[syzbot] [usb?] KMSAN: uninit-value in bcmp (3)


syzbot

Aug 12, 2024, 1:40:21 AM
Hello,

syzbot found the following issue on:

HEAD commit: 6a0e38264012 Merge tag 'for-6.11-rc2-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10bd11c9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=305509ad8eb5f9b8
dashboard link: https://syzkaller.appspot.com/bug?extid=0399100e525dd9696764
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/31249d4202ea/disk-6a0e3826.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4b1dd9804fd7/vmlinux-6a0e3826.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a3a8887ee631/bzImage-6a0e3826.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

=====================================================
BUG: KMSAN: uninit-value in memcmp lib/string.c:665 [inline]
BUG: KMSAN: uninit-value in bcmp+0xc3/0x1c0 lib/string.c:697
memcmp lib/string.c:665 [inline]
bcmp+0xc3/0x1c0 lib/string.c:697
iowarrior_callback+0x3fe/0xa30 drivers/usb/misc/iowarrior.c:185
__usb_hcd_giveback_urb+0x572/0x840 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x157/0x720 drivers/usb/core/hcd.c:1734
dummy_timer+0xd3f/0x6aa0 drivers/usb/gadget/udc/dummy_hcd.c:1987
__run_hrtimer kernel/time/hrtimer.c:1689 [inline]
__hrtimer_run_queues+0x564/0xe40 kernel/time/hrtimer.c:1753
hrtimer_interrupt+0x3ab/0x1490 kernel/time/hrtimer.c:1815
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline]
__sysvec_apic_timer_interrupt+0xa6/0x3a0 arch/x86/kernel/apic/apic.c:1049
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x7e/0x90 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:702
native_irq_enable arch/x86/include/asm/irqflags.h:42 [inline]
arch_local_irq_enable arch/x86/include/asm/irqflags.h:97 [inline]
raw_spin_rq_unlock_irq kernel/sched/sched.h:1427 [inline]
finish_lock_switch kernel/sched/core.c:4942 [inline]
finish_task_switch+0x19a/0x8f0 kernel/sched/core.c:5060
context_switch kernel/sched/core.c:5191 [inline]
__schedule+0x2094/0x6580 kernel/sched/core.c:6529
__schedule_loop kernel/sched/core.c:6606 [inline]
schedule+0x13d/0x380 kernel/sched/core.c:6621
smpboot_thread_fn+0x704/0xa60 kernel/smpboot.c:160
kthread+0x3dd/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was created at:
slab_post_alloc_hook mm/slub.c:3994 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
__do_kmalloc_node mm/slub.c:4157 [inline]
__kmalloc_noprof+0x661/0xf30 mm/slub.c:4170
kmalloc_noprof include/linux/slab.h:685 [inline]
kmalloc_array_noprof include/linux/slab.h:726 [inline]
iowarrior_probe+0x10ea/0x1b90 drivers/usb/misc/iowarrior.c:836
usb_probe_interface+0xd6f/0x1350 drivers/usb/core/driver.c:399
really_probe+0x4db/0xd90 drivers/base/dd.c:657
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
driver_probe_device+0x72/0x890 drivers/base/dd.c:829
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1029
device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x13aa/0x1ba0 drivers/base/core.c:3679
usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:254
usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:294
really_probe+0x4db/0xd90 drivers/base/dd.c:657
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
driver_probe_device+0x72/0x890 drivers/base/dd.c:829
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1029
device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x13aa/0x1ba0 drivers/base/core.c:3679
usb_new_device+0x15f4/0x2470 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x4ff8/0x72d0 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3312
worker_thread+0xea5/0x1520 kernel/workqueue.c:3390
kthread+0x3dd/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc2-syzkaller-00027-g6a0e38264012 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Sep 22, 2024, 12:57:22 PM
syzbot has found a reproducer for the following issue on:

HEAD commit: 88264981f208 Merge tag 'sched_ext-for-6.12' of git://git.k..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1559dca9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=547de13ee0a4d284
dashboard link: https://syzkaller.appspot.com/bug?extid=0399100e525dd9696764
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b7b080580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11c9de9f980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d83fc781c223/disk-88264981.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1ed4c5969fba/vmlinux-88264981.xz
kernel image: https://storage.googleapis.com/syzbot-assets/76a67bd894be/bzImage-88264981.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

=====================================================
BUG: KMSAN: uninit-value in memcmp lib/string.c:665 [inline]
BUG: KMSAN: uninit-value in bcmp+0xc3/0x1c0 lib/string.c:697
memcmp lib/string.c:665 [inline]
bcmp+0xc3/0x1c0 lib/string.c:697
iowarrior_callback+0x3fe/0xa30 drivers/usb/misc/iowarrior.c:185
__usb_hcd_giveback_urb+0x572/0x840 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x157/0x720 drivers/usb/core/hcd.c:1734
dummy_timer+0xd3f/0x6aa0 drivers/usb/gadget/udc/dummy_hcd.c:1987
__run_hrtimer kernel/time/hrtimer.c:1691 [inline]
__hrtimer_run_queues+0x564/0xe40 kernel/time/hrtimer.c:1755
hrtimer_interrupt+0x3ab/0x1490 kernel/time/hrtimer.c:1817
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1026 [inline]
__sysvec_apic_timer_interrupt+0xa6/0x3a0 arch/x86/kernel/apic/apic.c:1043
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline]
sysvec_apic_timer_interrupt+0x40/0x90 arch/x86/kernel/apic/apic.c:1037
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:702
__msan_metadata_ptr_for_store_8+0x34/0x40 mm/kmsan/instrumentation.c:94
___bpf_prog_run+0x7f2a/0xe0f0
__bpf_prog_run32+0xc2/0xf0 kernel/bpf/core.c:2251
bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
__bpf_prog_run include/linux/filter.h:701 [inline]
bpf_prog_run include/linux/filter.h:708 [inline]
bpf_prog_run_pin_on_cpu include/linux/filter.h:725 [inline]
bpf_prog_run_clear_cb include/linux/filter.h:966 [inline]
run_filter+0x150/0x3f0 net/packet/af_packet.c:2148
packet_rcv+0x636/0x2050 net/packet/af_packet.c:2221
deliver_skb net/core/dev.c:2239 [inline]
deliver_ptype_list_skb net/core/dev.c:2254 [inline]
__netif_receive_skb_core+0x53f9/0x6c90 net/core/dev.c:5613
__netif_receive_skb_list_core+0x31e/0x1670 net/core/dev.c:5737
__netif_receive_skb_list net/core/dev.c:5804 [inline]
netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:5895
gro_normal_list include/net/gro.h:515 [inline]
napi_complete_done+0x42e/0x890 net/core/dev.c:6246
virtqueue_napi_complete drivers/net/virtio_net.c:697 [inline]
virtnet_poll+0x5cb8/0x6b30 drivers/net/virtio_net.c:2825
__napi_poll+0xe7/0x980 net/core/dev.c:6771
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa5a/0x19b0 net/core/dev.c:6962
handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x68/0x120 kernel/softirq.c:637
irq_exit_rcu+0x12/0x20 kernel/softirq.c:649
common_interrupt+0x97/0xb0 arch/x86/kernel/irq.c:278
asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
kmsan_get_shadow_origin_ptr+0x4d/0xb0 mm/kmsan/shadow.c:102
get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline]
__msan_metadata_ptr_for_store_8+0x27/0x40 mm/kmsan/instrumentation.c:94
unwind_next_frame+0x8d/0x360 arch/x86/kernel/unwind_frame.c:298
arch_stack_walk+0x1ab/0x260 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0xaa/0xe0 kernel/stacktrace.c:122
kmsan_save_stack_with_flags mm/kmsan/core.c:73 [inline]
kmsan_internal_chain_origin+0x57/0xd0 mm/kmsan/core.c:182
kmsan_internal_memmove_metadata+0x17b/0x230 mm/kmsan/core.c:138
__msan_memcpy+0x108/0x1c0 mm/kmsan/instrumentation.c:200
sock_write_iter+0x38b/0x3d0 net/socket.c:1167
new_sync_write fs/read_write.c:590 [inline]
vfs_write+0xb28/0x1540 fs/read_write.c:683
ksys_write+0x20f/0x4c0 fs/read_write.c:736
__do_sys_write fs/read_write.c:748 [inline]
__se_sys_write fs/read_write.c:745 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:745
x64_sys_call+0x306a/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
slab_post_alloc_hook mm/slub.c:4092 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x661/0xf30 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
kmalloc_array_noprof include/linux/slab.h:923 [inline]
iowarrior_probe+0x10ea/0x1b90 drivers/usb/misc/iowarrior.c:836
usb_probe_interface+0xd6f/0x1350 drivers/usb/core/driver.c:399
really_probe+0x4db/0xd90 drivers/base/dd.c:657
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
driver_probe_device+0x72/0x890 drivers/base/dd.c:829
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1029
device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x13aa/0x1ba0 drivers/base/core.c:3682
usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:254
usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:294
really_probe+0x4db/0xd90 drivers/base/dd.c:657
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
driver_probe_device+0x72/0x890 drivers/base/dd.c:829
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1029
device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x13aa/0x1ba0 drivers/base/core.c:3682
usb_new_device+0x15f4/0x2470 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x4ffb/0x72d0 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

CPU: 0 UID: 0 PID: 5170 Comm: sshd Not tainted 6.11.0-syzkaller-08481-g88264981f208 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
=====================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Qianqiang Liu

Oct 6, 2024, 7:55:30 PM
#syz test

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index 6d28467ce352..ad2a9c09987c 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -832,9 +832,8 @@ static int iowarrior_probe(struct usb_interface *interface,
iowarrior_callback, dev,
dev->int_in_endpoint->bInterval);
/* create an internal buffer for interrupt data from the device */
- dev->read_queue =
- kmalloc_array(dev->report_size + 1, MAX_INTERRUPT_BUFFER,
- GFP_KERNEL);
+ dev->read_queue = kcalloc(dev->report_size + 1, MAX_INTERRUPT_BUFFER,
+ GFP_KERNEL);
if (!dev->read_queue)
goto error;
/* Get the serial-number of the chip */
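Review bot: the submission has no changelog and none of the tags the report asks for, so before it goes out as a real patch it should state why zeroing is the right fix and carry `Reported-by: [email protected]`. The KMSAN trace above shows the uninitialized read in `iowarrior_callback` (drivers/usb/misc/iowarrior.c:185) doing a memcmp against memory that `kmalloc_array` in `iowarrior_probe` (iowarrior.c:836) allocated but never wrote, so the first interrupt report is compared against indeterminate bytes; `kcalloc(dev->report_size + 1, MAX_INTERRUPT_BUFFER, GFP_KERNEL)` keeps the same `(n, size, flags)` order and overflow-checked multiplication while returning zeroed memory, which is worth one sentence in the commit message so a later reader does not mistake it for a cosmetic change.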

--
Best,
Qianqiang Liu

syzbot

Oct 6, 2024, 8:26:05 PM
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: [email protected]
Tested-by: [email protected]

Tested on:

commit: 8f602276 Merge tag 'bcachefs-2024-10-05' of git://evil..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=116cf307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d302f14701986aa0
dashboard link: https://syzkaller.appspot.com/bug?extid=0399100e525dd9696764
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=122af380580000

Note: testing is done by a robot and is best-effort only.