| Message ID | tencent_44291B84257ABAB7BB7B33C49E0E1BC74B08@qq.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ALSA: line6: fix uninit-value in line6_pod_process_message | expand |
On Tue, 02 Apr 2024 08:47:24 +0200, Edward Adam Davis wrote: > > [Syzbot reported] > BUG: KMSAN: uninit-value in line6_pod_process_message+0x72f/0x7b0 sound/usb/line6/pod.c:201 > line6_pod_process_message+0x72f/0x7b0 sound/usb/line6/pod.c:201 > line6_data_received+0x5db/0x7e0 sound/usb/line6/driver.c:317 > __usb_hcd_giveback_urb+0x508/0x770 drivers/usb/core/hcd.c:1648 > usb_hcd_giveback_urb+0x157/0x720 drivers/usb/core/hcd.c:1732 > dummy_timer+0xd93/0x6b10 drivers/usb/gadget/udc/dummy_hcd.c:1987 > call_timer_fn+0x49/0x580 kernel/time/timer.c:1793 > expire_timers kernel/time/timer.c:1844 [inline] > __run_timers kernel/time/timer.c:2418 [inline] > __run_timer_base+0x84e/0xe90 kernel/time/timer.c:2429 > run_timer_base kernel/time/timer.c:2438 [inline] > run_timer_softirq+0x3a/0x70 kernel/time/timer.c:2448 > __do_softirq+0x1c0/0x7d7 kernel/softirq.c:554 > invoke_softirq kernel/softirq.c:428 [inline] > __irq_exit_rcu kernel/softirq.c:633 [inline] > irq_exit_rcu+0x6a/0x130 kernel/softirq.c:645 > instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] > sysvec_apic_timer_interrupt+0x83/0x90 arch/x86/kernel/apic/apic.c:1043 > asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:702 > native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline] > arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline] > acpi_safe_halt+0x25/0x30 drivers/acpi/processor_idle.c:112 > acpi_idle_do_entry+0x22/0x40 drivers/acpi/processor_idle.c:573 > acpi_idle_enter+0xa1/0xc0 drivers/acpi/processor_idle.c:707 > cpuidle_enter_state+0xcb/0x250 drivers/cpuidle/cpuidle.c:267 > cpuidle_enter+0x7f/0xf0 drivers/cpuidle/cpuidle.c:388 > call_cpuidle kernel/sched/idle.c:155 [inline] > cpuidle_idle_call kernel/sched/idle.c:236 [inline] > do_idle+0x551/0x750 kernel/sched/idle.c:332 > cpu_startup_entry+0x65/0x80 kernel/sched/idle.c:430 > rest_init+0x1e8/0x260 init/main.c:732 > start_kernel+0x927/0xa70 init/main.c:1074 > x86_64_start_reservations+0x2e/0x30 arch/x86/kernel/head64.c:507 > x86_64_start_kernel+0x98/0xa0 arch/x86/kernel/head64.c:488 > common_startup_64+0x12c/0x137 > > Uninit was created at: > slab_post_alloc_hook mm/slub.c:3804 [inline] > slab_alloc_node mm/slub.c:3845 [inline] > kmalloc_trace+0x578/0xba0 mm/slub.c:3992 > kmalloc include/linux/slab.h:628 [inline] > line6_init_cap_control+0x4f1/0x770 sound/usb/line6/driver.c:700 > line6_probe+0xeae/0x1120 sound/usb/line6/driver.c:797 > pod_probe+0x79/0x90 sound/usb/line6/pod.c:522 > usb_probe_interface+0xd6f/0x1350 drivers/usb/core/driver.c:399 > really_probe+0x4db/0xd90 drivers/base/dd.c:656 > __driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:798 > driver_probe_device+0x72/0x890 drivers/base/dd.c:828 > __device_attach_driver+0x568/0x9e0 drivers/base/dd.c:956 > bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457 > __device_attach+0x3c1/0x650 drivers/base/dd.c:1028 > device_initial_probe+0x32/0x40 drivers/base/dd.c:1077 > bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532 > device_add+0x1475/0x1c90 drivers/base/core.c:3705 > usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210 > usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:254 > usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:294 > really_probe+0x4db/0xd90 drivers/base/dd.c:656 > __driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:798 > driver_probe_device+0x72/0x890 drivers/base/dd.c:828 > __device_attach_driver+0x568/0x9e0 drivers/base/dd.c:956 > bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457 > __device_attach+0x3c1/0x650 drivers/base/dd.c:1028 > device_initial_probe+0x32/0x40 drivers/base/dd.c:1077 > bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532 > device_add+0x1475/0x1c90 drivers/base/core.c:3705 > usb_new_device+0x15ff/0x2470 drivers/usb/core/hub.c:2643 > hub_port_connect drivers/usb/core/hub.c:5512 [inline] > hub_port_connect_change drivers/usb/core/hub.c:5652 [inline] > port_event drivers/usb/core/hub.c:5812 [inline] > hub_event+0x4ff8/0x72d0 drivers/usb/core/hub.c:5894 > process_one_work kernel/workqueue.c:3254 [inline] > process_scheduled_works+0xa81/0x1bd0 kernel/workqueue.c:3335 > worker_thread+0xea5/0x1560 kernel/workqueue.c:3416 > kthread+0x3e2/0x540 kernel/kthread.c:388 > ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 > [Fix] > Let's clear all the content of the buffer message during alloc. > > Reported-and-tested-by: syzbot+7fb05ccf7b3d2f9617b3@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@qq.com> A fix already submitted in https://lore.kernel.org/r/20240402063628.26609-1-tiwai@suse.de thanks, Takashi
diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c index b67617b68e50..8fd9d42aa8e2 100644 --- a/sound/usb/line6/driver.c +++ b/sound/usb/line6/driver.c @@ -697,7 +697,7 @@ static int line6_init_cap_control(struct usb_line6 *line6) return -ENOMEM; if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) { - line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL); + line6->buffer_message = kzalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL); if (!line6->buffer_message) return -ENOMEM;
[Syzbot reported] BUG: KMSAN: uninit-value in line6_pod_process_message+0x72f/0x7b0 sound/usb/line6/pod.c:201 line6_pod_process_message+0x72f/0x7b0 sound/usb/line6/pod.c:201 line6_data_received+0x5db/0x7e0 sound/usb/line6/driver.c:317 __usb_hcd_giveback_urb+0x508/0x770 drivers/usb/core/hcd.c:1648 usb_hcd_giveback_urb+0x157/0x720 drivers/usb/core/hcd.c:1732 dummy_timer+0xd93/0x6b10 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x49/0x580 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x84e/0xe90 kernel/time/timer.c:2429 run_timer_base kernel/time/timer.c:2438 [inline] run_timer_softirq+0x3a/0x70 kernel/time/timer.c:2448 __do_softirq+0x1c0/0x7d7 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu kernel/softirq.c:633 [inline] irq_exit_rcu+0x6a/0x130 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x83/0x90 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:702 native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline] acpi_safe_halt+0x25/0x30 drivers/acpi/processor_idle.c:112 acpi_idle_do_entry+0x22/0x40 drivers/acpi/processor_idle.c:573 acpi_idle_enter+0xa1/0xc0 drivers/acpi/processor_idle.c:707 cpuidle_enter_state+0xcb/0x250 drivers/cpuidle/cpuidle.c:267 cpuidle_enter+0x7f/0xf0 drivers/cpuidle/cpuidle.c:388 call_cpuidle kernel/sched/idle.c:155 [inline] cpuidle_idle_call kernel/sched/idle.c:236 [inline] do_idle+0x551/0x750 kernel/sched/idle.c:332 cpu_startup_entry+0x65/0x80 kernel/sched/idle.c:430 rest_init+0x1e8/0x260 init/main.c:732 start_kernel+0x927/0xa70 init/main.c:1074 x86_64_start_reservations+0x2e/0x30 arch/x86/kernel/head64.c:507 x86_64_start_kernel+0x98/0xa0 arch/x86/kernel/head64.c:488 common_startup_64+0x12c/0x137 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmalloc_trace+0x578/0xba0 mm/slub.c:3992 kmalloc include/linux/slab.h:628 [inline] line6_init_cap_control+0x4f1/0x770 sound/usb/line6/driver.c:700 line6_probe+0xeae/0x1120 sound/usb/line6/driver.c:797 pod_probe+0x79/0x90 sound/usb/line6/pod.c:522 usb_probe_interface+0xd6f/0x1350 drivers/usb/core/driver.c:399 really_probe+0x4db/0xd90 drivers/base/dd.c:656 __driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:798 driver_probe_device+0x72/0x890 drivers/base/dd.c:828 __device_attach_driver+0x568/0x9e0 drivers/base/dd.c:956 bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457 __device_attach+0x3c1/0x650 drivers/base/dd.c:1028 device_initial_probe+0x32/0x40 drivers/base/dd.c:1077 bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532 device_add+0x1475/0x1c90 drivers/base/core.c:3705 usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:254 usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:294 really_probe+0x4db/0xd90 drivers/base/dd.c:656 __driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:798 driver_probe_device+0x72/0x890 drivers/base/dd.c:828 __device_attach_driver+0x568/0x9e0 drivers/base/dd.c:956 bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457 __device_attach+0x3c1/0x650 drivers/base/dd.c:1028 device_initial_probe+0x32/0x40 drivers/base/dd.c:1077 bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532 device_add+0x1475/0x1c90 drivers/base/core.c:3705 usb_new_device+0x15ff/0x2470 drivers/usb/core/hub.c:2643 hub_port_connect drivers/usb/core/hub.c:5512 [inline] hub_port_connect_change drivers/usb/core/hub.c:5652 [inline] port_event drivers/usb/core/hub.c:5812 [inline] hub_event+0x4ff8/0x72d0 drivers/usb/core/hub.c:5894 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa81/0x1bd0 kernel/workqueue.c:3335 worker_thread+0xea5/0x1560 kernel/workqueue.c:3416 kthread+0x3e2/0x540 kernel/kthread.c:388 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 [Fix] Let's clear all the content of the buffer message during alloc. Reported-and-tested-by: syzbot+7fb05ccf7b3d2f9617b3@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- sound/usb/line6/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)