From: Takashi Iwai <tiwai@suse.de>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: alsa-devel@alsa-project.org, wang6495@umn.edu,
yuehaibing@huawei.com, tiwai@suse.com,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
glider@google.com, allison@lohutok.net,
syzbot <syzbot+8f2612936028bfd28f28@syzkaller.appspotmail.com>,
tglx@linutronix.de, benquike@gmail.com, dan.carpenter@oracle.com
Subject: Re: [alsa-devel] KMSAN: uninit-value in get_term_name
Date: Mon, 28 Oct 2019 14:55:52 +0100
Message-ID: <s5himo9as9j.wl-tiwai@suse.de>
In-Reply-To: <20191028133050.GA13691@kroah.com>

On Mon, 28 Oct 2019 14:30:50 +0100,
Greg KH wrote:
>
> On Mon, Oct 28, 2019 at 02:13:20PM +0100, Takashi Iwai wrote:
> > On Mon, 28 Oct 2019 11:32:07 +0100,
> > syzbot wrote:
> > >
> > > Uninit was stored to memory at:
> > > kmsan_save_stack_with_flags mm/kmsan/kmsan.c:151 [inline]
> > > kmsan_internal_chain_origin+0xbd/0x180 mm/kmsan/kmsan.c:319
> > > __msan_chain_origin+0x6b/0xd0 mm/kmsan/kmsan_instr.c:179
> > > parse_term_proc_unit+0x73d/0x7e0 sound/usb/mixer.c:896
> > > __check_input_term+0x13ef/0x2360 sound/usb/mixer.c:989
> >
> > So this comes from the invalid descriptor for a processing unit, and
> > it's very likely the same issue as already spotted -- the validator up
> > to 5.3-rc4 had a bug that passed the invalid descriptor falsely.
> > This should have been covered by 5.3-rc5, commit ba8bf0967a15 ("ALSA:
> > usb-audio: Fix copy&paste error in the validator").
>
> Should we be backporting the validator to any older kernels as well?

Yes, that would be nice.  I didn't mark them for stable just because
they are a bit largish and wanted to let them be tested for 5.4 for a
while.

The following commits are relevant (from top/old to bottom/new).

57f8770620e9b51c61089751f0b5ad3dbe376ff2
    ALSA: usb-audio: More validations of descriptor units
68e9fde245591d18200f8a9054cac22339437adb
    ALSA: usb-audio: Simplify parse_audio_unit()
52c3e317a857091fd746e15179a637f32be4d337
    ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects
b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a
    ALSA: usb-audio: Remove superfluous bLength checks
e0ccdef92653f8867e2d1667facfd3c23699f540
    ALSA: usb-audio: Clean up check_input_term()
60849562a5db4a1eee2160167e4dce4590d3eafe
    ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk()
b39e077fcb283dd96dd251a3abeba585402c61fe
    ALSA: usb-audio: remove some dead code
ba8bf0967a154796be15c4983603aad0b05c3138
    ALSA: usb-audio: Fix copy&paste error in the validator


thanks,

Takashi
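
The failure mode discussed in this thread, a processing-unit descriptor that is accepted although it is too short for the fields the parser later reads, can be illustrated with a length check like the one below. This is an added example, not code from the thread or from sound/usb; it assumes the USB Audio Class 1.0 processing unit layout, and the names `pu_desc_valid`, `pu_iprocessing` and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* UAC1 processing unit descriptor byte offsets (assumed layout). */
enum { PU_NR_IN_PINS = 6, PU_SOURCE_IDS = 7 };

/* Hypothetical check: 1 only if every field the parser reads lies inside
 * both bLength and the bytes actually received (avail). */
static int pu_desc_valid(const uint8_t *d, size_t avail)
{
    size_t len, ctl_off;

    if (avail < PU_SOURCE_IDS)           /* need header up to bNrInPins */
        return 0;
    len = d[0];                          /* bLength */
    if (len < PU_SOURCE_IDS || len > avail)
        return 0;
    /* skip baSourceID[p], bNrChannels, wChannelConfig, iChannelNames */
    ctl_off = PU_SOURCE_IDS + d[PU_NR_IN_PINS] + 4;
    if (len < ctl_off + 1)               /* bControlSize must be present */
        return 0;
    /* bmControls[bControlSize] and the trailing iProcessing byte */
    return len >= ctl_off + 1 + d[ctl_off] + 1;
}

/* Returns iProcessing (string index), or -1 for a malformed descriptor. */
static int pu_iprocessing(const uint8_t *d, size_t avail)
{
    size_t ctl_off;

    if (!pu_desc_valid(d, avail))
        return -1;
    ctl_off = PU_SOURCE_IDS + d[PU_NR_IN_PINS] + 4;
    return d[ctl_off + 1 + d[ctl_off]];
}

/* Constructed samples: one well-formed unit, one cut off after baSourceID. */
static const uint8_t pu_good[] = { 15, 0x24, 0x07, 5, 1, 0, 1, 2,
                                   2, 3, 0, 0, 1, 1, 9 };
static const uint8_t pu_short[] = { 8, 0x24, 0x07, 5, 1, 0, 1, 2 };

int main(void)
{
    return !(pu_iprocessing(pu_good, sizeof(pu_good)) == 9 &&
             pu_iprocessing(pu_short, sizeof(pu_short)) == -1);
}
```

Without the length checks, reading iProcessing from the short sample would index past the bytes the device supplied, which is the kind of uninitialized read KMSAN reports.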