From: Takashi Iwai <tiwai@suse.de>
To: Edward Adam Davis <eadavis@qq.com>
Cc: syzbot+7fb05ccf7b3d2f9617b3@syzkaller.appspotmail.com,
	linux-kernel@vger.kernel.org, linux-sound@vger.kernel.org,
	linux-usb@vger.kernel.org, perex@perex.cz,
	syzkaller-bugs@googlegroups.com, tiwai@suse.com
Subject: Re: [PATCH] ALSA: line6: fix uninit-value in line6_pod_process_message
Date: Tue, 02 Apr 2024 08:51:19 +0200
Message-ID: <87o7ass1eg.wl-tiwai@suse.de>
In-Reply-To: <tencent_44291B84257ABAB7BB7B33C49E0E1BC74B08@qq.com>

On Tue, 02 Apr 2024 08:47:24 +0200,
Edward Adam Davis wrote:
> 
> [Syzbot reported]
> BUG: KMSAN: uninit-value in line6_pod_process_message+0x72f/0x7b0 sound/usb/line6/pod.c:201
>  line6_pod_process_message+0x72f/0x7b0 sound/usb/line6/pod.c:201
>  line6_data_received+0x5db/0x7e0 sound/usb/line6/driver.c:317
>  __usb_hcd_giveback_urb+0x508/0x770 drivers/usb/core/hcd.c:1648
>  usb_hcd_giveback_urb+0x157/0x720 drivers/usb/core/hcd.c:1732
>  dummy_timer+0xd93/0x6b10 drivers/usb/gadget/udc/dummy_hcd.c:1987
>  call_timer_fn+0x49/0x580 kernel/time/timer.c:1793
>  expire_timers kernel/time/timer.c:1844 [inline]
>  __run_timers kernel/time/timer.c:2418 [inline]
>  __run_timer_base+0x84e/0xe90 kernel/time/timer.c:2429
>  run_timer_base kernel/time/timer.c:2438 [inline]
>  run_timer_softirq+0x3a/0x70 kernel/time/timer.c:2448
>  __do_softirq+0x1c0/0x7d7 kernel/softirq.c:554
>  invoke_softirq kernel/softirq.c:428 [inline]
>  __irq_exit_rcu kernel/softirq.c:633 [inline]
>  irq_exit_rcu+0x6a/0x130 kernel/softirq.c:645
>  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
>  sysvec_apic_timer_interrupt+0x83/0x90 arch/x86/kernel/apic/apic.c:1043
>  asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:702
>  native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
>  arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline]
>  acpi_safe_halt+0x25/0x30 drivers/acpi/processor_idle.c:112
>  acpi_idle_do_entry+0x22/0x40 drivers/acpi/processor_idle.c:573
>  acpi_idle_enter+0xa1/0xc0 drivers/acpi/processor_idle.c:707
>  cpuidle_enter_state+0xcb/0x250 drivers/cpuidle/cpuidle.c:267
>  cpuidle_enter+0x7f/0xf0 drivers/cpuidle/cpuidle.c:388
>  call_cpuidle kernel/sched/idle.c:155 [inline]
>  cpuidle_idle_call kernel/sched/idle.c:236 [inline]
>  do_idle+0x551/0x750 kernel/sched/idle.c:332
>  cpu_startup_entry+0x65/0x80 kernel/sched/idle.c:430
>  rest_init+0x1e8/0x260 init/main.c:732
>  start_kernel+0x927/0xa70 init/main.c:1074
>  x86_64_start_reservations+0x2e/0x30 arch/x86/kernel/head64.c:507
>  x86_64_start_kernel+0x98/0xa0 arch/x86/kernel/head64.c:488
>  common_startup_64+0x12c/0x137
> 
> Uninit was created at:
>  slab_post_alloc_hook mm/slub.c:3804 [inline]
>  slab_alloc_node mm/slub.c:3845 [inline]
>  kmalloc_trace+0x578/0xba0 mm/slub.c:3992
>  kmalloc include/linux/slab.h:628 [inline]
>  line6_init_cap_control+0x4f1/0x770 sound/usb/line6/driver.c:700
>  line6_probe+0xeae/0x1120 sound/usb/line6/driver.c:797
>  pod_probe+0x79/0x90 sound/usb/line6/pod.c:522
>  usb_probe_interface+0xd6f/0x1350 drivers/usb/core/driver.c:399
>  really_probe+0x4db/0xd90 drivers/base/dd.c:656
>  __driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:798
>  driver_probe_device+0x72/0x890 drivers/base/dd.c:828
>  __device_attach_driver+0x568/0x9e0 drivers/base/dd.c:956
>  bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
>  __device_attach+0x3c1/0x650 drivers/base/dd.c:1028
>  device_initial_probe+0x32/0x40 drivers/base/dd.c:1077
>  bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
>  device_add+0x1475/0x1c90 drivers/base/core.c:3705
>  usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210
>  usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:254
>  usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:294
>  really_probe+0x4db/0xd90 drivers/base/dd.c:656
>  __driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:798
>  driver_probe_device+0x72/0x890 drivers/base/dd.c:828
>  __device_attach_driver+0x568/0x9e0 drivers/base/dd.c:956
>  bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
>  __device_attach+0x3c1/0x650 drivers/base/dd.c:1028
>  device_initial_probe+0x32/0x40 drivers/base/dd.c:1077
>  bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
>  device_add+0x1475/0x1c90 drivers/base/core.c:3705
>  usb_new_device+0x15ff/0x2470 drivers/usb/core/hub.c:2643
>  hub_port_connect drivers/usb/core/hub.c:5512 [inline]
>  hub_port_connect_change drivers/usb/core/hub.c:5652 [inline]
>  port_event drivers/usb/core/hub.c:5812 [inline]
>  hub_event+0x4ff8/0x72d0 drivers/usb/core/hub.c:5894
>  process_one_work kernel/workqueue.c:3254 [inline]
>  process_scheduled_works+0xa81/0x1bd0 kernel/workqueue.c:3335
>  worker_thread+0xea5/0x1560 kernel/workqueue.c:3416
>  kthread+0x3e2/0x540 kernel/kthread.c:388
>  ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
> [Fix]
> Let's clear all the content of the buffer message during alloc.
> 
> Reported-and-tested-by: syzbot+7fb05ccf7b3d2f9617b3@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>

A fix has already been submitted in https://lore.kernel.org/r/20240402063628.26609-1-tiwai@suse.de


thanks,

Takashi
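The bug class in the quoted syzbot report (a kmalloc'ed receive buffer whose bytes are read by the message processor before any transfer has written them), as a constructed userspace C model added here; it is not the line6 driver's code and not the submitted fix. It assumes a 64-byte buffer, a 1-byte short transfer, and 0xAA poison standing in for whatever stale contents the heap happened to hold, which is what KMSAN would report as uninit-value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the defect class above; not the driver's code.
 * A receive buffer is allocated once at probe time and later filled by
 * transfer-completion callbacks. The consumer interprets the first two
 * bytes of the buffer as a message header. */

#define MSG_BUF_SIZE 64   /* assumed size, not taken from the driver */

struct rx_buf {
    unsigned char *data;
    size_t len;  /* bytes actually delivered by the most recent transfer */
};

/* kmalloc-style allocation: contents are whatever was left in the heap.
 * Poisoned with 0xAA here so the stale contents are reproducible; in the
 * kernel, KMSAN flags any read of such bytes as an uninit-value. */
static unsigned char *alloc_uninit(size_t size)
{
    unsigned char *p = malloc(size);
    if (p)
        memset(p, 0xAA, size);
    return p;
}

/* kzalloc-style allocation: the "clear during alloc" fix the patch
 * description proposes. */
static unsigned char *alloc_zeroed(size_t size)
{
    return calloc(1, size);
}

/* Completion-callback model: copy the delivered bytes, record how many. */
static void deliver(struct rx_buf *b, const unsigned char *payload, size_t n)
{
    if (n > MSG_BUF_SIZE)
        n = MSG_BUF_SIZE;
    memcpy(b->data, payload, n);
    b->len = n;
}

/* Consumer without a length check: reads byte 1 even when only byte 0
 * was delivered. Returns the header byte it saw. */
static int process_message_unchecked(const struct rx_buf *b)
{
    return b->data[1];
}

/* Consumer with a length check: refuses to parse a short message. */
static int process_message_checked(const struct rx_buf *b)
{
    if (b->len < 2)
        return -1;
    return b->data[1];
}

/* Run one scenario: allocate with `alloc`, deliver a constructed 1-byte
 * transfer, parse with `consumer`, and return what the consumer saw. */
static int run_scenario(unsigned char *(*alloc)(size_t),
                        int (*consumer)(const struct rx_buf *))
{
    static const unsigned char short_xfer[1] = { 0x01 };  /* constructed */
    struct rx_buf b = { alloc(MSG_BUF_SIZE), 0 };
    int seen;

    if (!b.data)
        return -2;
    deliver(&b, short_xfer, sizeof short_xfer);
    seen = consumer(&b);
    free(b.data);
    return seen;
}

int uninit_unchecked(void) { return run_scenario(alloc_uninit, process_message_unchecked); }
int zeroed_unchecked(void) { return run_scenario(alloc_zeroed, process_message_unchecked); }
int zeroed_checked(void)   { return run_scenario(alloc_zeroed, process_message_checked); }

int main(void)
{
    printf("uninit buffer, unchecked parse: header byte 0x%02x (stale heap)\n",
           uninit_unchecked());
    printf("zeroed buffer, unchecked parse: header byte 0x%02x\n",
           zeroed_unchecked());
    printf("zeroed buffer, checked parse:   %d (rejected as short)\n",
           zeroed_checked());
    return 0;
}
```

Zeroing at allocation makes the stray read deterministic and is what silences KMSAN; the length-checked consumer is the complementary hardening, since it rejects a truncated message outright instead of parsing a zero header. The page itself states only the zeroing fix; the length check is this example's addition.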


Thread overview: 5+ messages
2024-04-01 16:51 [syzbot] [usb?] [sound?] KMSAN: uninit-value in line6_pod_process_message syzbot
2024-04-02  2:24 ` Edward Adam Davis
2024-04-02  6:29   ` syzbot
2024-04-02  6:47 ` [PATCH] ALSA: line6: fix " Edward Adam Davis
2024-04-02  6:51   ` Takashi Iwai [this message]
