Re: KMSAN: uninit-value in ath9k_htc_rx_msg

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Phillip Potter <phil@philpotter.co.uk>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Alexander Potapenko <glider@google.com>,
	ath9k-devel@qca.qualcomm.com, David Miller <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Kalle Valo <kvalo@kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-wireless <linux-wireless@vger.kernel.org>,
	Networking <netdev@vger.kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: KMSAN: uninit-value in ath9k_htc_rx_msg
Date: Sun, 28 Aug 2022 11:44:24 +0100	[thread overview]
Message-ID: <YwtHCDTRMtXe/VTt@equinox> (raw)
In-Reply-To: <46fee955-a5fa-fbd6-bcc4-d9344e6801d9@I-love.SAKURA.ne.jp>

On Fri, Aug 26, 2022 at 10:35:43AM +0900, Tetsuo Handa wrote:
> On 2022/08/26 0:09, Alexander Potapenko wrote:
> > On Thu, Aug 25, 2022 at 4:34 PM Tetsuo Handa
> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >>
> >> Hello.
> > Hi Tetsuo,
> > 
> >> I found that your patch was applied. But since the reproducer tested only 0 byte
> >> case, I think that rejecting only less than sizeof(struct htc_frame_hdr) bytes
> >> is not sufficient.
> >>
> >> More complete patch with Ack from Toke is waiting at
> >> https://lkml.kernel.org/r/7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp .
> > 
> > Thanks for letting me know! I just checked that your patch indeed
> > fixes the issue I am facing.
> > If it is more complete, I think we'd indeed better use yours.
> 
> I recognized that "ath9k: fix an uninit value use in ath9k_htc_rx_msg()" is
> local to KMSAN tree.
> https://github.com/google/kmsan/commit/d891e35583bf2e81ccc7a2ea548bf7cf47329f40
> 
> That patch needs to be dropped, for I confirmed that passing pad_len == 8 below
> still triggers uninit value at ath9k_htc_fw_panic_report(). (My patch does not
> trigger at ath9k_htc_fw_panic_report().)
> 
>         fd = syz_usb_connect_ath9k(3, 0x5a, 0x20000800, 0);
>         *(uint16_t*)0x20000880 = 0 + pad_len;
>         *(uint16_t*)0x20000882 = 0x4e00;
>         memmove((uint8_t*)0x20000884, "\x99\x11\x22\x33\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 16);
>         syz_usb_ep_write(fd, 0x82, 4 + pad_len, 0x20000880);
> 
> 
> 
> Also, that patch has a skb leak bug; according to comment for ath9k_htc_rx_msg()
> 
>  * Service messages (Data, WMI) passed to the corresponding
>  * endpoint RX handlers, which have to free the SKB.
> 
> , I think that this function is supposed to free skb if skb != NULL.
> 
> If dev_kfree_skb_any(skb) needs to be used when epid is invalid and pipe_id != USB_REG_IN_PIPE,
> why it is OK to use kfree_skb(skb) if epid == 0x99 and pipe_id != USB_REG_IN_PIPE ?
> 
> We don't call kfree_skb(skb) if 0 < epid < ENDPOINT_MAX and endpoint->ep_callbacks.rx == NULL.
> Why it is OK not to call kfree_skb(skb) in that case?
> 
> Callers can't pass such combinations? I leave these questions to ath9k developers...
>

Hi Tetsuo,

Thank you for this improved patch. My original one was somewhat naive
attempt at a resolution.

Regards,
Phil

     prev parent reply	other threads:[~2022-08-28 10:44 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-09 16:27 KMSAN: uninit-value in ath9k_htc_rx_msg syzbot
2020-08-13  3:32 ` syzbot
     [not found]   ` <a142d63c-7810-40ff-9c24-7160c63bafebn@googlegroups.com>
2022-08-24 13:30     ` Alexander Potapenko
2022-08-25 14:34       ` Tetsuo Handa
2022-08-25 15:09         ` Alexander Potapenko
2022-08-25 15:55           ` Toke Høiland-Jørgensen
2022-08-29  5:36             ` Kalle Valo
2022-08-26  1:35           ` Tetsuo Handa
2022-08-26  8:38             ` Alexander Potapenko
2022-08-28 10:44             ` Phillip Potter [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YwtHCDTRMtXe/VTt@equinox \
    --to=phil@philpotter.co.uk \
    --cc=ath9k-devel@qca.qualcomm.com \
    --cc=davem@davemloft.net \
    --cc=glider@google.com \
    --cc=kuba@kernel.org \
    --cc=kvalo@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).