Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B0542C4332F for ; Wed, 29 Dec 2021 09:16:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239505AbhL2JQ1 (ORCPT ); Wed, 29 Dec 2021 04:16:27 -0500 Received: from smtp06.smtpout.orange.fr ([80.12.242.128]:50578 "EHLO smtp.smtpout.orange.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239492AbhL2JQZ (ORCPT ); Wed, 29 Dec 2021 04:16:25 -0500 Received: from [192.168.1.18] ([86.243.171.122]) by smtp.orange.fr with ESMTPA id 2V4InTzq1MxZu2V4InMidO; Wed, 29 Dec 2021 10:16:24 +0100 X-ME-Helo: [192.168.1.18] X-ME-Auth: YWZlNiIxYWMyZDliZWIzOTcwYTEyYzlhMmU3ZiQ1M2U2MzfzZDfyZTMxZTBkMTYyNDBjNDJlZmQ3ZQ== X-ME-Date: Wed, 29 Dec 2021 10:16:24 +0100 X-ME-IP: 86.243.171.122 Message-ID: <156fb7f1-cf12-e6cb-63c0-5c0413ce2b2e@wanadoo.fr> Date: Wed, 29 Dec 2021 10:16:22 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.1 Subject: Re: KMSAN: uninit-value in alauda_check_media Content-Language: en-US To: Alan Stern Cc: glider@google.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com, usb-storage@lists.one-eyed-alien.net, Kernel Janitors References: <0000000000007d25ff059457342d@google.com> From: Christophe JAILLET In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le 28/12/2021 à 23:49, Alan Stern a écrit : > On Tue, Dec 28, 2021 at 08:47:15AM +0100, Christophe JAILLET wrote: >> Hi, >> >> (2nd try - text only format - sorry for the noise) >> >> >> first try to use syzbot. I hope I do it right. >> Discussion about the syz report can be found at >> https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d@google.com/ >> >> This patch only test if alauda_get_media_status() (and its embedded >> usb_stor_ctrl_transfer()) before using the data. >> In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere. >> >> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git >> master >> >> CJ >> > >> diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c >> index 20b857e97e60..6c486d964911 100644 >> --- a/drivers/usb/storage/alauda.c >> +++ b/drivers/usb/storage/alauda.c >> @@ -318,7 +318,8 @@ static int alauda_get_media_status(struct us_data *us, unsigned char *data) >> rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe, >> command, 0xc0, 0, 1, data, 2); >> >> - usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); >> + if (rc == USB_STOR_XFER_GOOD) >> + usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); > > Instead of adding this test, you could initialize data[0] and data[1] > to zero before the call to usb_stor_ctrl_transfer. Well, having the test is cleaner, IMHO. If usb_stor_ctrl_transfer() fails, a message explaining the reason is already generated by the same usb_stor_dbg(). Having an error message followed by another one stating that the Media Status is 0x00 0x00 could be confusing I think. Let me know if you have a real preference for a memset(data, 0, 2). If so, I'll add it. > >> >> return rc; >> } >> @@ -453,8 +454,11 @@ static int alauda_check_media(struct us_data *us) >> { >> struct alauda_info *info = (struct alauda_info *) us->extra; >> unsigned char status[2]; >> + int rc; >> >> - alauda_get_media_status(us, status); >> + rc = alauda_get_media_status(us, status); >> + if (rc != USB_STOR_TRANSPORT_GOOD) >> + return USB_STOR_TRANSPORT_ERROR; >> >> /* Check for no media or door open */ >> if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10) > > In general this looks fine. Let us know when you are ready to submit > the patch. I was unsure that this patch would get any interest because the driver looks old. That's why I first tried to play with syzbot :) In the syzbot history, you also mentioned that 'unsigned char status[2]' should be 'unsigned char *status = us->iobuf;' This is more a blind fix for me, but it looks consistent with other places that call alauda_get_media_status(). So, once you confirm if you prefer my 'if' or a 'memset', I'll resend a small serie for fixing both issues. CJ > > Alan Stern >