* [syzbot] [hwmon?] KMSAN: uninit-value in get_temp_cnct
@ 2025-06-19  4:31 syzbot
  2025-06-19  5:56 ` Guenter Roeck
  2025-06-19 13:37 ` [PATCH] hwmon: fill it with 0 when data size is insufficient Edward Adam Davis
  0 siblings, 2 replies; 6+ messages in thread
From: syzbot @ 2025-06-19  4:31 UTC (permalink / raw)
  To: jdelvare, linux-hwmon, linux-kernel, linux, mail, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    4774cfe3543a Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10e3f10c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=61539536677af51c
dashboard link: https://syzkaller.appspot.com/bug?extid=3bbbade4e1a7ab45ca3b
compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0cb38ba04f99/disk-4774cfe3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ff376a7ba200/vmlinux-4774cfe3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/570051315dbf/bzImage-4774cfe3.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3bbbade4e1a7ab45ca3b@syzkaller.appspotmail.com

usb 7-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 7-1: config 0 descriptor??
corsair-cpro 0003:1B1C:0C10.0017: hidraw0: USB HID v4.06 Device [HID 1b1c:0c10] on usb-dummy_hcd.6-1/input0
=====================================================
BUG: KMSAN: uninit-value in get_temp_cnct+0x1f3/0x3b0 drivers/hwmon/corsair-cpro.c:497
 get_temp_cnct+0x1f3/0x3b0 drivers/hwmon/corsair-cpro.c:497
 ccp_probe+0x458/0x790 drivers/hwmon/corsair-cpro.c:622
 __hid_device_probe drivers/hid/hid-core.c:2724 [inline]
 hid_device_probe+0x539/0xab0 drivers/hid/hid-core.c:2761
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d4/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
 driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
 bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
 __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
 device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
 device_add+0x12a9/0x1c10 drivers/base/core.c:3692
 hid_add_device+0x5ed/0x7b0 drivers/hid/hid-core.c:2907
 usbhid_probe+0x1fec/0x2660 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0xd04/0x1310 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d4/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
 driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
 bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
 __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
 device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
 device_add+0x12a9/0x1c10 drivers/base/core.c:3692
 usb_set_configuration+0x3493/0x3b70 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xfc/0x290 drivers/usb/core/generic.c:250
 usb_probe_device+0x38a/0x690 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d4/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
 driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
 bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
 __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
 device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
 device_add+0x12a9/0x1c10 drivers/base/core.c:3692
 usb_new_device+0x104b/0x20c0 drivers/usb/core/hub.c:2663
 hub_port_connect drivers/usb/core/hub.c:5535 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
 port_event drivers/usb/core/hub.c:5835 [inline]
 hub_event+0x5588/0x7580 drivers/usb/core/hub.c:5917
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xb91/0x1d80 kernel/workqueue.c:3321
 worker_thread+0xedf/0x1590 kernel/workqueue.c:3402
 kthread+0xd5c/0xf00 kernel/kthread.c:464
 ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was stored to memory at:
 get_temp_cnct+0x1ec/0x3b0 drivers/hwmon/corsair-cpro.c:496
 ccp_probe+0x458/0x790 drivers/hwmon/corsair-cpro.c:622
 __hid_device_probe drivers/hid/hid-core.c:2724 [inline]
 hid_device_probe+0x539/0xab0 drivers/hid/hid-core.c:2761
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d4/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
 driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
 bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
 __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
 device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
 device_add+0x12a9/0x1c10 drivers/base/core.c:3692
 hid_add_device+0x5ed/0x7b0 drivers/hid/hid-core.c:2907
 usbhid_probe+0x1fec/0x2660 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0xd04/0x1310 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d4/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
 driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
 bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
 __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
 device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
 device_add+0x12a9/0x1c10 drivers/base/core.c:3692
 usb_set_configuration+0x3493/0x3b70 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xfc/0x290 drivers/usb/core/generic.c:250
 usb_probe_device+0x38a/0x690 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d4/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
 driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
 bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
 __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
 device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
 device_add+0x12a9/0x1c10 drivers/base/core.c:3692
 usb_new_device+0x104b/0x20c0 drivers/usb/core/hub.c:2663
 hub_port_connect drivers/usb/core/hub.c:5535 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
 port_event drivers/usb/core/hub.c:5835 [inline]
 hub_event+0x5588/0x7580 drivers/usb/core/hub.c:5917
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xb91/0x1d80 kernel/workqueue.c:3321
 worker_thread+0xedf/0x1590 kernel/workqueue.c:3402
 kthread+0xd5c/0xf00 kernel/kthread.c:464
 ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4154 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_node_track_caller_noprof+0x96d/0x12f0 mm/slub.c:4347
 alloc_dr drivers/base/devres.c:119 [inline]
 devm_kmalloc+0xd7/0x2f0 drivers/base/devres.c:864
 ccp_probe+0x114/0x790 drivers/hwmon/corsair-cpro.c:596
 __hid_device_probe drivers/hid/hid-core.c:2724 [inline]
 hid_device_probe+0x539/0xab0 drivers/hid/hid-core.c:2761
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d4/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
 driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
 bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
 __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
 device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
 device_add+0x12a9/0x1c10 drivers/base/core.c:3692
 hid_add_device+0x5ed/0x7b0 drivers/hid/hid-core.c:2907
 usbhid_probe+0x1fec/0x2660 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0xd04/0x1310 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d4/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
 driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
 bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
 __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
 device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
 device_add+0x12a9/0x1c10 drivers/base/core.c:3692
 usb_set_configuration+0x3493/0x3b70 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xfc/0x290 drivers/usb/core/generic.c:250
 usb_probe_device+0x38a/0x690 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d4/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
 driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
 bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
 __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
 device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
 device_add+0x12a9/0x1c10 drivers/base/core.c:3692
 usb_new_device+0x104b/0x20c0 drivers/usb/core/hub.c:2663
 hub_port_connect drivers/usb/core/hub.c:5535 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
 port_event drivers/usb/core/hub.c:5835 [inline]
 hub_event+0x5588/0x7580 drivers/usb/core/hub.c:5917
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xb91/0x1d80 kernel/workqueue.c:3321
 worker_thread+0xedf/0x1590 kernel/workqueue.c:3402
 kthread+0xd5c/0xf00 kernel/kthread.c:464
 ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

CPU: 0 UID: 0 PID: 5855 Comm: kworker/0:3 Not tainted 6.16.0-rc1-syzkaller-00203-g4774cfe3543a #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: usb_hub_wq hub_event
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [syzbot] [hwmon?] KMSAN: uninit-value in get_temp_cnct
  2025-06-19  4:31 [syzbot] [hwmon?] KMSAN: uninit-value in get_temp_cnct syzbot
@ 2025-06-19  5:56 ` Guenter Roeck
  2025-06-19  8:01   ` Marius Zachmann
  2025-06-19 13:37 ` [PATCH] hwmon: fill it with 0 when data size is insufficient Edward Adam Davis
  1 sibling, 1 reply; 6+ messages in thread
From: Guenter Roeck @ 2025-06-19  5:56 UTC (permalink / raw)
  To: syzbot, jdelvare, linux-hwmon, linux-kernel, mail, syzkaller-bugs

On 6/18/25 21:31, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    4774cfe3543a Merge tag 'scsi-fixes' of git://git.kernel.or..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10e3f10c580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=61539536677af51c
> dashboard link: https://syzkaller.appspot.com/bug?extid=3bbbade4e1a7ab45ca3b
> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> userspace arch: i386
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 

It doesn't need one: The problem will be seen if the data returned from the
power supply is shorter than expected. In the example below, the problem will
be seen if less than NUM_TEMP_SENSORS+1 data bytes were received.
One possible fix would be to record the returned data length in ccp_raw_event()
and to have each caller of send_usb_cmd() check if the returned amount of data
is sufficient.

Guenter

> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/0cb38ba04f99/disk-4774cfe3.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/ff376a7ba200/vmlinux-4774cfe3.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/570051315dbf/bzImage-4774cfe3.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3bbbade4e1a7ab45ca3b@syzkaller.appspotmail.com
> 
> usb 7-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> usb 7-1: config 0 descriptor??
> corsair-cpro 0003:1B1C:0C10.0017: hidraw0: USB HID v4.06 Device [HID 1b1c:0c10] on usb-dummy_hcd.6-1/input0
> =====================================================
> BUG: KMSAN: uninit-value in get_temp_cnct+0x1f3/0x3b0 drivers/hwmon/corsair-cpro.c:497
>   get_temp_cnct+0x1f3/0x3b0 drivers/hwmon/corsair-cpro.c:497
>   ccp_probe+0x458/0x790 drivers/hwmon/corsair-cpro.c:622
>   __hid_device_probe drivers/hid/hid-core.c:2724 [inline]
>   hid_device_probe+0x539/0xab0 drivers/hid/hid-core.c:2761
>   call_driver_probe drivers/base/dd.c:-1 [inline]
>   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
>   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
>   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
>   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
>   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
>   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
>   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
>   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
>   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
>   hid_add_device+0x5ed/0x7b0 drivers/hid/hid-core.c:2907
>   usbhid_probe+0x1fec/0x2660 drivers/hid/usbhid/hid-core.c:1435
>   usb_probe_interface+0xd04/0x1310 drivers/usb/core/driver.c:396
>   call_driver_probe drivers/base/dd.c:-1 [inline]
>   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
>   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
>   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
>   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
>   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
>   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
>   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
>   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
>   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
>   usb_set_configuration+0x3493/0x3b70 drivers/usb/core/message.c:2210
>   usb_generic_driver_probe+0xfc/0x290 drivers/usb/core/generic.c:250
>   usb_probe_device+0x38a/0x690 drivers/usb/core/driver.c:291
>   call_driver_probe drivers/base/dd.c:-1 [inline]
>   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
>   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
>   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
>   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
>   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
>   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
>   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
>   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
>   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
>   usb_new_device+0x104b/0x20c0 drivers/usb/core/hub.c:2663
>   hub_port_connect drivers/usb/core/hub.c:5535 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
>   port_event drivers/usb/core/hub.c:5835 [inline]
>   hub_event+0x5588/0x7580 drivers/usb/core/hub.c:5917
>   process_one_work kernel/workqueue.c:3238 [inline]
>   process_scheduled_works+0xb91/0x1d80 kernel/workqueue.c:3321
>   worker_thread+0xedf/0x1590 kernel/workqueue.c:3402
>   kthread+0xd5c/0xf00 kernel/kthread.c:464
>   ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> 
> Uninit was stored to memory at:
>   get_temp_cnct+0x1ec/0x3b0 drivers/hwmon/corsair-cpro.c:496
>   ccp_probe+0x458/0x790 drivers/hwmon/corsair-cpro.c:622
>   __hid_device_probe drivers/hid/hid-core.c:2724 [inline]
>   hid_device_probe+0x539/0xab0 drivers/hid/hid-core.c:2761
>   call_driver_probe drivers/base/dd.c:-1 [inline]
>   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
>   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
>   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
>   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
>   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
>   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
>   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
>   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
>   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
>   hid_add_device+0x5ed/0x7b0 drivers/hid/hid-core.c:2907
>   usbhid_probe+0x1fec/0x2660 drivers/hid/usbhid/hid-core.c:1435
>   usb_probe_interface+0xd04/0x1310 drivers/usb/core/driver.c:396
>   call_driver_probe drivers/base/dd.c:-1 [inline]
>   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
>   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
>   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
>   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
>   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
>   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
>   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
>   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
>   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
>   usb_set_configuration+0x3493/0x3b70 drivers/usb/core/message.c:2210
>   usb_generic_driver_probe+0xfc/0x290 drivers/usb/core/generic.c:250
>   usb_probe_device+0x38a/0x690 drivers/usb/core/driver.c:291
>   call_driver_probe drivers/base/dd.c:-1 [inline]
>   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
>   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
>   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
>   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
>   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
>   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
>   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
>   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
>   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
>   usb_new_device+0x104b/0x20c0 drivers/usb/core/hub.c:2663
>   hub_port_connect drivers/usb/core/hub.c:5535 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
>   port_event drivers/usb/core/hub.c:5835 [inline]
>   hub_event+0x5588/0x7580 drivers/usb/core/hub.c:5917
>   process_one_work kernel/workqueue.c:3238 [inline]
>   process_scheduled_works+0xb91/0x1d80 kernel/workqueue.c:3321
>   worker_thread+0xedf/0x1590 kernel/workqueue.c:3402
>   kthread+0xd5c/0xf00 kernel/kthread.c:464
>   ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> 
> Uninit was created at:
>   slab_post_alloc_hook mm/slub.c:4154 [inline]
>   slab_alloc_node mm/slub.c:4197 [inline]
>   __do_kmalloc_node mm/slub.c:4327 [inline]
>   __kmalloc_node_track_caller_noprof+0x96d/0x12f0 mm/slub.c:4347
>   alloc_dr drivers/base/devres.c:119 [inline]
>   devm_kmalloc+0xd7/0x2f0 drivers/base/devres.c:864
>   ccp_probe+0x114/0x790 drivers/hwmon/corsair-cpro.c:596
>   __hid_device_probe drivers/hid/hid-core.c:2724 [inline]
>   hid_device_probe+0x539/0xab0 drivers/hid/hid-core.c:2761
>   call_driver_probe drivers/base/dd.c:-1 [inline]
>   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
>   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
>   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
>   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
>   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
>   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
>   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
>   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
>   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
>   hid_add_device+0x5ed/0x7b0 drivers/hid/hid-core.c:2907
>   usbhid_probe+0x1fec/0x2660 drivers/hid/usbhid/hid-core.c:1435
>   usb_probe_interface+0xd04/0x1310 drivers/usb/core/driver.c:396
>   call_driver_probe drivers/base/dd.c:-1 [inline]
>   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
>   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
>   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
>   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
>   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
>   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
>   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
>   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
>   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
>   usb_set_configuration+0x3493/0x3b70 drivers/usb/core/message.c:2210
>   usb_generic_driver_probe+0xfc/0x290 drivers/usb/core/generic.c:250
>   usb_probe_device+0x38a/0x690 drivers/usb/core/driver.c:291
>   call_driver_probe drivers/base/dd.c:-1 [inline]
>   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
>   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
>   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
>   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
>   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
>   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
>   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
>   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
>   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
>   usb_new_device+0x104b/0x20c0 drivers/usb/core/hub.c:2663
>   hub_port_connect drivers/usb/core/hub.c:5535 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
>   port_event drivers/usb/core/hub.c:5835 [inline]
>   hub_event+0x5588/0x7580 drivers/usb/core/hub.c:5917
>   process_one_work kernel/workqueue.c:3238 [inline]
>   process_scheduled_works+0xb91/0x1d80 kernel/workqueue.c:3321
>   worker_thread+0xedf/0x1590 kernel/workqueue.c:3402
>   kthread+0xd5c/0xf00 kernel/kthread.c:464
>   ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> 
> CPU: 0 UID: 0 PID: 5855 Comm: kworker/0:3 Not tainted 6.16.0-rc1-syzkaller-00203-g4774cfe3543a #0 PREEMPT(undef)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> Workqueue: usb_hub_wq hub_event
> =====================================================
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup


^ permalink raw reply	[flat|nested] 6+ messages in thread
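The reply above attributes the KMSAN report to a response shorter than the parser expects and suggests recording the received length in ccp_raw_event() so callers can check it. The userspace C model below is an added example, not code from this thread or from drivers/hwmon/corsair-cpro.c; the `model_*` names, the buffer size, the sensor count, the 0xAA poison byte (standing in for uninitialised heap memory) and the -EIO return value are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this model only; they are not quoted from the thread. */
#define MODEL_IN_BUFFER_SIZE   16
#define MODEL_NUM_TEMP_SENSORS 4
#define MODEL_POISON           0xAA /* stand-in for uninitialised heap bytes */

struct model_dev {
	uint8_t buffer[MODEL_IN_BUFFER_SIZE];
	size_t  rx_len; /* bytes delivered by the most recent report */
};

/* Constructed sample reports: byte 0 is a status byte, bytes 1..4 are
 * per-sensor "connected" flags in this model. */
static const uint8_t SHORT_REPORT[] = { 0x00, 0x01 };
static const uint8_t FULL_REPORT[]  = { 0x00, 0x01, 0x00, 0x00, 0x01 };

/* Model of an allocation that does not zero the buffer. */
static void model_dev_init(struct model_dev *d)
{
	memset(d->buffer, MODEL_POISON, sizeof(d->buffer));
	d->rx_len = 0;
}

/* Raw-event handler: copy what arrived and record how much arrived. */
static void model_raw_event(struct model_dev *d, const uint8_t *data,
			    size_t size)
{
	size_t n = size < sizeof(d->buffer) ? size : sizeof(d->buffer);

	memcpy(d->buffer, data, n);
	d->rx_len = n;
}

/* Parser that trusts buffer[1..NUM] no matter how many bytes arrived.
 * Returns a bitmask of sensors it believes are connected. */
static int model_temp_cnct_unchecked(const struct model_dev *d)
{
	int mask = 0;

	for (int ch = 0; ch < MODEL_NUM_TEMP_SENSORS; ch++)
		if (d->buffer[ch + 1] != 0)
			mask |= 1 << ch;
	return mask;
}

/* Parser that first checks the recorded length against what it will read:
 * one status byte plus one byte per sensor. */
static int model_temp_cnct_checked(const struct model_dev *d)
{
	if (d->rx_len < MODEL_NUM_TEMP_SENSORS + 1)
		return -EIO;
	return model_temp_cnct_unchecked(d);
}

/* Deliver one report to a fresh device and parse it. */
static int model_run(const uint8_t *report, size_t size, int checked)
{
	struct model_dev d;

	model_dev_init(&d);
	model_raw_event(&d, report, size);
	return checked ? model_temp_cnct_checked(&d)
		       : model_temp_cnct_unchecked(&d);
}

int main(void)
{
	printf("short report, unchecked: mask=0x%x\n",
	       model_run(SHORT_REPORT, sizeof(SHORT_REPORT), 0));
	printf("short report, checked:   ret=%d\n",
	       model_run(SHORT_REPORT, sizeof(SHORT_REPORT), 1));
	printf("full report,  checked:   mask=0x%x\n",
	       model_run(FULL_REPORT, sizeof(FULL_REPORT), 1));
	return 0;
}
```

With the two-byte report the unchecked parser derives three of its four sensor bits from poison bytes, which is the read KMSAN flags; the checked parser rejects the same report before touching them.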

* Re: [syzbot] [hwmon?] KMSAN: uninit-value in get_temp_cnct
  2025-06-19  5:56 ` Guenter Roeck
@ 2025-06-19  8:01   ` Marius Zachmann
  2025-06-19 13:01     ` Guenter Roeck
  0 siblings, 1 reply; 6+ messages in thread
From: Marius Zachmann @ 2025-06-19  8:01 UTC (permalink / raw)
  To: Guenter Roeck, syzbot, jdelvare, linux-hwmon, linux-kernel,
	syzkaller-bugs

On Wednesday, 18.06.2025 at 22:56 -0700, Guenter Roeck wrote:
> On 6/18/25 21:31, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    4774cfe3543a Merge tag 'scsi-fixes' of git://git.kernel.or..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10e3f10c580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=61539536677af51c
> > dashboard link: https://syzkaller.appspot.com/bug?extid=3bbbade4e1a7ab45ca3b
> > compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> > userspace arch: i386
> > 
> > Unfortunately, I don't have any reproducer for this issue yet.
> > 
> 
> It doesn't need one: The problem will be seen if the data returned from the
> power supply is shorter than expected. In the example below, the problem will
> be seen if less than NUM_TEMP_SENSORS+1 data bytes were received.
> One possible fix would be to record the returned data length in ccp_raw_event()
> and to have each caller of send_usb_cmd() check if the returned amount of data
> is sufficient.
> 
> Guenter

The device should always return the same number of bytes.
I could zero-initialize the buffer at allocation. Then there should
be no uninitialized values.
Also I could check the number of returned bytes in send_usb_cmd()
instead of having each caller checking it, and return -EIO if
it is not correct?

Marius

> >   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
> >   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
> >   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
> >   hid_add_device+0x5ed/0x7b0 drivers/hid/hid-core.c:2907
> >   usbhid_probe+0x1fec/0x2660 drivers/hid/usbhid/hid-core.c:1435
> >   usb_probe_interface+0xd04/0x1310 drivers/usb/core/driver.c:396
> >   call_driver_probe drivers/base/dd.c:-1 [inline]
> >   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
> >   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
> >   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
> >   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
> >   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
> >   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
> >   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
> >   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
> >   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
> >   usb_set_configuration+0x3493/0x3b70 drivers/usb/core/message.c:2210
> >   usb_generic_driver_probe+0xfc/0x290 drivers/usb/core/generic.c:250
> >   usb_probe_device+0x38a/0x690 drivers/usb/core/driver.c:291
> >   call_driver_probe drivers/base/dd.c:-1 [inline]
> >   really_probe+0x4d4/0xd90 drivers/base/dd.c:657
> >   __driver_probe_device+0x268/0x380 drivers/base/dd.c:799
> >   driver_probe_device+0x70/0x8b0 drivers/base/dd.c:829
> >   __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:957
> >   bus_for_each_drv+0x3e0/0x680 drivers/base/bus.c:462
> >   __device_attach+0x3c8/0x5c0 drivers/base/dd.c:1029
> >   device_initial_probe+0x33/0x40 drivers/base/dd.c:1078
> >   bus_probe_device+0x3ba/0x5e0 drivers/base/bus.c:537
> >   device_add+0x12a9/0x1c10 drivers/base/core.c:3692
> >   usb_new_device+0x104b/0x20c0 drivers/usb/core/hub.c:2663
> >   hub_port_connect drivers/usb/core/hub.c:5535 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
> >   port_event drivers/usb/core/hub.c:5835 [inline]
> >   hub_event+0x5588/0x7580 drivers/usb/core/hub.c:5917
> >   process_one_work kernel/workqueue.c:3238 [inline]
> >   process_scheduled_works+0xb91/0x1d80 kernel/workqueue.c:3321
> >   worker_thread+0xedf/0x1590 kernel/workqueue.c:3402
> >   kthread+0xd5c/0xf00 kernel/kthread.c:464
> >   ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
> >   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > 
> > CPU: 0 UID: 0 PID: 5855 Comm: kworker/0:3 Not tainted 6.16.0-rc1-syzkaller-00203-g4774cfe3543a #0 PREEMPT(undef)
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> > Workqueue: usb_hub_wq hub_event
> > =====================================================

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [syzbot] [hwmon?] KMSAN: uninit-value in get_temp_cnct
  2025-06-19  8:01   ` Marius Zachmann
@ 2025-06-19 13:01     ` Guenter Roeck
  0 siblings, 0 replies; 6+ messages in thread
From: Guenter Roeck @ 2025-06-19 13:01 UTC (permalink / raw)
  To: Marius Zachmann, syzbot, jdelvare, linux-hwmon, linux-kernel,
	syzkaller-bugs

On 6/19/25 01:01, Marius Zachmann wrote:
> On Wednesday, 18.06.2025 at 22:56 -0700, Guenter Roeck wrote:
>> On 6/18/25 21:31, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    4774cfe3543a Merge tag 'scsi-fixes' of git://git.kernel.or..
>>> git tree:       upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=10e3f10c580000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=61539536677af51c
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=3bbbade4e1a7ab45ca3b
>>> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
>>> userspace arch: i386
>>>
>>> Unfortunately, I don't have any reproducer for this issue yet.
>>>
>>
>> It doesn't need one: The problem will be seen if the data returned from the
>> power supply is shorter than expected. In the example below, the problem will
>> be seen if less than NUM_TEMP_SENSORS+1 data bytes were received.
>> One possible fix would be to record the returned data length in ccp_raw_event()
>> and to have each caller of send_usb_cmd() check if the returned amount of data
>> is sufficient.
>>
>> Guenter
> 
> The device should always return the same number of bytes.

The term is "should". That doesn't mean it always _does_ return the
expected number of bytes, only that it is expected to do so.

> I could zero-initialize the buffer at allocation. Then there should
> be no uninitialized values.

As long as the values are usable, sure. That would not really fix the
protocol error, though, it would just hide it.

> Also I could check the number of returned bytes in send_usb_cmd()
> instead of having each caller checking it, and return -EIO if
> it is not correct?
> 

Yes, that would be an even better fix, though I would suggest to return
-EPROTO in that case to distinguish it from an actual i/o error.

Thanks,
Guenter


^ permalink raw reply	[flat|nested] 6+ messages in thread
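
The approach agreed on in the exchange above (record the received length in the receive path, have the command path return -EPROTO on a short reply), modelled in user space. This is an added example, not the driver's code or the patch that was applied; `struct ccp_model`, the `model_*` functions, the two constant values and the "non-zero means connected" encoding are assumptions made for the sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define IN_BUFFER_SIZE   16	/* assumed for this sketch */
#define NUM_TEMP_SENSORS 4	/* assumed for this sketch */

struct ccp_model {			/* hypothetical stand-in for driver state */
	unsigned char buffer[IN_BUFFER_SIZE];
	size_t rx_len;			/* bytes received in the last report */
};

/* Receive path: copy what arrived and record how much that was. */
static void model_raw_event(struct ccp_model *ccp, const unsigned char *data, size_t size)
{
	size_t len = size < IN_BUFFER_SIZE ? size : IN_BUFFER_SIZE;

	memcpy(ccp->buffer, data, len);
	ccp->rx_len = len;
}

/* Command path: fail if the reply is shorter than the caller will parse. */
static int model_send_cmd(struct ccp_model *ccp, const unsigned char *reply, size_t reply_len, size_t need)
{
	ccp->rx_len = 0;
	model_raw_event(ccp, reply, reply_len);
	return ccp->rx_len < need ? -EPROTO : 0;	/* distinct from -EIO */
}

/* Caller that parses bytes 1..NUM_TEMP_SENSORS of the reply. */
static int model_count_sensors(struct ccp_model *ccp, const unsigned char *reply, size_t reply_len)
{
	int i, n = 0;
	int ret = model_send_cmd(ccp, reply, reply_len, NUM_TEMP_SENSORS + 1);

	if (ret)
		return ret;	/* the stale tail of buffer[] is never read */
	for (i = 1; i <= NUM_TEMP_SENSORS; i++)
		n += ccp->buffer[i] != 0;	/* assumed: non-zero = connected */
	return n;
}

int main(void)
{
	static const unsigned char full[] = { 0, 1, 0, 1, 1 };	/* constructed reply */
	static const unsigned char cut[] = { 0, 1 };		/* constructed short reply */
	struct ccp_model m;	/* deliberately left uninitialized, like devm_kmalloc() memory */

	printf("full reply:  %d\n", model_count_sensors(&m, full, sizeof(full)));
	printf("short reply: %d\n", model_count_sensors(&m, cut, sizeof(cut)));
	return 0;
}
```

With zero padding instead of the length check, the short reply would be counted as "one sensor connected" and the protocol error would go unreported.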

* [PATCH] hwmon: fill it with 0 when data size is insufficient
  2025-06-19  4:31 [syzbot] [hwmon?] KMSAN: uninit-value in get_temp_cnct syzbot
  2025-06-19  5:56 ` Guenter Roeck
@ 2025-06-19 13:37 ` Edward Adam Davis
  2025-06-19 16:54   ` Guenter Roeck
  1 sibling, 1 reply; 6+ messages in thread
From: Edward Adam Davis @ 2025-06-19 13:37 UTC (permalink / raw)
  To: syzbot+3bbbade4e1a7ab45ca3b
  Cc: jdelvare, linux-hwmon, linux-kernel, linux, mail, syzkaller-bugs

When the data size returned by the sensor is less than IN_BUFFER_SIZE,
it is padded with 0.

Reported-by: syzbot+3bbbade4e1a7ab45ca3b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3bbbade4e1a7ab45ca3b
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 drivers/hwmon/corsair-cpro.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c
index e1a7f7aa7f80..274864e8a8e7 100644
--- a/drivers/hwmon/corsair-cpro.c
+++ b/drivers/hwmon/corsair-cpro.c
@@ -157,6 +157,8 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8
 	spin_lock(&ccp->wait_input_report_lock);
 	if (!completion_done(&ccp->wait_input_report)) {
 		memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));
+		if (size < IN_BUFFER_SIZE)
+			memset(ccp->buffer + size, 0, IN_BUFFER_SIZE - size);
 		complete_all(&ccp->wait_input_report);
 	}
 	spin_unlock(&ccp->wait_input_report_lock);
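
Review bot: the memset added after the memcpy in ccp_raw_event() zero-fills the tail when size < IN_BUFFER_SIZE, but complete_all() still runs unconditionally, so the waiter cannot tell a short report from a full one and will parse the padding as device data. Consider recording the copied length (the min(IN_BUFFER_SIZE, size) value) in the ccp state at this point and letting the command path fail when the reply is shorter than it needs, instead of padding. The commit message should also name the reader that consumed the uninitialized bytes and state why zero is a safe value for it.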
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] hwmon: fill it with 0 when data size is insufficient
  2025-06-19 13:37 ` [PATCH] hwmon: fill it with 0 when data size is insufficient Edward Adam Davis
@ 2025-06-19 16:54   ` Guenter Roeck
  0 siblings, 0 replies; 6+ messages in thread
From: Guenter Roeck @ 2025-06-19 16:54 UTC (permalink / raw)
  To: Edward Adam Davis, syzbot+3bbbade4e1a7ab45ca3b
  Cc: jdelvare, linux-hwmon, linux-kernel, mail, syzkaller-bugs

On 6/19/25 06:37, Edward Adam Davis wrote:
> When the data size returned by the sensor is less than IN_BUFFER_SIZE,
> it is padded with 0.
> 

The subject is missing the affected driver, and I really very much prefer
actually validating the return data instead of just assuming that it is
ok to fill the buffer with 0. So I'll take Marius' patch instead.

On a side note, please don't send patches as reply to some other e-mail.
That only asks for it to get lost.

Thanks,
Guenter


> Reported-by: syzbot+3bbbade4e1a7ab45ca3b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3bbbade4e1a7ab45ca3b
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>   drivers/hwmon/corsair-cpro.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c
> index e1a7f7aa7f80..274864e8a8e7 100644
> --- a/drivers/hwmon/corsair-cpro.c
> +++ b/drivers/hwmon/corsair-cpro.c
> @@ -157,6 +157,8 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8
>   	spin_lock(&ccp->wait_input_report_lock);
>   	if (!completion_done(&ccp->wait_input_report)) {
>   		memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));
> +		if (size < IN_BUFFER_SIZE)
> +			memset(ccp->buffer + size, 0, IN_BUFFER_SIZE - size);
>   		complete_all(&ccp->wait_input_report);
>   	}
>   	spin_unlock(&ccp->wait_input_report_lock);
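
Review bot: the memcpy length and the memset offset in this hunk are derived from size separately (min(IN_BUFFER_SIZE, size) in one call, a bare size in the other); computing one local length and using it for both calls would keep them in step and make it evident that ccp->buffer + size stays inside the buffer. The declaration of size is cut off in the hunk header, so it is worth confirming that a negative value cannot reach the new memset, where it would pass the size < IN_BUFFER_SIZE test.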


^ permalink raw reply	[flat|nested] 6+ messages in thread
