2019-07-03 07:20:48

by Lu Shuaibing

[permalink] [raw]
Subject: [PATCH] soc: qcom: msm_bus: initialize cldata->handle field

The initialize cldata->handle in msm_bus_dbg_client_data() or this
field could be used uninitialized in msm_bus_dbg_rec_transaction().
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports this bug.

[ 435.087052] ==================================================================
[ 435.087086] BUG: KUMSAN: uninit-use in msm_bus_dbg_rec_transaction+0x7c/0x50c
[ 435.087106] Read of size 8 at addr ffffffc0d1338008 by task kworker/7:0/3039
[ 435.087119]
[ 435.087141] CPU: 7 PID: 3039 Comm: kworker/7:0 Tainted: G B 4.9.124-dirty #83
[ 435.087157] Hardware name: Google Inc. MSM sdm670 B4 PVT v1.0 (DT)
[ 435.087180] Workqueue: pm pm_runtime_work
[ 435.087193] Call trace:
[ 435.087213] [<ffffff900808eaa0>] dump_backtrace+0x0/0x3b4
[ 435.087234] [<ffffff900808ee70>] show_stack+0x1c/0x24
[ 435.087255] [<ffffff900866b52c>] dump_stack+0xb8/0xe8
[ 435.087276] [<ffffff90082f1398>] kasan_report+0x2a8/0x630
[ 435.087297] [<ffffff90082ef1b4>] __asan_load8+0x190/0x198
[ 435.087317] [<ffffff9008817f1c>] msm_bus_dbg_rec_transaction+0x7c/0x50c
[ 435.087338] [<ffffff900880bfe4>] update_bw_adhoc+0x74/0x2ec
[ 435.087359] [<ffffff9008800e1c>] msm_bus_scale_update_bw+0x44/0x84
[ 435.087382] [<ffffff9009469e84>] geni_se_rmv_ab_ib+0x258/0x3c0
[ 435.087403] [<ffffff900946a0ac>] se_geni_clks_off+0xc0/0x160
[ 435.087425] [<ffffff9008ed9878>] geni_i2c_runtime_suspend+0x40/0x84
[ 435.087446] [<ffffff9008b8bee8>] pm_generic_runtime_suspend+0x58/0x8c
[ 435.087467] [<ffffff9008b8f5fc>] rpm_callback+0x160/0x1bc
[ 435.087488] [<ffffff9008b8f820>] rpm_suspend+0x1c8/0xa04
[ 435.087507] [<ffffff9008b922b0>] pm_runtime_work+0x12c/0x148
[ 435.087527] [<ffffff90080eb7d4>] process_one_work+0x288/0x830
[ 435.087547] [<ffffff90080ebe1c>] worker_thread+0xa0/0x818
[ 435.087566] [<ffffff90080f660c>] kthread+0x128/0x148
[ 435.087585] [<ffffff9008083980>] ret_from_fork+0x10/0x50
[ 435.087597]
[ 435.087611] Allocated by task 1:
[ 435.087631] kasan_kmalloc+0x12c/0x1e0
[ 435.087649] kmem_cache_alloc_trace+0x138/0x290
[ 435.087667] msm_bus_dbg_client_data+0x898/0xad4
[ 435.087687] register_client_adhoc+0x5c0/0x670
[ 435.087705] msm_bus_scale_register_client+0x2c/0x68
[ 435.087725] arm_smmu_init_power_resources+0x43c/0x4cc
[ 435.087743] qsmmuv500_tbu_probe+0x17c/0x1f0
[ 435.087762] platform_drv_probe+0x7c/0x140
[ 435.087781] driver_probe_device+0x170/0x710
[ 435.087800] __device_attach_driver+0x10c/0x1f0
[ 435.087818] bus_for_each_drv+0xbc/0x11c
[ 435.087836] __device_attach+0x174/0x21c
[ 435.087854] device_initial_probe+0x1c/0x24
[ 435.087872] bus_probe_device+0xfc/0x10c
[ 435.087889] device_add+0x718/0x990
[ 435.087909] of_device_add+0x68/0x94
[ 435.087928] of_platform_device_create_pdata+0xe4/0x150
[ 435.087947] of_platform_bus_create+0x1f0/0x62c
[ 435.087966] of_platform_populate+0x8c/0x154
[ 435.087983] qsmmuv500_arch_init+0x40c/0x474
[ 435.088001] arm_smmu_device_dt_probe+0x1b40/0x1ec4
