Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp966490ybp; Fri, 11 Oct 2019 07:08:55 -0700 (PDT) X-Google-Smtp-Source: APXvYqwWY4x4lB+YbGWYo5tIlkxF5qI/j1lM39FdpN9mV3onxyNtk7786e4B0aq07fN6yqMg9n29 X-Received: by 2002:aa7:cf12:: with SMTP id a18mr13879547edy.278.1570802935759; Fri, 11 Oct 2019 07:08:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570802935; cv=none; d=google.com; s=arc-20160816; b=BSniGZLpCy2Jtj/hQKjf3NbWBcxA2SGQ7Zce52GRABuhhnWjyCIuGovHWMScSHmLJb I9PxSSfD+ER9OnR40gNw+gJ+Yyr0uhdKKEiWW9Sf880jxTbz76Apj2XfAK7PU3TXQQO6 g1Z5KxqaiH+9Ai7e7F83psNZp8OBVIB5r88c6RWRgyhEE4z9akOdLl1jIIU6ELAVD9gn uefO1D+8ctA8KGUH6sQ0WHvplBt6gFKVzP1oICm9+o63NAZdaJGIhgdAlnmdoEUq7UGy 0KxapvhdgvsGPrJxGX/uxlnhPU5tZRI9b9FE78eqNqPbQcJPD5Ams+lLVBTbD9l4eTB8 7qvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=q+C3tB8WIewEMAtVNRPI0KhLEVslFhiW8Yz5JB6pxfQ=; b=r4hcyuF0hmTb3sL+AxC+0+93OnWO/dcTvSuAREY68xlZaptv+zV602rDmHL+AELOaq ferRDNnkzvNrHVXhDHmjsE0giEPj8sOWmAkbtfNkLAAKOR4E9JFtt0PHhrEcP70rsL3q 9qZ/VLADjxszPA3ImE96jPtHhAhbedqIB/CwZtqahxSe+/IvL4ljbNpOkcVn6EEiHPSw G4iI7ushOswYQ2cIeF4oEesSnJBQZit7vwjxijFLHM9xQS1ElLMZax/bD2i4s8u0o+AB LtWnGhOySxaPYx+hmaVcxSIQwv3pJzpF3VGIQIjZD9lgESwLalmdurypAh11xN+Lnbf/ ZOBQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id oh20si5399500ejb.323.2019.10.11.07.08.32; Fri, 11 Oct 2019 07:08:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728279AbfJKOI2 (ORCPT + 99 others); Fri, 11 Oct 2019 10:08:28 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:41596 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1728068AbfJKOI2 (ORCPT ); Fri, 11 Oct 2019 10:08:28 -0400 Received: (qmail 1736 invoked by uid 2102); 11 Oct 2019 10:08:27 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Oct 2019 10:08:27 -0400 Date: Fri, 11 Oct 2019 10:08:27 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: Jaskaran Singh cc: syzbot , , , , , , Subject: Re: KMSAN: uninit-value in alauda_check_media In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 11 Oct 2019, Jaskaran Singh wrote: > On Mon, 2019-10-07 at 12:39 -0700, syzbot wrote: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: 1e76a3e5 kmsan: replace __GFP_NO_KMSAN_SHADOW with > > kmsan_i.. > > git tree: https://github.com/google/kmsan.git master > > console output: > > https://syzkaller.appspot.com/x/log.txt?x=1204cc63600000 > > kernel config: > > https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d > > dashboard link: > > https://syzkaller.appspot.com/bug?extid=e7d46eb426883fb97efd > > compiler: clang version 9.0.0 (/home/glider/llvm/clang > > 80fee25776c2fb61e74c1ecb1a523375c2500b69) > > syz repro: > > https://syzkaller.appspot.com/x/repro.syz?x=123c860d600000 > > C reproducer: > > https://syzkaller.appspot.com/x/repro.c?x=110631b7600000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the > > commit: > > Reported-by: syzbot+e7d46eb426883fb97efd@syzkaller.appspotmail.com > > > > ===================================================== > > BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 > > drivers/usb/storage/alauda.c:1137 > > CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, > > BIOS > > Google 01/01/2011 > > Call Trace: > > __dump_stack lib/dump_stack.c:77 [inline] > > dump_stack+0x191/0x1f0 lib/dump_stack.c:113 > > kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108 > > __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250 > > alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460 > > alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137 > > usb_stor_invoke_transport+0xf5/0x27e0 > > drivers/usb/storage/transport.c:606 > > usb_stor_transparent_scsi_command+0x5d/0x70 > > drivers/usb/storage/protocol.c:108 > > usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380 > > kthread+0x4b5/0x4f0 kernel/kthread.c:256 > > ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355 > #syz test: https://github.com/google/kmsan.git 1e76a3e5 > > diff --git a/drivers/usb/storage/alauda.c > b/drivers/usb/storage/alauda.c > index ddab2cd3d2e7..bb309b9ad65b 100644 > --- a/drivers/usb/storage/alauda.c > +++ b/drivers/usb/storage/alauda.c > @@ -452,7 +452,7 @@ static int alauda_init_media(struct us_data *us) > static int alauda_check_media(struct us_data *us) > { > struct alauda_info *info = (struct alauda_info *) us->extra; > - unsigned char status[2]; > + unsigned char *status = us->iobuf; > int rc; > > rc = alauda_get_media_status(us, status); That is absolutely not the correct fix. The problem is that after this call, the code does not check rc to see if an error occurred. If there was an error, the value of status is meaningless so there's no point examining it at all. Now yes, it's true that defining status as an array on the stack is also a bug, since USB transfer buffers are not allowed to be stack variables. And the change you made _is_ the right way to fix that bug. But that is a separate bug, not the one that syzbot found. Alan Stern