* KMSAN: uninit-value in digitv_rc_query
From: syzbot @ 2019-11-08 17:04 UTC
To: glider, linux-kernel, linux-media, mchehab, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    1e76a3e5 kmsan: replace __GFP_NO_KMSAN_SHADOW with kmsan_i..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=16860a63600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
dashboard link: https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12c1101b600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15db3cfd600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com

dvb-usb: schedule remote query interval to 1000 msecs.
dvb-usb: Nebula Electronics uDigiTV DVB-T USB2.0) successfully initialized and connected.
dvb-usb: bulk message failed: -22 (7/0)
dvb-usb: bulk message failed: -22 (7/0)
dvb-usb: bulk message failed: -22 (7/-30591)
dvb-usb: bulk message failed: -22 (7/0)
=====================================================
BUG: KMSAN: uninit-value in legacy_dvb_usb_read_remote_control+0x106/0x790 drivers/media/usb/dvb-usb/dvb-usb-remote.c:123
CPU: 1 PID: 3844 Comm: kworker/1:2 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events legacy_dvb_usb_read_remote_control
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
 digitv_rc_query+0x76a/0x890 drivers/media/usb/dvb-usb/digitv.c:259
 legacy_dvb_usb_read_remote_control+0x106/0x790 drivers/media/usb/dvb-usb/dvb-usb-remote.c:123
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Local variable description: ----key@digitv_rc_query
Variable was created at:
 digitv_rc_query+0x78/0x890 drivers/media/usb/dvb-usb/digitv.c:234
 legacy_dvb_usb_read_remote_control+0x106/0x790 drivers/media/usb/dvb-usb/dvb-usb-remote.c:123
=====================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3844 Comm: kworker/1:2 Tainted: G B 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events legacy_dvb_usb_read_remote_control
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 panic+0x3c9/0xc1e kernel/panic.c:219
 kmsan_report+0x2a2/0x2b0 mm/kmsan/kmsan_report.c:131
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
 digitv_rc_query+0x76a/0x890 drivers/media/usb/dvb-usb/digitv.c:259
 legacy_dvb_usb_read_remote_control+0x106/0x790 drivers/media/usb/dvb-usb/dvb-usb-remote.c:123
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
Kernel Offset: disabled
Rebooting in 86400 seconds..

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

* [PATCH] media: dvb: check return value digitv_ctrl_msg 2019-11-08 17:04 KMSAN: uninit-value in digitv_rc_query syzbot @ 2019-12-03 0:41 ` Phong Tran 2020-01-15 17:32 ` Sean Young 0 siblings, 1 reply; 5+ messages in thread From: Phong Tran @ 2019-12-03 0:41 UTC (permalink / raw) To: mchehab, gregkh, allison, tglx, syzbot+6bf9606ee955b646c0e1 Cc: linux-media, linux-kernel, glider, syzkaller-bugs, Phong Tran For fixing syzbot "KMSAN: uninit-value in digitv_rc_query" In scenario testing for syzbot, failure reading from digitv_ctrl_msg() [1]. Eg: [ 91.846657][ T3844] dvb-usb: bulk message failed: -22 (7/0) digitv_rc_query() always return 0. But in this case a wrong thing happens. Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com Tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com [1]: https://syzkaller.appspot.com/text?tag=CrashLog&x=16860a63600000 [2]: https://groups.google.com/d/msg/syzkaller-bugs/-TXIJAZ0J9Q/T4PEUQoeAQAJ Signed-off-by: Phong Tran <tranmanphong@gmail.com> --- drivers/media/usb/dvb-usb/digitv.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c index dd5bb230cec1..61bc8945e6b9 100644 --- a/drivers/media/usb/dvb-usb/digitv.c +++ b/drivers/media/usb/dvb-usb/digitv.c 
@@ -231,17 +231,21 @@ static struct rc_map_table rc_map_digitv_table[] = { static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state) { int i; - u8 key[5]; + u8 key[5] = { 0 }; u8 b[4] = { 0 }; + int ret; *event = 0; *state = REMOTE_NO_KEY_PRESSED; - digitv_ctrl_msg(d,USB_READ_REMOTE,0,NULL,0,&key[1],4); - + ret = digitv_ctrl_msg(d, USB_READ_REMOTE, 0, NULL, 0, &key[1], 4); + if (ret < 0) + return ret; /* Tell the device we've read the remote. Not sure how necessary this is, but the Nebula SDK does it. */ - digitv_ctrl_msg(d,USB_WRITE_REMOTE,0,b,4,NULL,0); + ret = digitv_ctrl_msg(d, USB_WRITE_REMOTE, 0, b, 4, NULL, 0); + if (ret < 0) + return ret; /* if something is inside the buffer, simulate key press */ if (key[1] != 0) -- 2.20.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
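Review bot: The `u8 key[5] = { 0 };` initialiser at the top of the hunk is not mentioned in the commit message, and it covers up a buffer-layout issue rather than removing it. The read is issued as `&key[1], 4`, so `key[0]` is never written by the device and only the blanket zero-init gives it a defined value. Once the new `if (ret < 0) return ret;` follows USB_READ_REMOTE, the four bytes the read targets are no longer consumed after a failed transfer, so the initialiser exists only for the slot the read never fills. Declaring `u8 key[4]`, reading into `key`, and shifting the later indices down by one would remove that slot instead. Separately, the second `if (ret < 0) return ret;` after USB_WRITE_REMOTE discards a key that was already read successfully; since the comment above it says the acknowledgement may not be necessary, either let the query continue on that failure or explain in the commit message why it must abort.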
* Re: [PATCH] media: dvb: check return value digitv_ctrl_msg 2019-12-03 0:41 ` [PATCH] media: dvb: check return value digitv_ctrl_msg Phong Tran @ 2020-01-15 17:32 ` Sean Young 2020-01-15 18:01 ` Dan Carpenter 0 siblings, 1 reply; 5+ messages in thread From: Sean Young @ 2020-01-15 17:32 UTC (permalink / raw) To: Phong Tran Cc: mchehab, gregkh, allison, tglx, syzbot+6bf9606ee955b646c0e1, linux-media, linux-kernel, glider, syzkaller-bugs Hello, On Tue, Dec 03, 2019 at 07:41:38AM +0700, Phong Tran wrote: > For fixing syzbot "KMSAN: uninit-value in digitv_rc_query" > > In scenario testing for syzbot, failure reading from > digitv_ctrl_msg() [1]. > > Eg: > [ 91.846657][ T3844] dvb-usb: bulk message failed: -22 (7/0) > > digitv_rc_query() always return 0. But in this case a wrong thing happens. > > Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com > Tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com A fix for this was already merged I'm afraid, see commit eecc70d22ae5 ("media: digitv: don't continue if remote control state can't be read"). > [1]: https://syzkaller.appspot.com/text?tag=CrashLog&x=16860a63600000 > [2]: https://groups.google.com/d/msg/syzkaller-bugs/-TXIJAZ0J9Q/T4PEUQoeAQAJ > > Signed-off-by: Phong Tran <tranmanphong@gmail.com> > --- > drivers/media/usb/dvb-usb/digitv.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c > index dd5bb230cec1..61bc8945e6b9 100644 > --- a/drivers/media/usb/dvb-usb/digitv.c > +++ b/drivers/media/usb/dvb-usb/digitv.c 
> @@ -231,17 +231,21 @@ static struct rc_map_table rc_map_digitv_table[] = { > static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state) > { > int i; > - u8 key[5]; > + u8 key[5] = { 0 }; The merged commit does not change this line. Why was this changed? Thanks Sean > u8 b[4] = { 0 }; > + int ret; > > *event = 0; > *state = REMOTE_NO_KEY_PRESSED; > > - digitv_ctrl_msg(d,USB_READ_REMOTE,0,NULL,0,&key[1],4); > - > + ret = digitv_ctrl_msg(d, USB_READ_REMOTE, 0, NULL, 0, &key[1], 4); > + if (ret < 0) > + return ret; > /* Tell the device we've read the remote. Not sure how necessary > this is, but the Nebula SDK does it. */ > - digitv_ctrl_msg(d,USB_WRITE_REMOTE,0,b,4,NULL,0); > + ret = digitv_ctrl_msg(d, USB_WRITE_REMOTE, 0, b, 4, NULL, 0); > + if (ret < 0) > + return ret; > > /* if something is inside the buffer, simulate key press */ > if (key[1] != 0) > -- > 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] media: dvb: check return value digitv_ctrl_msg 2020-01-15 17:32 ` Sean Young @ 2020-01-15 18:01 ` Dan Carpenter 2020-01-15 18:15 ` Dan Carpenter 0 siblings, 1 reply; 5+ messages in thread From: Dan Carpenter @ 2020-01-15 18:01 UTC (permalink / raw) To: Sean Young Cc: Phong Tran, mchehab, gregkh, allison, tglx, syzbot+6bf9606ee955b646c0e1, linux-media, linux-kernel, glider, syzkaller-bugs On Wed, Jan 15, 2020 at 05:32:26PM +0000, Sean Young wrote: > Hello, > > On Tue, Dec 03, 2019 at 07:41:38AM +0700, Phong Tran wrote: > > For fixing syzbot "KMSAN: uninit-value in digitv_rc_query" > > > > In scenario testing for syzbot, failure reading from > > digitv_ctrl_msg() [1]. > > > > Eg: > > [ 91.846657][ T3844] dvb-usb: bulk message failed: -22 (7/0) > > > > digitv_rc_query() always return 0. But in this case a wrong thing happens. > > > > Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com > > Tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com > > A fix for this was already merged I'm afraid, see commit eecc70d22ae5 > ("media: digitv: don't continue if remote control state can't be read"). > > > [1]: https://syzkaller.appspot.com/text?tag=CrashLog&x=16860a63600000 > > [2]: https://groups.google.com/d/msg/syzkaller-bugs/-TXIJAZ0J9Q/T4PEUQoeAQAJ > > > > Signed-off-by: Phong Tran <tranmanphong@gmail.com> > > --- > > drivers/media/usb/dvb-usb/digitv.c | 12 ++++++++---- > > 1 file changed, 8 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c > > index dd5bb230cec1..61bc8945e6b9 100644 > > --- a/drivers/media/usb/dvb-usb/digitv.c > > +++ b/drivers/media/usb/dvb-usb/digitv.c 
> > @@ -231,17 +231,21 @@ static struct rc_map_table rc_map_digitv_table[] = { > > static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state) > > { > > int i; > > - u8 key[5]; > > + u8 key[5] = { 0 }; > > The merged commit does not change this line. Why was this changed? > It would fix the problem that key[0] is never initialized... But the correct fix is to make key 4 elements long and delete key[0]. regards, dan carpenter ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] media: dvb: check return value digitv_ctrl_msg 2020-01-15 18:01 ` Dan Carpenter @ 2020-01-15 18:15 ` Dan Carpenter 0 siblings, 0 replies; 5+ messages in thread From: Dan Carpenter @ 2020-01-15 18:15 UTC (permalink / raw) To: Sean Young Cc: Phong Tran, mchehab, gregkh, allison, tglx, syzbot+6bf9606ee955b646c0e1, linux-media, linux-kernel, glider, syzkaller-bugs On Wed, Jan 15, 2020 at 09:01:17PM +0300, Dan Carpenter wrote: > On Wed, Jan 15, 2020 at 05:32:26PM +0000, Sean Young wrote: > > Hello, > > > > On Tue, Dec 03, 2019 at 07:41:38AM +0700, Phong Tran wrote: > > > For fixing syzbot "KMSAN: uninit-value in digitv_rc_query" > > > > > > In scenario testing for syzbot, failure reading from > > > digitv_ctrl_msg() [1]. > > > > > > Eg: > > > [ 91.846657][ T3844] dvb-usb: bulk message failed: -22 (7/0) > > > > > > digitv_rc_query() always return 0. But in this case a wrong thing happens. > > > > > > Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com > > > Tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com > > > > A fix for this was already merged I'm afraid, see commit eecc70d22ae5 > > ("media: digitv: don't continue if remote control state can't be read"). > > > > > [1]: https://syzkaller.appspot.com/text?tag=CrashLog&x=16860a63600000 > > > [2]: https://groups.google.com/d/msg/syzkaller-bugs/-TXIJAZ0J9Q/T4PEUQoeAQAJ > > > > > > Signed-off-by: Phong Tran <tranmanphong@gmail.com> > > > --- > > > drivers/media/usb/dvb-usb/digitv.c | 12 ++++++++---- > > > 1 file changed, 8 insertions(+), 4 deletions(-) > > > > > > diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c > > > index dd5bb230cec1..61bc8945e6b9 100644 > > > --- a/drivers/media/usb/dvb-usb/digitv.c > > > +++ b/drivers/media/usb/dvb-usb/digitv.c 
> > > @@ -231,17 +231,21 @@ static struct rc_map_table rc_map_digitv_table[] = { > > > static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state) > > > { > > > int i; > > > - u8 key[5]; > > > + u8 key[5] = { 0 }; > > > > The merged commit does not change this line. Why was this changed? > > > > It would fix the problem that key[0] is never initialized... But the > correct fix is to make key 4 elements long and delete key[0]. Phong, Presumably you can fix this? You will have to renumber key[1] to key[0] and key[2] to key[1] etc... Add a fixes tag. Fixes: 774c0de4aed4 ("V4L/DVB (4616): [PATCH] Nebula DigiTV USB RC support") Otherwise if you want I can send the patch. regards, dan carpenter ^ permalink raw reply [flat|nested] 5+ messages in thread
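An added user-space illustration of the failure mode discussed in this thread, not code from the patch or the kernel tree. `fake_ctrl_msg`, `decode_key` and both `rc_query_*` functions are hypothetical stand-ins; the 0xAA fill models leftover stack bytes deterministically, and the reply bytes and key decoding are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

enum { NO_KEY_PRESSED, KEY_PRESSED };

/* Hypothetical device read: on failure the caller's buffer is untouched. */
static int fake_ctrl_msg(int fail, uint8_t *rbuf, size_t rlen)
{
    static const uint8_t reply[4] = { 0x01, 0x02, 0x03, 0x04 }; /* constructed */
    if (fail)
        return -EINVAL; /* the -22 in the log */
    memcpy(rbuf, reply, rlen < sizeof(reply) ? rlen : sizeof(reply));
    return 0;
}

/* Assumed decoding: a non-zero first byte is treated as a key press. */
static void decode_key(const uint8_t *key, uint32_t *event, int *state)
{
    *event = 0;
    *state = NO_KEY_PRESSED;
    if (key[0] != 0) {
        *event = key[1];
        *state = KEY_PRESSED;
    }
}

/* Before: return value ignored, so leftover bytes are decoded as a key. */
static int rc_query_unchecked(int fail, uint32_t *event, int *state)
{
    uint8_t key[4];
    memset(key, 0xAA, sizeof(key)); /* models stale stack contents */
    fake_ctrl_msg(fail, key, sizeof(key));
    decode_key(key, event, state);
    return 0;
}

/* After: 4-byte buffer indexed from 0; a failed read is propagated. */
static int rc_query_checked(int fail, uint32_t *event, int *state)
{
    uint8_t key[4];
    *event = 0;
    *state = NO_KEY_PRESSED;
    int ret = fake_ctrl_msg(fail, key, sizeof(key));
    if (ret < 0)
        return ret;
    decode_key(key, event, state);
    return 0;
}
```

With a failing read, the unchecked variant reports a key press built from the 0xAA filler and still returns 0, while the checked variant returns the error and leaves the state at no key pressed.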