[ 435.088020] platform_drv_probe+0x7c/0x140
[ 435.088039] driver_probe_device+0x170/0x710
[ 435.088057] __driver_attach+0x1c4/0x1c8
[ 435.088074] bus_for_each_dev+0xc4/0x124
[ 435.088092] driver_attach+0x34/0x40
[ 435.088110] bus_add_driver+0x260/0x3f4
[ 435.088128] driver_register+0x108/0x214
[ 435.088147] __platform_driver_register+0x84/0x90
[ 435.088168] arm_smmu_init.part.60+0x4c/0x1bc
[ 435.088186] arm_smmu_init+0x24/0x38
[ 435.088203] do_one_initcall+0x64/0x1c0
[ 435.088223] kernel_init_freeable+0x26c/0x344
[ 435.088244] kernel_init+0x18/0x19c
[ 435.088261] ret_from_fork+0x10/0x50
[ 435.088272]
[ 435.088286] Freed by task 0:
[ 435.088298] (stack is not available)
[ 435.088309]
[ 435.088327] The buggy address belongs to the object at ffffffc0d1338000\x0a which belongs to the cache kmalloc-8192 of size 8192
[ 435.088355] The buggy address is located 8 bytes inside of\x0a 8192-byte region [ffffffc0d1338000, ffffffc0d133a000)
[ 435.088378] The buggy address belongs to the page:
[ 435.088397] page:ffffffbf0344ce00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 435.088420] flags: 0x4000000000004080(slab|head)
[ 435.088434] page dumped because: kasan: bad access detected
[ 435.088446]
[ 435.088459] Memory state around the buggy address:
[ 435.088479] ffffffc0d1337fe0: 20 ea 01 05 27 49 04 aa 03 ab 20 46 29 f0 7a fa
[ 435.088497] ffffffc0d1337ff0: 04 98 03 9a a0 f5 fa 60 04 90 d9 f8 04 10 45 ea
[ 435.088516] >ffffffc0d1338000: 18 a3 32 d1 c0 ff ff ff aa aa aa aa aa aa aa aa
[ 435.088531] ________________________________________________________^__________
[ 435.088549] ffffffc0d1338010: ff ff ff ff 06 00 00 00 00 00 00 00 aa aa aa aa
[ 435.088568] ffffffc0d1338020: 00 d4 d3 c7 c0 ff ff ff 28 a1 33 d1 c0 ff ff ff
[ 435.088580]
[ 435.088593] Memory state around the buggy address:
[ 435.088610] ffffffc0d1337f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 435.088629] ffffffc0d1337f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 435.088647] >ffffffc0d1338000: 00 ff 00 0f 00 00 00 ff ff ff ff ff ff ff ff ff
[ 435.088662] _______________________^___________________________________________
[ 435.088680] ffffffc0d1338080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 435.088698] ffffffc0d1338100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 435.088713] ==================================================================

Signed-off-by: Lu Shuaibing <[email protected]>
---
drivers/soc/qcom/msm_bus/msm_bus_dbg.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/soc/qcom/msm_bus/msm_bus_dbg.c b/drivers/soc/qcom/msm_bus/msm_bus_dbg.c
index df292336f08b..7ef82ba997f7 100644
--- a/drivers/soc/qcom/msm_bus/msm_bus_dbg.c
+++ b/drivers/soc/qcom/msm_bus/msm_bus_dbg.c
@@ -446,6 +446,7 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata,
cldata->clid = clid;
cldata->file = file;
cldata->size = 0;
+ cldata->handle = NULL;
rt_mutex_lock(&msm_bus_dbg_cllist_lock);
list_add_tail(&cldata->list, &cl_list);
rt_mutex_unlock(&msm_bus_dbg_cllist_lock);
--
2.19.1