ATOMIC);
if (!skb)
--

syzbot

Mar 13, 2023, 5:05:23 PM
to gli...@google.com, linux-...@vger.kernel.org, pche...@ispras.ru, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in ath9k_hw_init

ath9k_htc 2-1:1.0: ath9k_htc: HTC initialized with 33 credits
=====================================================
BUG: KMSAN: uninit-value in ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
BUG: KMSAN: uninit-value in __ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
BUG: KMSAN: uninit-value in ath9k_hw_init+0x119e/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:289 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x119e/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_init_priv drivers/net/wireless/ath/ath9k/htc_drv_init.c:662 [inline]
ath9k_init_device drivers/net/wireless/ath/ath9k/htc_drv_init.c:839 [inline]
ath9k_htc_probe_device+0xf48/0x3b60 drivers/net/wireless/ath/ath9k/htc_drv_init.c:963
ath9k_htc_hw_init+0x4f/0x100 drivers/net/wireless/ath/ath9k/htc_hst.c:523
ath9k_hif_usb_firmware_cb+0x2eb/0x800 drivers/net/wireless/ath/ath9k/hif_usb.c:1256
request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107
process_one_work+0xb0d/0x1410 kernel/workqueue.c:2390
worker_thread+0x107e/0x1d60 kernel/workqueue.c:2537
kthread+0x31f/0x430 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Local variable val created at:
ath9k_regread+0x62/0x1b0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:239
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:287 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0x5c4/0x2ba0 drivers/net/wireless/ath/ath9k/hw.c:700

CPU: 1 PID: 5549 Comm: kworker/1:5 Not tainted 6.3.0-rc2-syzkaller-00010-g34add094f9de-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: events request_firmware_work_func
=====================================================


Tested on:

commit: 34add094 kmsan: add test_stackdepot_roundtrip
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13196aecc80000
kernel config: https://syzkaller.appspot.com/x/.config?x=76a9330669c37355
dashboard link: https://syzkaller.appspot.com/bug?extid=df61b36319e045c00a08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17a0437cc80000

Fedor Pchelkin

Mar 15, 2023, 9:47:12 AM
to syzbot+df61b3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org
@@ -234,14 +227,24 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,

/* Check if there has been a timeout. */
spin_lock_irqsave(&wmi->wmi_lock, flags);
- if (be16_to_cpu(hdr->seq_no) != wmi->last_seq_id) {
+ if (be16_to_cpu(hdr->seq_no) != wmi->last_seq_id ||
+ be16_to_cpu(hdr->seq_no) == 0) {
spin_unlock_irqrestore(&wmi->wmi_lock, flags);
goto free_skb;
}
- spin_unlock_irqrestore(&wmi->wmi_lock, flags);

- /* WMI command response */
- ath9k_wmi_rsp_callback(wmi, skb);
+ skb_pull(skb, sizeof(struct wmi_cmd_hdr));
+
+ if (unlikely(skb->len < wmi->cmd_rsp_len)) {
+ spin_unlock_irqrestore(&wmi->wmi_lock, flags);
+ goto free_skb;
+ }
+
+ if (wmi->cmd_rsp_buf != NULL && wmi->cmd_rsp_len != 0)
+ memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len);
+
+ complete(&wmi->cmd_wait);
+ spin_unlock_irqrestore(&wmi->wmi_lock, flags);

free_skb:
kfree_skb(skb);
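Review bot: the new `be16_to_cpu(hdr->seq_no) == 0` test relies on 0 never being a live sequence number, which holds because ath9k_wmi_cmd_issue assigns `cpu_to_be16(++wmi->tx_seq_id)` with a pre-increment and the timeout path resets last_seq_id to 0; without this reservation a stale response carrying seq_no 0 would match a reset last_seq_id and be copied into a buffer nobody is waiting on. Please record that reasoning in a comment, and consider whether tx_seq_id wrapping back to 0 after 65535 commands needs to be skipped.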
@@ -279,7 +282,8 @@ int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi,

static int ath9k_wmi_cmd_issue(struct wmi *wmi,
struct sk_buff *skb,
- enum wmi_cmd_id cmd, u16 len)
+ enum wmi_cmd_id cmd, u16 len,
+ u8 *rsp_buf, u32 rsp_len)
{
struct wmi_cmd_hdr *hdr;
unsigned long flags;
@@ -289,6 +293,10 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi,
hdr->seq_no = cpu_to_be16(++wmi->tx_seq_id);

spin_lock_irqsave(&wmi->wmi_lock, flags);
+ /* record the rsp buffer and length */
+ wmi->cmd_rsp_buf = rsp_buf;
+ wmi->cmd_rsp_len = rsp_len;
+
wmi->last_seq_id = wmi->tx_seq_id;
spin_unlock_irqrestore(&wmi->wmi_lock, flags);

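Review bot: recording cmd_rsp_buf and cmd_rsp_len in the same wmi_lock section that publishes last_seq_id makes the buffer and the sequence id visible to the rx path atomically; previously they were stored in ath9k_wmi_cmd before the command was issued, so a response matched by sequence number could in principle be paired with a buffer from a prior command. The u32 rsp_len is compared against skb->len in ath9k_wmi_ctrl_rx, which is consistent; the moved comment should mention that the lock is what makes the pairing safe.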
@@ -308,8 +316,11 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
unsigned long time_left;
int ret = 0;

- if (ah->ah_flags & AH_UNPLUGGED)
- return 0;
+ if (ah->ah_flags & AH_UNPLUGGED) {
+ ath_dbg(common, WMI, "Device unplugged for WMI command: %s\n",
+ wmi_cmd_to_name(cmd_id));
+ return -ENODEV;
+ }

skb = alloc_skb(headroom + cmd_len, GFP_ATOMIC);
if (!skb)
@@ -329,11 +340,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
goto out;
}

- /* record the rsp buffer and length */
- wmi->cmd_rsp_buf = rsp_buf;
- wmi->cmd_rsp_len = rsp_len;
-
- ret = ath9k_wmi_cmd_issue(wmi, skb, cmd_id, cmd_len);
+ ret = ath9k_wmi_cmd_issue(wmi, skb, cmd_id, cmd_len, rsp_buf, rsp_len);
if (ret)
goto out;

--

syzbot

Mar 15, 2023, 10:12:30 AM
to gli...@google.com, linux-...@vger.kernel.org, pche...@ispras.ru, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df61b3...@syzkaller.appspotmail.com

Tested on:

commit: 34add094 kmsan: add test_stackdepot_roundtrip
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14bfc58ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=76a9330669c37355
dashboard link: https://syzkaller.appspot.com/bug?extid=df61b36319e045c00a08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1727a63ac80000

Note: testing is done by a robot and is best-effort only.

Fedor Pchelkin

Mar 15, 2023, 3:35:30 PM
to syzbot+df61b3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org
#syz test: https://github.com/google/kmsan.git master

--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -200,20 +200,6 @@ void ath9k_fatal_work(struct work_struct *work)
ath9k_htc_reset(priv);
}

-static void ath9k_wmi_rsp_callback(struct wmi *wmi, struct sk_buff *skb)
-{
- skb_pull(skb, sizeof(struct wmi_cmd_hdr));
-
- /* Once again validate the SKB. */
- if (unlikely(skb->len < wmi->cmd_rsp_len))
- return;
-
- if (wmi->cmd_rsp_buf != NULL && wmi->cmd_rsp_len != 0)
- memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len);
-
- complete(&wmi->cmd_wait);
-}
-
static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
enum htc_endpoint_id epid)
{
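Review bot: the lines this hunk removes include `/* Once again validate the SKB. */` and an `if (unlikely(skb->len < wmi->cmd_rsp_len)) return;`, but the version of ath9k_wmi_rsp_callback removed by the earlier patch in this thread has neither; the diff was generated against a tree with a previous revision already applied, which is why syzbot reports `Hunk #1 FAILED at 200.` Regenerate the patch against a clean master.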
@@ -242,14 +228,26 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,

/* Check if there has been a timeout. */
spin_lock_irqsave(&wmi->wmi_lock, flags);
- if (be16_to_cpu(hdr->seq_no) != wmi->last_seq_id) {
+ if (be16_to_cpu(hdr->seq_no) != wmi->last_seq_id ||
+ be16_to_cpu(hdr->seq_no) == 0) {
+ spin_unlock_irqrestore(&wmi->wmi_lock, flags);
+ goto free_skb;
+ }
+
+ /* Next, process WMI command response */
+ skb_pull(skb, sizeof(struct wmi_cmd_hdr));
+
+ /* Once again validate the SKB. */
+ if (unlikely(skb->len < wmi->cmd_rsp_len)) {
spin_unlock_irqrestore(&wmi->wmi_lock, flags);
goto free_skb;
}
- spin_unlock_irqrestore(&wmi->wmi_lock, flags);

- /* WMI command response */
- ath9k_wmi_rsp_callback(wmi, skb);
+ if (wmi->cmd_rsp_buf != NULL && wmi->cmd_rsp_len != 0)
+ memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len);
+
+ complete(&wmi->cmd_wait);
+ spin_unlock_irqrestore(&wmi->wmi_lock, flags);

free_skb:
kfree_skb(skb);
@@ -287,7 +285,8 @@ int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi,

static int ath9k_wmi_cmd_issue(struct wmi *wmi,
struct sk_buff *skb,
- enum wmi_cmd_id cmd, u16 len)
+ enum wmi_cmd_id cmd, u16 len,
+ u8 *rsp_buf, u32 rsp_len)
{
struct wmi_cmd_hdr *hdr;
unsigned long flags;
@@ -297,6 +296,11 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi,
hdr->seq_no = cpu_to_be16(++wmi->tx_seq_id);

spin_lock_irqsave(&wmi->wmi_lock, flags);
+
+ /* record the rsp buffer and length */
+ wmi->cmd_rsp_buf = rsp_buf;
+ wmi->cmd_rsp_len = rsp_len;
+
wmi->last_seq_id = wmi->tx_seq_id;
spin_unlock_irqrestore(&wmi->wmi_lock, flags);

@@ -337,11 +341,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,

syzbot

Mar 15, 2023, 3:45:28 PM
to gli...@google.com, linux-...@vger.kernel.org, pche...@ispras.ru, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file drivers/net/wireless/ath/ath9k/wmi.c
Hunk #1 FAILED at 200.
Hunk #2 succeeded at 234 (offset -8 lines).
Hunk #3 succeeded at 291 (offset -8 lines).
Hunk #4 succeeded at 302 (offset -8 lines).
Hunk #5 succeeded at 347 (offset -8 lines).
1 out of 5 hunks FAILED



Tested on:

commit: 34add094 kmsan: add test_stackdepot_roundtrip
git tree: https://github.com/google/kmsan.git master
patch: https://syzkaller.appspot.com/x/patch.diff?x=124d82a4c80000

syzbot

Mar 25, 2024, 1:03:18 PM
to gli...@google.com, syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.