* KMSAN: uninit-value in usb_autopm_put_interface
From: syzbot @ 2019-09-16 18:49 UTC (permalink / raw)
  To: glider, gregkh, kai.heng.feng, linux-kernel, linux-usb, stern,
	syzkaller-bugs, yuehaibing

Hello,

syzbot found the following crash on:

HEAD commit:    014077b5 DO-NOT-SUBMIT: usb-fuzzer: main usb gadget fuzzer..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=16a7dde1600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
dashboard link: https://syzkaller.appspot.com/bug?extid=e1d1a6e595adbd2458f1
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176303e1600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e8f23e600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e1d1a6e595adbd2458f1@syzkaller.appspotmail.com

==================================================================
BUG: KMSAN: uninit-value in __write_once_size include/linux/compiler.h:235 [inline]
BUG: KMSAN: uninit-value in pm_runtime_mark_last_busy include/linux/pm_runtime.h:107 [inline]
BUG: KMSAN: uninit-value in usb_mark_last_busy include/linux/usb.h:774 [inline]
BUG: KMSAN: uninit-value in usb_autopm_put_interface+0xf2/0x120 drivers/usb/core/driver.c:1630
CPU: 0 PID: 11318 Comm: syz-executor549 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x191/0x1f0 lib/dump_stack.c:113
  kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
  __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
  __write_once_size include/linux/compiler.h:235 [inline]
  pm_runtime_mark_last_busy include/linux/pm_runtime.h:107 [inline]
  usb_mark_last_busy include/linux/usb.h:774 [inline]
  usb_autopm_put_interface+0xf2/0x120 drivers/usb/core/driver.c:1630
  usbhid_power+0x12a/0x170 drivers/hid/usbhid/hid-core.c:1238
  hid_hw_power include/linux/hid.h:1038 [inline]
  drop_ref drivers/hid/hidraw.c:338 [inline]
  hidraw_release+0x4a9/0x6b0 drivers/hid/hidraw.c:356
  __fput+0x4c9/0xba0 fs/file_table.c:280
  ____fput+0x37/0x40 fs/file_table.c:313
  task_work_run+0x22e/0x2a0 kernel/task_work.c:113
  tracehook_notify_resume include/linux/tracehook.h:188 [inline]
  exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
  prepare_exit_to_usermode+0x39d/0x4d0 arch/x86/entry/common.c:194
  syscall_return_slowpath+0x90/0x610 arch/x86/entry/common.c:274
  do_syscall_64+0xe2/0xf0 arch/x86/entry/common.c:300
  entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x401b20
Code: 01 f0 ff ff 0f 83 c0 0b 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d ad 5b 2d 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 94 0b 00 00 c3 48 83 ec 08 e8 fa 00 00 00
RSP: 002b:00007ffc46217cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffea RBX: 0000000000000000 RCX: 0000000000401b20
RDX: 0000000000000000 RSI: 000000000010503d RDI: 00007ffc46217cc0
RBP: 6666666666666667 R08: 000000000000000f R09: 000000000000000b
R10: 0000000000000075 R11: 0000000000000246 R12: 0000000000402b40
R13: 0000000000402bd0 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:189 [inline]
  kmsan_internal_poison_shadow+0x58/0xb0 mm/kmsan/kmsan.c:148
  kmsan_slab_free+0x8d/0x100 mm/kmsan/kmsan_hooks.c:195
  slab_free_freelist_hook mm/slub.c:1472 [inline]
  slab_free mm/slub.c:3038 [inline]
  kfree+0x4c1/0x2db0 mm/slub.c:3980
  usb_release_interface+0x105/0x120 drivers/usb/core/message.c:1633
  device_release+0xe2/0x380 drivers/base/core.c:1060
  kobject_cleanup lib/kobject.c:693 [inline]
  kobject_release lib/kobject.c:722 [inline]
  kref_put include/linux/kref.h:65 [inline]
  kobject_put+0x38d/0x480 lib/kobject.c:739
  put_device+0x51/0x70 drivers/base/core.c:2264
  usb_disable_device+0x69a/0x1150 drivers/usb/core/message.c:1248
  usb_disconnect+0x51e/0xd60 drivers/usb/core/hub.c:2199
  hub_port_connect drivers/usb/core/hub.c:4949 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x3fd0/0x72f0 drivers/usb/core/hub.c:5441
  process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
  worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
  kthread+0x4b5/0x4f0 kernel/kthread.c:256
  ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: KMSAN: uninit-value in usb_autopm_put_interface
From: Alan Stern @ 2019-09-16 20:31 UTC (permalink / raw)
  To: syzbot
  Cc: glider, gregkh, kai.heng.feng, Kernel development list, USB list,
	syzkaller-bugs, yuehaibing

On Mon, 16 Sep 2019, syzbot wrote:

> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    014077b5 DO-NOT-SUBMIT: usb-fuzzer: main usb gadget fuzzer..
> git tree:       https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=16a7dde1600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> dashboard link: https://syzkaller.appspot.com/bug?extid=e1d1a6e595adbd2458f1
> compiler:       clang version 9.0.0 (/home/glider/llvm/clang  
> 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176303e1600000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e8f23e600000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e1d1a6e595adbd2458f1@syzkaller.appspotmail.com
> 
> ==================================================================
> BUG: KMSAN: uninit-value in __write_once_size include/linux/compiler.h:235  
> [inline]
> BUG: KMSAN: uninit-value in pm_runtime_mark_last_busy  
> include/linux/pm_runtime.h:107 [inline]
> BUG: KMSAN: uninit-value in usb_mark_last_busy include/linux/usb.h:774  
> [inline]
> BUG: KMSAN: uninit-value in usb_autopm_put_interface+0xf2/0x120  
> drivers/usb/core/driver.c:1630
> CPU: 0 PID: 11318 Comm: syz-executor549 Not tainted 5.3.0-rc7+ #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x191/0x1f0 lib/dump_stack.c:113
>   kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
>   __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
>   __write_once_size include/linux/compiler.h:235 [inline]
>   pm_runtime_mark_last_busy include/linux/pm_runtime.h:107 [inline]
>   usb_mark_last_busy include/linux/usb.h:774 [inline]
>   usb_autopm_put_interface+0xf2/0x120 drivers/usb/core/driver.c:1630
>   usbhid_power+0x12a/0x170 drivers/hid/usbhid/hid-core.c:1238
>   hid_hw_power include/linux/hid.h:1038 [inline]
>   drop_ref drivers/hid/hidraw.c:338 [inline]
>   hidraw_release+0x4a9/0x6b0 drivers/hid/hidraw.c:356
>   __fput+0x4c9/0xba0 fs/file_table.c:280
>   ____fput+0x37/0x40 fs/file_table.c:313
>   task_work_run+0x22e/0x2a0 kernel/task_work.c:113
>   tracehook_notify_resume include/linux/tracehook.h:188 [inline]
>   exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
>   prepare_exit_to_usermode+0x39d/0x4d0 arch/x86/entry/common.c:194
>   syscall_return_slowpath+0x90/0x610 arch/x86/entry/common.c:274
>   do_syscall_64+0xe2/0xf0 arch/x86/entry/common.c:300
>   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> RIP: 0033:0x401b20
> Code: 01 f0 ff ff 0f 83 c0 0b 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f  
> 44 00 00 83 3d ad 5b 2d 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff  
> ff 0f 83 94 0b 00 00 c3 48 83 ec 08 e8 fa 00 00 00
> RSP: 002b:00007ffc46217cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
> RAX: ffffffffffffffea RBX: 0000000000000000 RCX: 0000000000401b20
> RDX: 0000000000000000 RSI: 000000000010503d RDI: 00007ffc46217cc0
> RBP: 6666666666666667 R08: 000000000000000f R09: 000000000000000b
> R10: 0000000000000075 R11: 0000000000000246 R12: 0000000000402b40
> R13: 0000000000402bd0 R14: 0000000000000000 R15: 0000000000000000
> 
> Uninit was created at:
>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:189 [inline]
>   kmsan_internal_poison_shadow+0x58/0xb0 mm/kmsan/kmsan.c:148
>   kmsan_slab_free+0x8d/0x100 mm/kmsan/kmsan_hooks.c:195
>   slab_free_freelist_hook mm/slub.c:1472 [inline]
>   slab_free mm/slub.c:3038 [inline]
>   kfree+0x4c1/0x2db0 mm/slub.c:3980
>   usb_release_interface+0x105/0x120 drivers/usb/core/message.c:1633
>   device_release+0xe2/0x380 drivers/base/core.c:1060
>   kobject_cleanup lib/kobject.c:693 [inline]
>   kobject_release lib/kobject.c:722 [inline]
>   kref_put include/linux/kref.h:65 [inline]
>   kobject_put+0x38d/0x480 lib/kobject.c:739
>   put_device+0x51/0x70 drivers/base/core.c:2264
>   usb_disable_device+0x69a/0x1150 drivers/usb/core/message.c:1248
>   usb_disconnect+0x51e/0xd60 drivers/usb/core/hub.c:2199
>   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x3fd0/0x72f0 drivers/usb/core/hub.c:5441
>   process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
>   worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
>   kthread+0x4b5/0x4f0 kernel/kthread.c:256
>   ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
> ==================================================================
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

This is probably the same problem that was fixed in the Logitech driver
earlier.  The fix still appears to be in linux-next (commit
5f9242775bb6).

Shouldn't syzbot wait until after the merge window before running tests
like this?

Alan Stern



* Re: KMSAN: uninit-value in usb_autopm_put_interface
From: Dmitry Vyukov @ 2019-09-17  6:37 UTC (permalink / raw)
  To: Alan Stern
  Cc: syzbot, Alexander Potapenko, Greg Kroah-Hartman, kai heng feng,
	Kernel development list, USB list, syzkaller-bugs, yuehaibing

On Mon, Sep 16, 2019 at 10:31 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Mon, 16 Sep 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    014077b5 DO-NOT-SUBMIT: usb-fuzzer: main usb gadget fuzzer..
> > git tree:       https://github.com/google/kmsan.git master
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16a7dde1600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e1d1a6e595adbd2458f1
> > compiler:       clang version 9.0.0 (/home/glider/llvm/clang
> > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176303e1600000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e8f23e600000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+e1d1a6e595adbd2458f1@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KMSAN: uninit-value in __write_once_size include/linux/compiler.h:235
> > [inline]
> > BUG: KMSAN: uninit-value in pm_runtime_mark_last_busy
> > include/linux/pm_runtime.h:107 [inline]
> > BUG: KMSAN: uninit-value in usb_mark_last_busy include/linux/usb.h:774
> > [inline]
> > BUG: KMSAN: uninit-value in usb_autopm_put_interface+0xf2/0x120
> > drivers/usb/core/driver.c:1630
> > CPU: 0 PID: 11318 Comm: syz-executor549 Not tainted 5.3.0-rc7+ #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> >   kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
> >   __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
> >   __write_once_size include/linux/compiler.h:235 [inline]
> >   pm_runtime_mark_last_busy include/linux/pm_runtime.h:107 [inline]
> >   usb_mark_last_busy include/linux/usb.h:774 [inline]
> >   usb_autopm_put_interface+0xf2/0x120 drivers/usb/core/driver.c:1630
> >   usbhid_power+0x12a/0x170 drivers/hid/usbhid/hid-core.c:1238
> >   hid_hw_power include/linux/hid.h:1038 [inline]
> >   drop_ref drivers/hid/hidraw.c:338 [inline]
> >   hidraw_release+0x4a9/0x6b0 drivers/hid/hidraw.c:356
> >   __fput+0x4c9/0xba0 fs/file_table.c:280
> >   ____fput+0x37/0x40 fs/file_table.c:313
> >   task_work_run+0x22e/0x2a0 kernel/task_work.c:113
> >   tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> >   exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
> >   prepare_exit_to_usermode+0x39d/0x4d0 arch/x86/entry/common.c:194
> >   syscall_return_slowpath+0x90/0x610 arch/x86/entry/common.c:274
> >   do_syscall_64+0xe2/0xf0 arch/x86/entry/common.c:300
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > RIP: 0033:0x401b20
> > Code: 01 f0 ff ff 0f 83 c0 0b 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f
> > 44 00 00 83 3d ad 5b 2d 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff
> > ff 0f 83 94 0b 00 00 c3 48 83 ec 08 e8 fa 00 00 00
> > RSP: 002b:00007ffc46217cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
> > RAX: ffffffffffffffea RBX: 0000000000000000 RCX: 0000000000401b20
> > RDX: 0000000000000000 RSI: 000000000010503d RDI: 00007ffc46217cc0
> > RBP: 6666666666666667 R08: 000000000000000f R09: 000000000000000b
> > R10: 0000000000000075 R11: 0000000000000246 R12: 0000000000402b40
> > R13: 0000000000402bd0 R14: 0000000000000000 R15: 0000000000000000
> >
> > Uninit was created at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:189 [inline]
> >   kmsan_internal_poison_shadow+0x58/0xb0 mm/kmsan/kmsan.c:148
> >   kmsan_slab_free+0x8d/0x100 mm/kmsan/kmsan_hooks.c:195
> >   slab_free_freelist_hook mm/slub.c:1472 [inline]
> >   slab_free mm/slub.c:3038 [inline]
> >   kfree+0x4c1/0x2db0 mm/slub.c:3980
> >   usb_release_interface+0x105/0x120 drivers/usb/core/message.c:1633
> >   device_release+0xe2/0x380 drivers/base/core.c:1060
> >   kobject_cleanup lib/kobject.c:693 [inline]
> >   kobject_release lib/kobject.c:722 [inline]
> >   kref_put include/linux/kref.h:65 [inline]
> >   kobject_put+0x38d/0x480 lib/kobject.c:739
> >   put_device+0x51/0x70 drivers/base/core.c:2264
> >   usb_disable_device+0x69a/0x1150 drivers/usb/core/message.c:1248
> >   usb_disconnect+0x51e/0xd60 drivers/usb/core/hub.c:2199
> >   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x3fd0/0x72f0 drivers/usb/core/hub.c:5441
> >   process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
> >   worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
> >   kthread+0x4b5/0x4f0 kernel/kthread.c:256
> >   ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
> > ==================================================================
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
>
> This is probably the same problem that was fixed in the Logitech driver
> earlier.  The fix still appears to be in linux-next (commit
> 5f9242775bb6).
>
> Shouldn't syzbot wait until after the merge window before running tests
> like this?


Merge window is a weak notion and may not be enough either (not all trees
necessarily update at that point, and syzbot does not necessarily
rebuild all of them successfully). syzbot uses another criterion: if
you say a bug is fixed by commit X, it will wait until commit X
reaches all of the tested trees and will report the same crash signature
again only after that. This procedure was specifically designed not to
produce duplicate reports about the same bug.
So either the bug wasn't really fixed, or this is another bug, or
syzbot was given a wrong commit.


* Re: KMSAN: uninit-value in usb_autopm_put_interface
From: Andrey Konovalov @ 2019-09-17 11:56 UTC (permalink / raw)
  To: Alan Stern
  Cc: syzbot, Alexander Potapenko, Greg Kroah-Hartman, Kai Heng Feng,
	Kernel development list, USB list, syzkaller-bugs, yuehaibing

On Mon, Sep 16, 2019 at 10:31 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Mon, 16 Sep 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    014077b5 DO-NOT-SUBMIT: usb-fuzzer: main usb gadget fuzzer..
> > git tree:       https://github.com/google/kmsan.git master
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16a7dde1600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e1d1a6e595adbd2458f1
> > compiler:       clang version 9.0.0 (/home/glider/llvm/clang
> > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176303e1600000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e8f23e600000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+e1d1a6e595adbd2458f1@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KMSAN: uninit-value in __write_once_size include/linux/compiler.h:235
> > [inline]
> > BUG: KMSAN: uninit-value in pm_runtime_mark_last_busy
> > include/linux/pm_runtime.h:107 [inline]
> > BUG: KMSAN: uninit-value in usb_mark_last_busy include/linux/usb.h:774
> > [inline]
> > BUG: KMSAN: uninit-value in usb_autopm_put_interface+0xf2/0x120
> > drivers/usb/core/driver.c:1630
> > CPU: 0 PID: 11318 Comm: syz-executor549 Not tainted 5.3.0-rc7+ #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> >   kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
> >   __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
> >   __write_once_size include/linux/compiler.h:235 [inline]
> >   pm_runtime_mark_last_busy include/linux/pm_runtime.h:107 [inline]
> >   usb_mark_last_busy include/linux/usb.h:774 [inline]
> >   usb_autopm_put_interface+0xf2/0x120 drivers/usb/core/driver.c:1630
> >   usbhid_power+0x12a/0x170 drivers/hid/usbhid/hid-core.c:1238
> >   hid_hw_power include/linux/hid.h:1038 [inline]
> >   drop_ref drivers/hid/hidraw.c:338 [inline]
> >   hidraw_release+0x4a9/0x6b0 drivers/hid/hidraw.c:356
> >   __fput+0x4c9/0xba0 fs/file_table.c:280
> >   ____fput+0x37/0x40 fs/file_table.c:313
> >   task_work_run+0x22e/0x2a0 kernel/task_work.c:113
> >   tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> >   exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
> >   prepare_exit_to_usermode+0x39d/0x4d0 arch/x86/entry/common.c:194
> >   syscall_return_slowpath+0x90/0x610 arch/x86/entry/common.c:274
> >   do_syscall_64+0xe2/0xf0 arch/x86/entry/common.c:300
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > RIP: 0033:0x401b20
> > Code: 01 f0 ff ff 0f 83 c0 0b 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f
> > 44 00 00 83 3d ad 5b 2d 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff
> > ff 0f 83 94 0b 00 00 c3 48 83 ec 08 e8 fa 00 00 00
> > RSP: 002b:00007ffc46217cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
> > RAX: ffffffffffffffea RBX: 0000000000000000 RCX: 0000000000401b20
> > RDX: 0000000000000000 RSI: 000000000010503d RDI: 00007ffc46217cc0
> > RBP: 6666666666666667 R08: 000000000000000f R09: 000000000000000b
> > R10: 0000000000000075 R11: 0000000000000246 R12: 0000000000402b40
> > R13: 0000000000402bd0 R14: 0000000000000000 R15: 0000000000000000
> >
> > Uninit was created at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:189 [inline]
> >   kmsan_internal_poison_shadow+0x58/0xb0 mm/kmsan/kmsan.c:148
> >   kmsan_slab_free+0x8d/0x100 mm/kmsan/kmsan_hooks.c:195
> >   slab_free_freelist_hook mm/slub.c:1472 [inline]
> >   slab_free mm/slub.c:3038 [inline]
> >   kfree+0x4c1/0x2db0 mm/slub.c:3980
> >   usb_release_interface+0x105/0x120 drivers/usb/core/message.c:1633
> >   device_release+0xe2/0x380 drivers/base/core.c:1060
> >   kobject_cleanup lib/kobject.c:693 [inline]
> >   kobject_release lib/kobject.c:722 [inline]
> >   kref_put include/linux/kref.h:65 [inline]
> >   kobject_put+0x38d/0x480 lib/kobject.c:739
> >   put_device+0x51/0x70 drivers/base/core.c:2264
> >   usb_disable_device+0x69a/0x1150 drivers/usb/core/message.c:1248
> >   usb_disconnect+0x51e/0xd60 drivers/usb/core/hub.c:2199
> >   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x3fd0/0x72f0 drivers/usb/core/hub.c:5441
> >   process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
> >   worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
> >   kthread+0x4b5/0x4f0 kernel/kthread.c:256
> >   ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
> > ==================================================================
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
>
> This is probably the same problem that was fixed in the Logitech driver
> earlier.  The fix still appears to be in linux-next (commit
> 5f9242775bb6).

Yes, this looks like a different manifestation of the same issue; let's dup it:

#syz dup: general protection fault in __pm_runtime_resume

> Shouldn't syzbot wait until after the merge window before running tests
> like this?

Syzbot just keeps on fuzzing and reports any new issues that it finds.
The reason this one got reported separately is that syzbot has no
way to know whether this report is caused by the same issue as some
other one that got marked as fixed. I'll keep looking out for more and
keep duping them until the fix is in the USB tree.

Thanks!

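The two replies above turn on one distinction: syzbot's duplicate detection keys on the crash signature, which names the use site (`usb_autopm_put_interface`), while the thread treats this report and the earlier general protection fault as one root cause, the freed USB interface. The following Python is an added example and not syzbot's or syzkaller's code: it parses the report from the first message, derives a title in the same style (the frame-selection rule is this example's own approximation of how syzbot names crashes), and derives a separate origin key from the "Uninit was created at:" stack, so that reports with different titles but the same free site can be grouped by a triager.

```python
"""Triage helper for the KMSAN report in this thread (added example, not
syzbot's or syzkaller's code). It derives a title naming the use site, which
is what the crash signature keys on (selection rule is this example's own
approximation), and an origin key naming the free site, so reports that differ
in the first but agree in the second can be grouped by a triager."""

import re

# Abridged copy of the report from the first message of this thread
# (register dump and some scheduler frames trimmed to keep it short).
REPORT = """\
BUG: KMSAN: uninit-value in __write_once_size include/linux/compiler.h:235 [inline]
BUG: KMSAN: uninit-value in pm_runtime_mark_last_busy include/linux/pm_runtime.h:107 [inline]
BUG: KMSAN: uninit-value in usb_mark_last_busy include/linux/usb.h:774 [inline]
BUG: KMSAN: uninit-value in usb_autopm_put_interface+0xf2/0x120 drivers/usb/core/driver.c:1630
CPU: 0 PID: 11318 Comm: syz-executor549 Not tainted 5.3.0-rc7+ #0
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
  __write_once_size include/linux/compiler.h:235 [inline]
  pm_runtime_mark_last_busy include/linux/pm_runtime.h:107 [inline]
  usb_mark_last_busy include/linux/usb.h:774 [inline]
  usb_autopm_put_interface+0xf2/0x120 drivers/usb/core/driver.c:1630
  usbhid_power+0x12a/0x170 drivers/hid/usbhid/hid-core.c:1238
  drop_ref drivers/hid/hidraw.c:338 [inline]
  hidraw_release+0x4a9/0x6b0 drivers/hid/hidraw.c:356
  __fput+0x4c9/0xba0 fs/file_table.c:280

Uninit was created at:
  kmsan_internal_poison_shadow+0x58/0xb0 mm/kmsan/kmsan.c:148
  kmsan_slab_free+0x8d/0x100 mm/kmsan/kmsan_hooks.c:195
  slab_free mm/slub.c:3038 [inline]
  kfree+0x4c1/0x2db0 mm/slub.c:3980
  usb_release_interface+0x105/0x120 drivers/usb/core/message.c:1633
  device_release+0xe2/0x380 drivers/base/core.c:1060
  usb_disable_device+0x69a/0x1150 drivers/usb/core/message.c:1248
  usb_disconnect+0x51e/0xd60 drivers/usb/core/hub.c:2199
  hub_event+0x3fd0/0x72f0 drivers/usb/core/hub.c:5441
"""

FRAME_RE = re.compile(
    r"^\s*(?P<func>[A-Za-z_]\w*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"\s+(?P<file>\S+):(?P<line>\d+)(?P<inline>\s+\[inline\])?")
BUG_RE = re.compile(r"^BUG: (?P<tool>\w+): (?P<kind>[\w-]+) in (?P<rest>.*)$")

# Sanitizer, allocator and stack-dump frames are never the frame a triager
# wants to key on, so they are skipped when choosing a key frame.
NOISE_PREFIXES = ("mm/kmsan/", "mm/slub.c", "lib/dump_stack.c")


def parse_frames(lines):
    """Turn stack lines into frame dicts; non-frame lines are ignored."""
    frames = []
    for ln in lines:
        m = FRAME_RE.match(ln)
        if m:
            frames.append({"func": m["func"], "file": m["file"],
                           "line": int(m["line"]), "inline": bool(m["inline"])})
    return frames


def parse_report(text):
    """Split a KMSAN report into BUG-line frames, use stack and origin stack."""
    rep = {"tool": None, "kind": None, "bug_frames": [], "trace": [], "origin": []}
    section = None
    for ln in text.splitlines():
        m = BUG_RE.match(ln)
        if m:
            rep["tool"], rep["kind"] = m["tool"], m["kind"]
            rep["bug_frames"] += parse_frames([m["rest"]])
        elif ln.startswith("Call Trace:"):
            section = rep["trace"]
        elif ln.startswith("Uninit was created at:"):
            section = rep["origin"]
        elif not ln.strip():
            section = None  # a blank line ends the current stack
        elif section is not None:
            section += parse_frames([ln])
    return rep


def key_frame(frames):
    """First real call site: neither [inline] nor a noise frame."""
    for f in frames:
        if not f["inline"] and not f["file"].startswith(NOISE_PREFIXES):
            return f
    return None


def title(rep):
    """Signature in the style of the thread subject: names the use site only."""
    f = key_frame(rep["bug_frames"]) or key_frame(rep["trace"])
    return f"{rep['tool']}: {rep['kind']} in {f['func']}"


def origin_key(rep):
    """Free site and the non-inline callers that reached it."""
    frames = [f for f in rep["origin"] if not f["file"].startswith(NOISE_PREFIXES)]
    return {"site": key_frame(frames)["func"],
            "path": [f["func"] for f in frames if not f["inline"]]}


def same_root_cause(rep_a, rep_b):
    """Group reports by where the memory was freed, not by where it was used."""
    return origin_key(rep_a)["site"] == origin_key(rep_b)["site"]
```

Run against the embedded report, `title()` reproduces the thread subject while `origin_key()` points at `usb_release_interface` reached from `usb_disconnect`, which is the free that a second use site (such as the earlier general protection fault) would share.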

* Re: KMSAN: uninit-value in usb_autopm_put_interface
From: Alan Stern @ 2019-09-17 14:51 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: syzbot, Alexander Potapenko, Greg Kroah-Hartman, kai heng feng,
	Kernel development list, USB list, syzkaller-bugs, yuehaibing

On Tue, 17 Sep 2019, Dmitry Vyukov wrote:

> On Mon, Sep 16, 2019 at 10:31 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> >
> > On Mon, 16 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    014077b5 DO-NOT-SUBMIT: usb-fuzzer: main usb gadget fuzzer..
> > > git tree:       https://github.com/google/kmsan.git master
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16a7dde1600000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=e1d1a6e595adbd2458f1
> > > compiler:       clang version 9.0.0 (/home/glider/llvm/clang
> > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176303e1600000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e8f23e600000

> > This is probably the same problem that was fixed in the Logitech driver
> > earlier.  The fix still appears to be in linux-next (commit
> > 5f9242775bb6).
> >
> > Shouldn't syzbot wait until after the merge window before running tests
> > like this?
> 
> 
> Merge window is a weak notion and may be not enough either (all trees
> do not necessary update at that point and syzbot does not necessary
> rebuild all of them successfully). syzbot uses another criteria: if
> you say a bug is fixed by commit X, it will wait until commit X
> reaches all of tested trees and will report the same crash signature
> again only after that. This procedure was specifically designed to not
> produce duplicate reports about the same bug.
> So either the bug wasn't really fixed, or this is another bug, or
> syzbot was given a wrong commit.

Hmmm.  Which are the "tested trees"?

This bug (e1d1a6e595adbd2458f1) is marked as a duplicate of 
3cbe5cd105d2ad56a1df.  The dashboard link says that bug was fixed by 
commit "HID: logitech: Fix general protection fault caused by Logitech 
driver" -- which is correct, as far as I know.

That commit is present in linux-next, as mentioned above.  As of 10:44 
EDT today, it is not present in Linus's tree, according to

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/hid/hid-lg.c

(in fact, no commits affecting drivers/hid/hid-lg.c in that tree are 
dated after 2019-07-10).

Furthermore, according to

https://github.com/google/kmsan/blob/master/drivers/hid/hid-lg.c?h=014077b5

the source code actually used by syzbot for this test doesn't have that 
commit either.  (BTW, is there any way to get a git log out of github?  
It would be nice not to have to download the whole source file -- and 
I'm not certain that this URL really does point to the version of the 
file that syzbot used.)

So what's really going on?

Alan Stern



* Re: KMSAN: uninit-value in usb_autopm_put_interface
From: Andrey Konovalov @ 2019-09-17 15:08 UTC (permalink / raw)
  To: Alan Stern
  Cc: Dmitry Vyukov, syzbot, Alexander Potapenko, Greg Kroah-Hartman,
	kai heng feng, Kernel development list, USB list, syzkaller-bugs,
	yuehaibing

On Tue, Sep 17, 2019 at 4:51 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Tue, 17 Sep 2019, Dmitry Vyukov wrote:
>
> > On Mon, Sep 16, 2019 at 10:31 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> > >
> > > On Mon, 16 Sep 2019, syzbot wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:    014077b5 DO-NOT-SUBMIT: usb-fuzzer: main usb gadget fuzzer..
> > > > git tree:       https://github.com/google/kmsan.git master
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=16a7dde1600000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=e1d1a6e595adbd2458f1
> > > > compiler:       clang version 9.0.0 (/home/glider/llvm/clang
> > > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176303e1600000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e8f23e600000
>
> > > This is probably the same problem that was fixed in the Logitech driver
> > > earlier.  The fix still appears to be in linux-next (commit
> > > 5f9242775bb6).
> > >
> > > Shouldn't syzbot wait until after the merge window before running tests
> > > like this?
> >
> >
> > Merge window is a weak notion and may be not enough either (all trees
> > do not necessary update at that point and syzbot does not necessary
> > rebuild all of them successfully). syzbot uses another criteria: if
> > you say a bug is fixed by commit X, it will wait until commit X
> > reaches all of tested trees and will report the same crash signature
> > again only after that. This procedure was specifically designed to not
> > produce duplicate reports about the same bug.
> > So either the bug wasn't really fixed, or this is another bug, or
> > syzbot was given a wrong commit.
>
> Hmmm.  Which are the "tested trees"?
>
> This bug (e1d1a6e595adbd2458f1) is marked as a duplicate of
> 3cbe5cd105d2ad56a1df.  The dashboard link says that bug was fixed by
> commit "HID: logitech: Fix general protection fault caused by Logitech
> driver" -- which is correct, as far as I know.
>
> That commit is present in linux-next, as mentioned above.  As of 10:44
> EDT today, it is not present in Linus's tree, according to
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/hid/hid-lg.c
>
> (in fact, no commits affecting drivers/hid/hid-lg.c in that tree are
> dated after 2019-07-10).
>
> Furthermore, according to
>
> https://github.com/google/kmsan/blob/master/drivers/hid/hid-lg.c?h=014077b5
>
> the source code actually used by syzbot for this test doesn't have that
> commit either.  (BTW, is there any way to get a git log out of github?
> It would be nice not to have to download the whole source file -- and
> I'm not certain that this URL really does point to the version of the
> file that syzbot used.)
>
> So what's really going on?

Please see my response. This report is a different manifestation of
the same Logitech bug.


* Re: KMSAN: uninit-value in usb_autopm_put_interface
From: Alan Stern @ 2019-09-17 15:28 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: Dmitry Vyukov, syzbot, Alexander Potapenko, Greg Kroah-Hartman,
	kai heng feng, Kernel development list, USB list, syzkaller-bugs,
	yuehaibing

On Tue, 17 Sep 2019, Andrey Konovalov wrote:

> On Tue, Sep 17, 2019 at 4:51 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> >
> > On Tue, 17 Sep 2019, Dmitry Vyukov wrote:
> >
> > > On Mon, Sep 16, 2019 at 10:31 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> > > >
> > > > On Mon, 16 Sep 2019, syzbot wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > syzbot found the following crash on:
> > > > >
> > > > > HEAD commit:    014077b5 DO-NOT-SUBMIT: usb-fuzzer: main usb gadget fuzzer..
> > > > > git tree:       https://github.com/google/kmsan.git master
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=16a7dde1600000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=e1d1a6e595adbd2458f1
> > > > > compiler:       clang version 9.0.0 (/home/glider/llvm/clang
> > > > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176303e1600000
> > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e8f23e600000
> >
> > > > This is probably the same problem that was fixed in the Logitech driver
> > > > earlier.  The fix still appears to be in linux-next (commit
> > > > 5f9242775bb6).
> > > >
> > > > Shouldn't syzbot wait until after the merge window before running tests
> > > > like this?
> > >
> > >
> > > Merge window is a weak notion and may be not enough either (all trees
> > > do not necessarily update at that point and syzbot does not necessarily
> > > rebuild all of them successfully). syzbot uses another criterion: if
> > > you say a bug is fixed by commit X, it will wait until commit X
> > > reaches all of tested trees and will report the same crash signature
> > > again only after that. This procedure was specifically designed to not
> > > produce duplicate reports about the same bug.
> > > So either the bug wasn't really fixed, or this is another bug, or
> > > syzbot was given a wrong commit.
> >
> > Hmmm.  Which are the "tested trees"?
> >
> > This bug (e1d1a6e595adbd2458f1) is marked as a duplicate of
> > 3cbe5cd105d2ad56a1df.  The dashboard link says that bug was fixed by
> > commit "HID: logitech: Fix general protection fault caused by Logitech
> > driver" -- which is correct, as far as I know.
> >
> > That commit is present in linux-next, as mentioned above.  As of 10:44
> > EDT today, it is not present in Linus's tree, according to
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/hid/hid-lg.c
> >
> > (in fact, no commits affecting drivers/hid/hid-lg.c in that tree are
> > dated after 2019-07-10).
> >
> > Furthermore, according to
> >
> > https://github.com/google/kmsan/blob/master/drivers/hid/hid-lg.c?h=014077b5
> >
> > the source code actually used by syzbot for this test doesn't have that
> > commit either.  (BTW, is there any way to get a git log out of github?
> > It would be nice not to have to download the whole source file -- and
> > I'm not certain that this URL really does point to the version of the
> > file that syzbot used.)
> >
> > So what's really going on?
> 
> Please see my response. This report is a different manifestation of
> the same Logitech bug.

Hmmm.  Does syzbot have any conception of which drivers are exercised 
by a particular test script?  If it doesn't, there's no way to avoid 
getting these duplicate reports.  Still, it is a little annoying for 
the developers.

Alan Stern



* Re: KMSAN: uninit-value in usb_autopm_put_interface
  2019-09-17 15:28         ` Alan Stern
@ 2019-09-17 18:04           ` Andrey Konovalov
  0 siblings, 0 replies; 8+ messages in thread
From: Andrey Konovalov @ 2019-09-17 18:04 UTC (permalink / raw)
  To: Alan Stern
  Cc: Dmitry Vyukov, syzbot, Alexander Potapenko, Greg Kroah-Hartman,
	kai heng feng, Kernel development list, USB list, syzkaller-bugs,
	yuehaibing

On Tue, Sep 17, 2019 at 5:28 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Tue, 17 Sep 2019, Andrey Konovalov wrote:
>
> > On Tue, Sep 17, 2019 at 4:51 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> > >
> > > On Tue, 17 Sep 2019, Dmitry Vyukov wrote:
> > >
> > > > On Mon, Sep 16, 2019 at 10:31 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> > > > >
> > > > > On Mon, 16 Sep 2019, syzbot wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit:    014077b5 DO-NOT-SUBMIT: usb-fuzzer: main usb gadget fuzzer..
> > > > > > git tree:       https://github.com/google/kmsan.git master
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=16a7dde1600000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=e1d1a6e595adbd2458f1
> > > > > > compiler:       clang version 9.0.0 (/home/glider/llvm/clang
> > > > > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176303e1600000
> > > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e8f23e600000
> > >
> > > > > This is probably the same problem that was fixed in the Logitech driver
> > > > > earlier.  The fix still appears to be in linux-next (commit
> > > > > 5f9242775bb6).
> > > > >
> > > > > Shouldn't syzbot wait until after the merge window before running tests
> > > > > like this?
> > > >
> > > >
> > > > Merge window is a weak notion and may be not enough either (all trees
> > > > do not necessarily update at that point and syzbot does not necessarily
> > > > rebuild all of them successfully). syzbot uses another criterion: if
> > > > you say a bug is fixed by commit X, it will wait until commit X
> > > > reaches all of tested trees and will report the same crash signature
> > > > again only after that. This procedure was specifically designed to not
> > > > produce duplicate reports about the same bug.
> > > > So either the bug wasn't really fixed, or this is another bug, or
> > > > syzbot was given a wrong commit.
> > >
> > > Hmmm.  Which are the "tested trees"?
> > >
> > > This bug (e1d1a6e595adbd2458f1) is marked as a duplicate of
> > > 3cbe5cd105d2ad56a1df.  The dashboard link says that bug was fixed by
> > > commit "HID: logitech: Fix general protection fault caused by Logitech
> > > driver" -- which is correct, as far as I know.
> > >
> > > That commit is present in linux-next, as mentioned above.  As of 10:44
> > > EDT today, it is not present in Linus's tree, according to
> > >
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/hid/hid-lg.c
> > >
> > > (in fact, no commits affecting drivers/hid/hid-lg.c in that tree are
> > > dated after 2019-07-10).
> > >
> > > Furthermore, according to
> > >
> > > https://github.com/google/kmsan/blob/master/drivers/hid/hid-lg.c?h=014077b5
> > >
> > > the source code actually used by syzbot for this test doesn't have that
> > > commit either.  (BTW, is there any way to get a git log out of github?
> > > It would be nice not to have to download the whole source file -- and
> > > I'm not certain that this URL really does point to the version of the
> > > file that syzbot used.)
> > >
> > > So what's really going on?
> >
> > Please see my response. This report is a different manifestation of
> > the same Logitech bug.
>
> Hmmm.  Does syzbot have any conception of which drivers are exercised
> by a particular test script?  If it doesn't, there's no way to avoid
> getting these duplicate reports.  Still, it is a little annoying for
> the developers.

Yeah, syzbot only looks at report titles. I'll try to take care of
duplicate USB reports.


Thread overview: 8+ messages
2019-09-16 18:49 KMSAN: uninit-value in usb_autopm_put_interface syzbot
2019-09-16 20:31 ` Alan Stern
2019-09-17  6:37   ` Dmitry Vyukov
2019-09-17 14:51     ` Alan Stern
2019-09-17 15:08       ` Andrey Konovalov
2019-09-17 15:28         ` Alan Stern
2019-09-17 18:04           ` Andrey Konovalov
2019-09-17 11:56   ` Andrey Konovalov
