Re: KMSAN: kernel-usb-infoleak in hif_usb_send


Pavel Skripkin

Jan 15, 2022, 4:53:42 AM
to syzbot+f83a1d...@syzkaller.appspotmail.com, syzkaller-bugs
> Bytes 4-7 of 18 are uninitialized
> Memory access of size 18 starts at ffff888121719400
> =====================================================

I am just wondering how bytes 4-7 can be uninitialized. Alexander said
that KMSAN was broken for a year, so let's get the newest report to see
what actually happened.

#syz test: https://github.com/google/kmsan.git master



With regards,
Pavel Skripkin

syzbot

Jan 15, 2022, 5:08:11 AM
to gli...@google.com, paskr...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: kernel-usb-infoleak in hif_usb_send

=====================================================
BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00

CPU: 0 PID: 4012 Comm: kworker/0:8 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
=====================================================
=====================================================
BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Bytes 16-17 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00

CPU: 0 PID: 4012 Comm: kworker/0:8 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
=====================================================
usb 3-1: Service connection timeout for: 256
ath9k_htc 3-1:1.0: ath9k_htc: Unable to initialize HTC services
ath9k_htc: Failed to initialize the device
usb 4-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
=====================================================
BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888027041a00

CPU: 0 PID: 4012 Comm: kworker/0:8 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
=====================================================
=====================================================
BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Bytes 16-17 of 18 are uninitialized
Memory access of size 18 starts at ffff888027041a00

CPU: 0 PID: 4012 Comm: kworker/0:8 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
=====================================================
ath9k_htc 4-1:1.0: ath9k_htc: Unable to initialize HTC services
ath9k_htc: Failed to initialize the device
usb 1-1: USB disconnect, device number 3
usb 1-1: ath9k_htc: USB layer deinitialized
usb 1-1: new high-speed USB device number 4 using dummy_hcd


Tested on:

commit: fa3879a2 Input: libps2: mark data received in __ps2_co..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14dbcc60700000
kernel config: https://syzkaller.appspot.com/x/.config?x=876559abf9a0cb9d
dashboard link: https://syzkaller.appspot.com/bug?extid=f83a1df1ed4f67e8d8ad
compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2

Pavel Skripkin

Jan 15, 2022, 5:37:09 AM
to syzbot, gli...@google.com, syzkall...@googlegroups.com
Still don't get it. Let's try to zero the last 2 fields and see what KMSAN
thinks about it.

syzbot

Jan 15, 2022, 5:54:11 AM
to gli...@google.com, paskr...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: kernel-usb-infoleak in hif_usb_send

=====================================================
BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x1483/0x19c0 drivers/net/wireless/ath/ath9k/htc_hst.c:279
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:507
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x19c0 drivers/net/wireless/ath/ath9k/htc_hst.c:258
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:507
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff8880266f5e00

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
=====================================================
usb 3-1: Service connection timeout for: 256
ath9k_htc 3-1:1.0: ath9k_htc: Unable to initialize HTC services
ath9k_htc: Failed to initialize the device
usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
=====================================================
BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x1483/0x19c0 drivers/net/wireless/ath/ath9k/htc_hst.c:279
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:507
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x19c0 drivers/net/wireless/ath/ath9k/htc_hst.c:258
ath9k_wmi_connect+0x177/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
ath9k_init_htc_services+0xf6/0xee0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x4f5/0x3db0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
ath9k_htc_hw_init+0xdd/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:507
ath9k_hif_usb_firmware_cb+0x42e/0xaa0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
request_firmware_work_func+0x1b9/0x2e0 drivers/base/firmware_loader/main.c:1022
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888122750400

CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
=====================================================
usb 1-1: Service connection timeout for: 256
ath9k_htc 1-1:1.0: ath9k_htc: Unable to initialize HTC services
ath9k_htc: Failed to initialize the device
usb 2-1: new high-speed USB device number 4 using dummy_hcd
usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 2-1: Product: syz
usb 2-1: Manufacturer: syz
usb 2-1: SerialNumber: syz
usb 2-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested


Tested on:

commit: fa3879a2 Input: libps2: mark data received in __ps2_co..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=15018b9bb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=876559abf9a0cb9d
dashboard link: https://syzkaller.appspot.com/bug?extid=f83a1df1ed4f67e8d8ad
compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a33717b00000

Pavel Skripkin

Jan 15, 2022, 6:36:15 AM
to syzbot, gli...@google.com, syzkall...@googlegroups.com
Hi Syzbot,

On 1/15/22 13:54, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KMSAN: kernel-usb-infoleak in hif_usb_send
>

OK, there are actually 2 problems.

Looks like firmware sets htc_frame_hdr::control by itself [1] on message
send, so we can simply zero it as well to make KMSAN happy.
[1]
https://github.com/qca/open-ath9k-htc-firmware/blob/c5830098717628392ddea2c8397721c3efefb46b/target_firmware/magpie_fw_dev/target/htc/htc.c#L389


With regards,
Pavel Skripkin

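To make the two byte ranges in the reports concrete, here is an added user-space model (not the driver's code) of the 18-byte service-connect message as the driver assembles it: the struct layouts mirror the driver's htc_hst.h, a poison byte stands in for KMSAN's shadow of a freshly kmalloc()'d chunk, and the hardened path zeroes svc_meta_len/pad (bytes 16-17) and the header's control bytes (4-7), as proposed in the thread. The sample field values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the two structs ath9k_htc pushes onto the skb in
 * htc_connect_service() / htc_issue_send(). Layouts mirror the driver's
 * htc_hst.h; they are reproduced here, not included from the kernel. */
struct htc_frame_hdr {
	uint8_t  endpoint_id;
	uint8_t  flags;
	uint16_t payload_len;   /* big-endian on the wire */
	uint8_t  control[4];    /* bytes 4-7: the firmware fills these itself */
} __attribute__((packed));

struct htc_conn_svc_msg {
	uint16_t msg_id;
	uint16_t service_id;
	uint16_t con_flags;
	uint8_t  dl_pipeid;
	uint8_t  ul_pipeid;
	uint8_t  svc_meta_len;  /* byte 16 */
	uint8_t  pad;           /* byte 17 */
} __attribute__((packed));

#define HTC_MSG_LEN (sizeof(struct htc_frame_hdr) + sizeof(struct htc_conn_svc_msg))

/* Stand-in for KMSAN's shadow memory: a fresh kmalloc() chunk is modelled
 * as a buffer full of POISON, and any POISON byte still present when the
 * buffer is "submitted" to USB counts as uninitialized. */
#define POISON 0xAA

static uint16_t to_be16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Build the 18-byte message. 'harden' selects the fix discussed in the
 * thread: zero svc_meta_len/pad and the frame header's control bytes. */
static void build_connect_msg(uint8_t buf[HTC_MSG_LEN], int harden)
{
	struct htc_frame_hdr *hdr = (struct htc_frame_hdr *)buf;
	struct htc_conn_svc_msg *conn = (struct htc_conn_svc_msg *)(buf + sizeof(*hdr));

	memset(buf, POISON, HTC_MSG_LEN);          /* kmalloc() keeps old contents */

	/* htc_connect_service() fills the service-connect body ... */
	conn->msg_id     = to_be16(0x0002);        /* constructed sample values */
	conn->service_id = to_be16(0x0100);        /* 256, the id seen in the log */
	conn->con_flags  = to_be16(0);
	conn->dl_pipeid  = 3;
	conn->ul_pipeid  = 4;
	if (harden) {
		conn->svc_meta_len = 0;            /* bytes 16-17 */
		conn->pad          = 0;
	}

	/* ... and htc_issue_send() pushes the frame header in front of it. */
	hdr->endpoint_id = 0;
	hdr->flags       = 0;
	hdr->payload_len = to_be16(sizeof(*conn));
	if (harden)
		memset(hdr->control, 0, sizeof(hdr->control)); /* bytes 4-7 */
}

/* Bitmask of message byte offsets still carrying POISON, i.e. the bytes
 * KMSAN would report as "uninitialized" at usb_submit_urb(). */
static uint32_t uninit_bytes(const uint8_t buf[HTC_MSG_LEN])
{
	uint32_t mask = 0;
	for (size_t i = 0; i < HTC_MSG_LEN; i++)
		if (buf[i] == POISON)
			mask |= 1u << i;
	return mask;
}

/* Build one message and report which offsets were never written. */
static uint32_t check_connect_msg(int harden)
{
	uint8_t buf[HTC_MSG_LEN];
	build_connect_msg(buf, harden);
	return uninit_bytes(buf);
}

int main(void)
{
	/* Unfixed: bits 4-7 (0xf0) and 16-17 (0x30000) are set; fixed: none. */
	printf("before fix: uninit mask 0x%05x\n", check_connect_msg(0));
	printf("after  fix: uninit mask 0x%05x\n", check_connect_msg(1));
	return 0;
}
```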
syzbot

Jan 15, 2022, 6:58:08 AM
to gli...@google.com, paskr...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in number

=====================================================
BUG: KMSAN: uninit-value in number+0x851/0x23d0 lib/vsprintf.c:490
number+0x851/0x23d0 lib/vsprintf.c:490
vsnprintf+0x1f0d/0x3650 lib/vsprintf.c:2871
snprintf+0x24a/0x290 lib/vsprintf.c:2938
tomoyo_print_header security/tomoyo/audit.c:165 [inline]
tomoyo_init_log+0xd1f/0x3ad0 security/tomoyo/audit.c:255
tomoyo_supervisor+0x8c0/0x27a0 security/tomoyo/common.c:2097
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission security/tomoyo/file.c:587 [inline]
tomoyo_path_perm+0x949/0xc40 security/tomoyo/file.c:838
tomoyo_path_symlink+0xfc/0x190 security/tomoyo/tomoyo.c:199
security_path_symlink+0x220/0x310 security/security.c:1165
do_symlinkat+0x1f6/0xad0 fs/namei.c:4272
__do_sys_symlink fs/namei.c:4299 [inline]
__se_sys_symlink fs/namei.c:4297 [inline]
__x64_sys_symlink+0x12b/0x170 fs/namei.c:4297
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae

Local variable digest created at:
fscrypt_match_name+0xb2/0x480 fs/crypto/fname.c:510
ext4_match+0x332/0xa90 fs/ext4/namei.c:1453

CPU: 0 PID: 4237 Comm: syz-executor.1 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================
=====================================================
BUG: KMSAN: uninit-value in number+0x872/0x23d0 lib/vsprintf.c:491
number+0x872/0x23d0 lib/vsprintf.c:491
vsnprintf+0x1f0d/0x3650 lib/vsprintf.c:2871
snprintf+0x24a/0x290 lib/vsprintf.c:2938
tomoyo_print_header security/tomoyo/audit.c:165 [inline]
tomoyo_init_log+0xd1f/0x3ad0 security/tomoyo/audit.c:255
tomoyo_supervisor+0x8c0/0x27a0 security/tomoyo/common.c:2097
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission security/tomoyo/file.c:587 [inline]
tomoyo_path_perm+0x949/0xc40 security/tomoyo/file.c:838
tomoyo_path_symlink+0xfc/0x190 security/tomoyo/tomoyo.c:199
security_path_symlink+0x220/0x310 security/security.c:1165
do_symlinkat+0x1f6/0xad0 fs/namei.c:4272
__do_sys_symlink fs/namei.c:4299 [inline]
__se_sys_symlink fs/namei.c:4297 [inline]
__x64_sys_symlink+0x12b/0x170 fs/namei.c:4297
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae

Local variable digest created at:
fscrypt_match_name+0xb2/0x480 fs/crypto/fname.c:510
ext4_match+0x332/0xa90 fs/ext4/namei.c:1453

CPU: 0 PID: 4237 Comm: syz-executor.1 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================
=====================================================
BUG: KMSAN: uninit-value in number+0x851/0x23d0 lib/vsprintf.c:490
number+0x851/0x23d0 lib/vsprintf.c:490
vsnprintf+0x1f0d/0x3650 lib/vsprintf.c:2871
snprintf+0x24a/0x290 lib/vsprintf.c:2938
tomoyo_print_header security/tomoyo/audit.c:165 [inline]
tomoyo_init_log+0xd1f/0x3ad0 security/tomoyo/audit.c:255
tomoyo_supervisor+0x8c0/0x27a0 security/tomoyo/common.c:2097
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission security/tomoyo/file.c:587 [inline]
tomoyo_path_perm+0x949/0xc40 security/tomoyo/file.c:838
tomoyo_path_symlink+0xfc/0x190 security/tomoyo/tomoyo.c:199
security_path_symlink+0x220/0x310 security/security.c:1165
do_symlinkat+0x1f6/0xad0 fs/namei.c:4272
__do_sys_symlink fs/namei.c:4299 [inline]
__se_sys_symlink fs/namei.c:4297 [inline]
__x64_sys_symlink+0x12b/0x170 fs/namei.c:4297
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae

Local variable digest created at:
fscrypt_match_name+0xb2/0x480 fs/crypto/fname.c:510
ext4_match+0x332/0xa90 fs/ext4/namei.c:1453

CPU: 0 PID: 4237 Comm: syz-executor.1 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================
=====================================================
BUG: KMSAN: uninit-value in number+0x872/0x23d0 lib/vsprintf.c:491
number+0x872/0x23d0 lib/vsprintf.c:491
vsnprintf+0x1f0d/0x3650 lib/vsprintf.c:2871
snprintf+0x24a/0x290 lib/vsprintf.c:2938
tomoyo_print_header security/tomoyo/audit.c:165 [inline]
tomoyo_init_log+0xd1f/0x3ad0 security/tomoyo/audit.c:255
tomoyo_supervisor+0x8c0/0x27a0 security/tomoyo/common.c:2097
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission security/tomoyo/file.c:587 [inline]
tomoyo_path_perm+0x949/0xc40 security/tomoyo/file.c:838
tomoyo_path_symlink+0xfc/0x190 security/tomoyo/tomoyo.c:199
security_path_symlink+0x220/0x310 security/security.c:1165
do_symlinkat+0x1f6/0xad0 fs/namei.c:4272
__do_sys_symlink fs/namei.c:4299 [inline]
__se_sys_symlink fs/namei.c:4297 [inline]
__x64_sys_symlink+0x12b/0x170 fs/namei.c:4297
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae

Local variable digest created at:
fscrypt_match_name+0xb2/0x480 fs/crypto/fname.c:510
ext4_match+0x332/0xa90 fs/ext4/namei.c:1453

CPU: 0 PID: 4237 Comm: syz-executor.1 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================


Tested on:

commit: fa3879a2 Input: libps2: mark data received in __ps2_co..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13dbb92fb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=876559abf9a0cb9d
dashboard link: https://syzkaller.appspot.com/bug?extid=f83a1df1ed4f67e8d8ad
compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1002ac88700000

Pavel Skripkin

Jan 15, 2022, 7:01:53 AM
to syzbot, gli...@google.com, syzkall...@googlegroups.com
Hi Syzbot,
Looks a bit unrelated... :) Anyway, seems like testing passed, thanks.



With regards,
Pavel Skripkin