* KMSAN: uninit-value in alauda_check_media
From: syzbot @ 2019-10-07 19:39 UTC
To: glider, gregkh, linux-kernel, linux-usb, stern, syzkaller-bugs, usb-storage

Hello,

syzbot found the following crash on:

HEAD commit:    1e76a3e5 kmsan: replace __GFP_NO_KMSAN_SHADOW with kmsan_i..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1204cc63600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
dashboard link: https://syzkaller.appspot.com/bug?extid=e7d46eb426883fb97efd
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=123c860d600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=110631b7600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e7d46eb426883fb97efd@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
 alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
 alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
 usb_stor_invoke_transport+0xf5/0x27e0 drivers/usb/storage/transport.c:606
 usb_stor_transparent_scsi_command+0x5d/0x70 drivers/usb/storage/protocol.c:108
 usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Local variable description: ----status@alauda_check_media
Variable was created at:
 alauda_check_media+0x8e/0x3310 drivers/usb/storage/alauda.c:454
 alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
=====================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 12279 Comm: usb-storage Tainted: G B 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 panic+0x3c9/0xc1e kernel/panic.c:219
 kmsan_report+0x2a2/0x2b0 mm/kmsan/kmsan_report.c:131
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
 alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
 alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
 usb_stor_invoke_transport+0xf5/0x27e0 drivers/usb/storage/transport.c:606
 usb_stor_transparent_scsi_command+0x5d/0x70 drivers/usb/storage/protocol.c:108
 usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
Kernel Offset: disabled
Rebooting in 86400 seconds..

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: KMSAN: uninit-value in alauda_check_media
From: Jaskaran Singh @ 2019-10-11 11:23 UTC
To: syzbot, glider, gregkh, linux-kernel, linux-usb, stern, syzkaller-bugs, usb-storage

On Mon, 2019-10-07 at 12:39 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 1e76a3e5 kmsan: replace __GFP_NO_KMSAN_SHADOW with
> kmsan_i..
> git tree: https://github.com/google/kmsan.git master
> console output:
> https://syzkaller.appspot.com/x/log.txt?x=1204cc63600000
> kernel config:
> https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=e7d46eb426883fb97efd
> compiler: clang version 9.0.0 (/home/glider/llvm/clang
> 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> syz repro:
> https://syzkaller.appspot.com/x/repro.syz?x=123c860d600000
> C reproducer:
> https://syzkaller.appspot.com/x/repro.c?x=110631b7600000
>
> IMPORTANT: if you fix the bug, please add the following tag to the
> commit:
> Reported-by: syzbot+e7d46eb426883fb97efd@syzkaller.appspotmail.com
>
> =====================================================
> BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0
> drivers/usb/storage/alauda.c:1137
> CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
> __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
> alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
> alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
> usb_stor_invoke_transport+0xf5/0x27e0
> drivers/usb/storage/transport.c:606
> usb_stor_transparent_scsi_command+0x5d/0x70
> drivers/usb/storage/protocol.c:108
> usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380
> kthread+0x4b5/0x4f0 kernel/kthread.c:256
> ret_from_fork+0x35/0x40
arch/x86/entry/entry_64.S:355 > > Local variable description: ----status@alauda_check_media > Variable was created at: > alauda_check_media+0x8e/0x3310 drivers/usb/storage/alauda.c:454 > alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137 > ===================================================== > Kernel panic - not syncing: panic_on_warn set ... > CPU: 0 PID: 12279 Comm: usb-storage Tainted: > G B 5.3.0-rc7+ > #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, > BIOS > Google 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0x191/0x1f0 lib/dump_stack.c:113 > panic+0x3c9/0xc1e kernel/panic.c:219 > kmsan_report+0x2a2/0x2b0 mm/kmsan/kmsan_report.c:131 > __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250 > alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460 > alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137 > usb_stor_invoke_transport+0xf5/0x27e0 > drivers/usb/storage/transport.c:606 > usb_stor_transparent_scsi_command+0x5d/0x70 > drivers/usb/storage/protocol.c:108 > usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380 > kthread+0x4b5/0x4f0 kernel/kthread.c:256 > ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355 > Kernel Offset: disabled > Rebooting in 86400 seconds.. > > > --- > This bug is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this bug report. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > syzbot can test patches for this bug, for details see: > https://goo.gl/tpsmEJ#testing-patches #syz test: https://github.com/google/kmsan.git 1e76a3e5 diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c index ddab2cd3d2e7..bb309b9ad65b 100644 --- a/drivers/usb/storage/alauda.c +++ b/drivers/usb/storage/alauda.c 
@@ -452,7 +452,7 @@ static int alauda_init_media(struct us_data *us) static int alauda_check_media(struct us_data *us) { struct alauda_info *info = (struct alauda_info *) us->extra; - unsigned char status[2]; + unsigned char *status = us->iobuf; int rc; rc = alauda_get_media_status(us, status); ^ permalink raw reply related [flat|nested] 19+ messages in thread
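Review bot: the hunk replaces the on-stack `status[2]` with `us->iobuf` but leaves the trailing context line `rc = alauda_get_media_status(us, status);` with no check of rc, and the KMSAN report is about status being examined after that call; when the control transfer fails, nothing is written into the buffer, so whatever is in it (stack garbage or the previous contents of iobuf) is meaningless, and switching buffers does not change that. Add a check directly after the call, e.g. `if (rc != USB_STOR_XFER_GOOD) return USB_STOR_TRANSPORT_ERROR;`, before status[0]/status[1] are read. Moving the transfer buffer off the stack is a correct fix for a different bug (USB transfer buffers must not be stack variables) and deserves its own patch with its own changelog.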
* Re: KMSAN: uninit-value in alauda_check_media
From: Alexander Potapenko @ 2019-10-11 11:51 UTC
To: Jaskaran Singh
Cc: syzbot, Greg Kroah-Hartman, LKML, USB list, Alan Stern, syzkaller-bugs, usb-storage

On Fri, Oct 11, 2019 at 1:23 PM Jaskaran Singh <jaskaransingh7654321@gmail.com> wrote:
>
> On Mon, 2019-10-07 at 12:39 -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: 1e76a3e5 kmsan: replace __GFP_NO_KMSAN_SHADOW with
> > kmsan_i..
> > git tree: https://github.com/google/kmsan.git master
> > console output:
> > https://syzkaller.appspot.com/x/log.txt?x=1204cc63600000
> > kernel config:
> > https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> > dashboard link:
> > https://syzkaller.appspot.com/bug?extid=e7d46eb426883fb97efd
> > compiler: clang version 9.0.0 (/home/glider/llvm/clang
> > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > syz repro:
> > https://syzkaller.appspot.com/x/repro.syz?x=123c860d600000
> > C reproducer:
> > https://syzkaller.appspot.com/x/repro.c?x=110631b7600000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the
> > commit:
> > Reported-by: syzbot+e7d46eb426883fb97efd@syzkaller.appspotmail.com
> >
> > =====================================================
> > BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0
> > drivers/usb/storage/alauda.c:1137
> > CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine,
> > BIOS
> > Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> > kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
> > __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
> > alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
> > alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
> > usb_stor_invoke_transport+0xf5/0x27e0
> > drivers/usb/storage/transport.c:606
> > usb_stor_transparent_scsi_command+0x5d/0x70
> > drivers/usb/storage/protocol.c:108
> > usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380
> > kthread+0x4b5/0x4f0 kernel/kthread.c:256
> > ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
> >
> > Local variable description: ----status@alauda_check_media
> > Variable was created at:
> > alauda_check_media+0x8e/0x3310 drivers/usb/storage/alauda.c:454
> > alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
> > =====================================================
> > Kernel panic - not syncing: panic_on_warn set ...
> > CPU: 0 PID: 12279 Comm: usb-storage Tainted:
> > G B 5.3.0-rc7+
> > #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine,
> > BIOS
> > Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> > panic+0x3c9/0xc1e kernel/panic.c:219
> > kmsan_report+0x2a2/0x2b0 mm/kmsan/kmsan_report.c:131
> > __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
> > alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
> > alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
> > usb_stor_invoke_transport+0xf5/0x27e0
> > drivers/usb/storage/transport.c:606
> > usb_stor_transparent_scsi_command+0x5d/0x70
> > drivers/usb/storage/protocol.c:108
> > usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380
> > kthread+0x4b5/0x4f0 kernel/kthread.c:256
> > ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
> > Kernel Offset: disabled
> > Rebooting in 86400 seconds..
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this bug, for details see: > > https://goo.gl/tpsmEJ#testing-patches > > #syz test: https://github.com/google/kmsan.git 1e76a3e5 This didn't work, let's try with the master: #syz test: https://github.com/google/kmsan.git master > > diff --git a/drivers/usb/storage/alauda.c > b/drivers/usb/storage/alauda.c > index ddab2cd3d2e7..bb309b9ad65b 100644 > --- a/drivers/usb/storage/alauda.c > +++ b/drivers/usb/storage/alauda.c > @@ -452,7 +452,7 @@ static int alauda_init_media(struct us_data *us) > static int alauda_check_media(struct us_data *us) > { > struct alauda_info *info = (struct alauda_info *) us->extra; > - unsigned char status[2]; > + unsigned char *status = us->iobuf; > int rc; > > rc = alauda_get_media_status(us, status); > > -- > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/b8b1e4fef9f3ece63909c38b3302621d76770caa.camel%40gmail.com. -- Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Straße, 33 80636 München Geschäftsführer: Paul Manicle, Halimah DeLaine Prado Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: KMSAN: uninit-value in alauda_check_media
From: syzbot @ 2019-10-11 15:42 UTC
To: glider, gregkh, jaskaransingh7654321, linux-kernel, linux-usb, stern, syzkaller-bugs, usb-storage

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KMSAN: uninit-value in alauda_check_media

=====================================================
BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1138
CPU: 1 PID: 11015 Comm: usb-storage Not tainted 5.4.0-rc2+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x14c/0x2c0 mm/kmsan/kmsan_report.c:110
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:245
 alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:461
 alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1138
 usb_stor_invoke_transport+0xf5/0x27e0 drivers/usb/storage/transport.c:606
 usb_stor_transparent_scsi_command+0x5d/0x70 drivers/usb/storage/protocol.c:108
 usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Local variable description: ----status@alauda_check_media
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 11015 Comm: usb-storage Tainted: G B 5.4.0-rc2+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 panic+0x3c9/0xc1e kernel/panic.c:220
 kmsan_report+0x2b4/0x2c0 mm/kmsan/kmsan_report.c:133
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:245
 alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:461
 alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1138
 usb_stor_invoke_transport+0xf5/0x27e0 drivers/usb/storage/transport.c:606
 usb_stor_transparent_scsi_command+0x5d/0x70 drivers/usb/storage/protocol.c:108
 usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
Kernel Offset: disabled
Rebooting in 86400 seconds..

Tested on:

commit:         c40e5c97 kmsan: drop some dead code in kmsan_shadow.c
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=153ba453600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=49548798e87d32d7
dashboard link: https://syzkaller.appspot.com/bug?extid=e7d46eb426883fb97efd
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
* Re: KMSAN: uninit-value in alauda_check_media
From: Alan Stern @ 2019-10-11 14:08 UTC
To: Jaskaran Singh
Cc: syzbot, glider, gregkh, linux-kernel, linux-usb, syzkaller-bugs, usb-storage

On Fri, 11 Oct 2019, Jaskaran Singh wrote:

> On Mon, 2019-10-07 at 12:39 -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: 1e76a3e5 kmsan: replace __GFP_NO_KMSAN_SHADOW with
> > kmsan_i..
> > git tree: https://github.com/google/kmsan.git master
> > console output:
> > https://syzkaller.appspot.com/x/log.txt?x=1204cc63600000
> > kernel config:
> > https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> > dashboard link:
> > https://syzkaller.appspot.com/bug?extid=e7d46eb426883fb97efd
> > compiler: clang version 9.0.0 (/home/glider/llvm/clang
> > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > syz repro:
> > https://syzkaller.appspot.com/x/repro.syz?x=123c860d600000
> > C reproducer:
> > https://syzkaller.appspot.com/x/repro.c?x=110631b7600000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the
> > commit:
> > Reported-by: syzbot+e7d46eb426883fb97efd@syzkaller.appspotmail.com
> >
> > =====================================================
> > BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0
> > drivers/usb/storage/alauda.c:1137
> > CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine,
> > BIOS
> > Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> > kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
> > __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
> > alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
> > alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
> > usb_stor_invoke_transport+0xf5/0x27e0
> > drivers/usb/storage/transport.c:606
> > usb_stor_transparent_scsi_command+0x5d/0x70
> > drivers/usb/storage/protocol.c:108
> >
usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380 > > kthread+0x4b5/0x4f0 kernel/kthread.c:256 > > ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355 > #syz test: https://github.com/google/kmsan.git 1e76a3e5 > > diff --git a/drivers/usb/storage/alauda.c > b/drivers/usb/storage/alauda.c > index ddab2cd3d2e7..bb309b9ad65b 100644 > --- a/drivers/usb/storage/alauda.c > +++ b/drivers/usb/storage/alauda.c > @@ -452,7 +452,7 @@ static int alauda_init_media(struct us_data *us) > static int alauda_check_media(struct us_data *us) > { > struct alauda_info *info = (struct alauda_info *) us->extra; > - unsigned char status[2]; > + unsigned char *status = us->iobuf; > int rc; > > rc = alauda_get_media_status(us, status); That is absolutely not the correct fix. The problem is that after this call, the code does not check rc to see if an error occurred. If there was an error, the value of status is meaningless so there's no point examining it at all. Now yes, it's true that defining status as an array on the stack is also a bug, since USB transfer buffers are not allowed to be stack variables. And the change you made _is_ the right way to fix that bug. But that is a separate bug, not the one that syzbot found. Alan Stern ^ permalink raw reply [flat|nested] 19+ messages in thread
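The fix Alan describes (check rc before examining status), as an added example that is not code from this thread or from drivers/usb/storage/alauda.c. It is a userland model: struct fake_us, fake_get_media_status(), the FAKE_MEDIA_CHANGED bit and the numeric return-code values are all constructed for the example, and the fake transport behaves like a failed control transfer by returning an error without writing the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Return codes named after usb-storage's USB_STOR_XFER_* / USB_STOR_TRANSPORT_*
 * constants; the numeric values are this example's own, not the kernel's. */
#define USB_STOR_XFER_GOOD        0
#define USB_STOR_XFER_ERROR       1
#define USB_STOR_TRANSPORT_GOOD   0
#define USB_STOR_TRANSPORT_ERROR  1

/* Hypothetical stand-in for struct us_data (constructed for this example). */
struct fake_us {
	unsigned char iobuf[64];     /* plays the role of us->iobuf */
	int device_answers;          /* constructed: 0 = control transfer fails */
	unsigned char dev_status[2]; /* constructed: bytes the device would return */
};

/* Constructed bit in status[0] that this model treats as "media changed";
 * it is not a claim about the real Alauda status format. */
#define FAKE_MEDIA_CHANGED 0x10

/* Fake alauda_get_media_status()/usb_stor_ctrl_transfer(): on failure it
 * returns an error and leaves data untouched, which is the case the KMSAN
 * report is about. */
static int fake_get_media_status(struct fake_us *us, unsigned char *data)
{
	if (!us->device_answers)
		return USB_STOR_XFER_ERROR;
	memcpy(data, us->dev_status, 2);
	return USB_STOR_XFER_GOOD;
}

/* Before: rc is captured but never consulted, so status[] is examined even
 * when the transfer failed and nothing was written into it. */
static int check_media_unchecked(struct fake_us *us, int *media_changed)
{
	unsigned char *status = us->iobuf;
	int rc;

	rc = fake_get_media_status(us, status);
	(void)rc;                                     /* the bug: rc is ignored */
	*media_changed = (status[0] & FAKE_MEDIA_CHANGED) != 0;
	return USB_STOR_TRANSPORT_GOOD;
}

/* After: a failed transfer is reported before status[] is looked at. */
static int check_media_checked(struct fake_us *us, int *media_changed)
{
	unsigned char *status = us->iobuf;
	int rc;

	rc = fake_get_media_status(us, status);
	if (rc != USB_STOR_XFER_GOOD)
		return USB_STOR_TRANSPORT_ERROR;
	*media_changed = (status[0] & FAKE_MEDIA_CHANGED) != 0;
	return USB_STOR_TRANSPORT_GOOD;
}

/* Failed transfer with stale bytes already in iobuf: the unchecked version
 * "sees" a media change that never happened and reports success; the checked
 * version reports a transport error and never touches media_changed.
 * Returns 1 when the model shows exactly that. */
int demo_failed_transfer(void)
{
	struct fake_us us = { .device_answers = 0 };
	int changed_unchecked = -1, changed_checked = -1;
	int rc_unchecked, rc_checked;

	memset(us.iobuf, 0xff, sizeof(us.iobuf));    /* constructed stale contents */
	rc_unchecked = check_media_unchecked(&us, &changed_unchecked);
	rc_checked = check_media_checked(&us, &changed_checked);

	return rc_unchecked == USB_STOR_TRANSPORT_GOOD && changed_unchecked == 1 &&
	       rc_checked == USB_STOR_TRANSPORT_ERROR && changed_checked == -1;
}

/* Successful transfer: both versions agree, so the check costs nothing on
 * the good path. Returns 1 when both report "no change" and success. */
int demo_good_transfer(void)
{
	struct fake_us us = { .device_answers = 1, .dev_status = { 0x00, 0x00 } };
	int a = -1, b = -1;

	return check_media_unchecked(&us, &a) == USB_STOR_TRANSPORT_GOOD &&
	       check_media_checked(&us, &b) == USB_STOR_TRANSPORT_GOOD &&
	       a == 0 && b == 0;
}

int main(void)
{
	printf("failed transfer: unchecked misreads stale data, checked bails out: %s\n",
	       demo_failed_transfer() ? "yes" : "no");
	printf("good transfer: both versions agree: %s\n",
	       demo_good_transfer() ? "yes" : "no");
	return 0;
}
```

The stale 0xff fill stands in for whatever happened to be on the stack (or left in iobuf from an earlier command); in the driver KMSAN flags that read because the bytes were never written by the transfer, and no choice of buffer location makes them meaningful.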
* Re: KMSAN: uninit-value in alauda_check_media
From: Andrey Konovalov @ 2019-10-11 14:18 UTC
To: Alan Stern
Cc: Jaskaran Singh, syzbot, Alexander Potapenko, Greg Kroah-Hartman, LKML, USB list, syzkaller-bugs, usb-storage

On Fri, Oct 11, 2019 at 4:08 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Fri, 11 Oct 2019, Jaskaran Singh wrote:
>
> > On Mon, 2019-10-07 at 12:39 -0700, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: 1e76a3e5 kmsan: replace __GFP_NO_KMSAN_SHADOW with
> > > kmsan_i..
> > > git tree: https://github.com/google/kmsan.git master
> > > console output:
> > > https://syzkaller.appspot.com/x/log.txt?x=1204cc63600000
> > > kernel config:
> > > https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
> > > dashboard link:
> > > https://syzkaller.appspot.com/bug?extid=e7d46eb426883fb97efd
> > > compiler: clang version 9.0.0 (/home/glider/llvm/clang
> > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > syz repro:
> > > https://syzkaller.appspot.com/x/repro.syz?x=123c860d600000
> > > C reproducer:
> > > https://syzkaller.appspot.com/x/repro.c?x=110631b7600000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the
> > > commit:
> > > Reported-by: syzbot+e7d46eb426883fb97efd@syzkaller.appspotmail.com
> > >
> > > =====================================================
> > > BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0
> > > drivers/usb/storage/alauda.c:1137
> > > CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine,
> > > BIOS
> > > Google 01/01/2011
> > > Call Trace:
> > > __dump_stack lib/dump_stack.c:77 [inline]
> > > dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> > > kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
> > > __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
> > > alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
> > > alauda_transport+0x462/0x57f0
drivers/usb/storage/alauda.c:1137 > > > usb_stor_invoke_transport+0xf5/0x27e0 > > > drivers/usb/storage/transport.c:606 > > > usb_stor_transparent_scsi_command+0x5d/0x70 > > > drivers/usb/storage/protocol.c:108 > > > usb_stor_control_thread+0xca6/0x11a0 drivers/usb/storage/usb.c:380 > > > kthread+0x4b5/0x4f0 kernel/kthread.c:256 > > > ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355 > > > > #syz test: https://github.com/google/kmsan.git 1e76a3e5 > > > > diff --git a/drivers/usb/storage/alauda.c > > b/drivers/usb/storage/alauda.c > > index ddab2cd3d2e7..bb309b9ad65b 100644 > > --- a/drivers/usb/storage/alauda.c > > +++ b/drivers/usb/storage/alauda.c > > @@ -452,7 +452,7 @@ static int alauda_init_media(struct us_data *us) > > static int alauda_check_media(struct us_data *us) > > { > > struct alauda_info *info = (struct alauda_info *) us->extra; > > - unsigned char status[2]; > > + unsigned char *status = us->iobuf; > > int rc; > > > > rc = alauda_get_media_status(us, status); [...] > Now yes, it's true that defining status as an array on the stack is > also a bug, since USB transfer buffers are not allowed to be stack > variables. Hi Alan, I'm curious, what is the reason for disallowing that? Should we try to somehow detect such cases automatically? Thanks! ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: KMSAN: uninit-value in alauda_check_media
From: Alan Stern @ 2019-10-11 14:53 UTC
To: Andrey Konovalov
Cc: Jaskaran Singh, syzbot, Alexander Potapenko, Greg Kroah-Hartman, LKML, USB list, syzkaller-bugs, usb-storage

On Fri, 11 Oct 2019, Andrey Konovalov wrote:

> On Fri, Oct 11, 2019 at 4:08 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> > Now yes, it's true that defining status as an array on the stack is
> > also a bug, since USB transfer buffers are not allowed to be stack
> > variables.
>
> Hi Alan,
>
> I'm curious, what is the reason for disallowing that? Should we try to
> somehow detect such cases automatically?

Transfer buffers are read and written by DMA. On systems that don't
have cache-coherent DMA controllers, it is essential that the CPU does
not access any cache line involved in a DMA transfer while the transfer
is in progress. Otherwise the data in the cache would be different
from the data in the buffer, leading to corruption.

(In theory it would be okay for the CPU to read (not write!) a cache
line assigned to a buffer for a DMA write (not read!) transfer. But
even doing that isn't really a good idea.)

(Also, this isn't an issue for x86 architectures, because x86 has
cache-coherent DMA. But it is an issue on other architectures.)

In practice, this means transfer buffers have to be allocated by
something like kmalloc, so that they occupy their own separate set of
cache lines. Buffers on the stack obviously don't satisfy this
requirement.

At some point there was a discussion about automatically detecting when
on-stack (or otherwise invalid) buffers are used for DMA transfers. I
don't recall what the outcome was.

Alan Stern
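Alan's cache-coherence argument, as an added toy model that is not kernel code and uses none of the Linux DMA API. A one-line write-back cache in front of a byte array stands in for a CPU without coherent DMA, dma_write() stands in for the device writing memory behind the cache's back, and the two scenarios (a status buffer sharing a cache line with a live local, versus a buffer that owns its own line) are constructed for this example; the line size, addresses and device bytes are made up.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define LINE_SIZE 8
#define NLINES    4
#define MEM_SIZE  (NLINES * LINE_SIZE)

/* "RAM" as the device sees it; DMA writes land here directly. */
static uint8_t ram[MEM_SIZE];

/* A one-line write-back, write-allocate CPU cache (constructed model). */
struct cache {
	int valid, dirty;
	unsigned line;
	uint8_t data[LINE_SIZE];
};

static void cache_writeback(struct cache *c)
{
	if (c->valid && c->dirty)
		memcpy(&ram[c->line * LINE_SIZE], c->data, LINE_SIZE);
	c->dirty = 0;
}

/* Bring the line holding addr into the cache, evicting (and writing back)
 * whatever was there before. */
static void cache_fill(struct cache *c, unsigned addr)
{
	unsigned line = addr / LINE_SIZE;

	if (c->valid && c->line == line)
		return;
	cache_writeback(c);
	c->valid = 1;
	c->line = line;
	memcpy(c->data, &ram[line * LINE_SIZE], LINE_SIZE);
}

static uint8_t cpu_read(struct cache *c, unsigned addr)
{
	cache_fill(c, addr);
	return c->data[addr % LINE_SIZE];
}

static void cpu_write(struct cache *c, unsigned addr, uint8_t v)
{
	cache_fill(c, addr);
	c->data[addr % LINE_SIZE] = v;
	c->dirty = 1;
}

/* The device writes RAM behind the cache's back (no coherency). */
static void dma_write(unsigned addr, const uint8_t *src, unsigned n)
{
	memcpy(&ram[addr], src, n);
}

/* What a "sync for CPU" after a device-to-memory transfer does on such a
 * system: drop the cached copy of the buffer's line so the CPU re-reads RAM. */
static void cache_invalidate(struct cache *c, unsigned addr)
{
	if (c->valid && c->line == addr / LINE_SIZE)
		c->valid = c->dirty = 0;
}

/* Stack-like layout: the 2-byte status buffer shares line 0 with a counter
 * the CPU keeps updating while the transfer is in flight. Returns 1 when the
 * model shows both the stale read and the clobbered RAM. */
int stack_buffer_scenario(void)
{
	struct cache c = { 0 };
	const uint8_t dev[2] = { 0x12, 0x34 };  /* constructed device report */
	const unsigned status = 0, counter = 4; /* both inside line 0 */
	int stale, clobbered;

	memset(ram, 0, sizeof(ram));
	cpu_write(&c, counter, 1);     /* line 0 is now cached and dirty */
	dma_write(status, dev, 2);     /* device completes: RAM has 12 34, cache still 00 00 */
	stale = cpu_read(&c, status) != 0x12;    /* CPU reads the stale cached line */
	cpu_read(&c, 3 * LINE_SIZE);   /* unrelated access evicts line 0: dirty zeros overwrite RAM */
	clobbered = ram[status] != 0x12;
	return stale && clobbered;
}

/* kmalloc-like layout: the buffer owns line 2 and the CPU never touches that
 * line during the transfer; an invalidate before reading makes the device's
 * bytes visible. Returns 1 when the data is read correctly and RAM is intact. */
int own_line_scenario(void)
{
	struct cache c = { 0 };
	const uint8_t dev[2] = { 0x12, 0x34 };
	const unsigned status = 2 * LINE_SIZE, counter = 4;
	int ok;

	memset(ram, 0, sizeof(ram));
	cpu_write(&c, counter, 1);     /* CPU works in line 0 only */
	dma_write(status, dev, 2);
	cache_invalidate(&c, status);  /* no-op here: line 2 was never cached */
	ok = cpu_read(&c, status) == 0x12 && cpu_read(&c, status + 1) == 0x34;
	cpu_read(&c, counter);         /* evicting line 2 is clean; nothing stale is written back */
	return ok && ram[status] == 0x12 && ram[counter] == 1;
}

int main(void)
{
	printf("buffer sharing a line with live data: corruption seen = %d\n",
	       stack_buffer_scenario());
	printf("buffer owning its line: data intact = %d\n", own_line_scenario());
	return 0;
}
```

The model is deliberately minimal (one cache line, no invalidate-before-DMA step) so that the two effects Alan names are visible in isolation: the CPU reading its own stale copy instead of the device's bytes, and a later dirty write-back silently overwriting what the device delivered. A buffer that owns its cache lines avoids both because the CPU has no reason to touch those lines while the transfer is in progress.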
* Re: KMSAN: uninit-value in alauda_check_media
From: Greg Kroah-Hartman @ 2019-10-11 15:06 UTC
To: Alan Stern
Cc: Andrey Konovalov, Jaskaran Singh, syzbot, Alexander Potapenko, LKML, USB list, syzkaller-bugs, usb-storage

On Fri, Oct 11, 2019 at 10:53:47AM -0400, Alan Stern wrote:
> On Fri, 11 Oct 2019, Andrey Konovalov wrote:
>
> > On Fri, Oct 11, 2019 at 4:08 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> > > Now yes, it's true that defining status as an array on the stack is
> > > also a bug, since USB transfer buffers are not allowed to be stack
> > > variables.
> >
> > Hi Alan,
> >
> > I'm curious, what is the reason for disallowing that? Should we try to
> > somehow detect such cases automatically?
>
> Transfer buffers are read and written by DMA. On systems that don't
> have cache-coherent DMA controllers, it is essential that the CPU does
> not access any cache line involved in a DMA transfer while the transfer
> is in progress. Otherwise the data in the cache would be different
> from the data in the buffer, leading to corruption.
>
> (In theory it would be okay for the CPU to read (not write!) a cache
> line assigned to a buffer for a DMA write (not read!) transfer. But
> even doing that isn't really a good idea.)
>
> (Also, this isn't an issue for x86 architectures, because x86 has
> cache-coherent DMA. But it is an issue on other architectures.)
>
> In practice, this means transfer buffers have to be allocated by
> something like kmalloc, so that they occupy their own separate set of
> cache lines. Buffers on the stack obviously don't satisfy this
> requirement.
>
> At some point there was a discussion about automatically detecting when
> on-stack (or otherwise invalid) buffers are used for DMA transfers. I
> don't recall what the outcome was.

A patchset from Kees was sent, but it needs a bit more work...

thanks,

greg k-h
* Re: KMSAN: uninit-value in alauda_check_media
From: Andrey Konovalov @ 2019-10-14 12:56 UTC
To: Greg Kroah-Hartman
Cc: Alan Stern, Jaskaran Singh, syzbot, Alexander Potapenko, LKML, USB list, syzkaller-bugs, usb-storage

On Fri, Oct 11, 2019 at 5:06 PM Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> On Fri, Oct 11, 2019 at 10:53:47AM -0400, Alan Stern wrote:
> > On Fri, 11 Oct 2019, Andrey Konovalov wrote:
> >
> > > On Fri, Oct 11, 2019 at 4:08 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> > > > Now yes, it's true that defining status as an array on the stack is
> > > > also a bug, since USB transfer buffers are not allowed to be stack
> > > > variables.
> > >
> > > Hi Alan,
> > >
> > > I'm curious, what is the reason for disallowing that? Should we try to
> > > somehow detect such cases automatically?
> >
> > Transfer buffers are read and written by DMA. On systems that don't
> > have cache-coherent DMA controllers, it is essential that the CPU does
> > not access any cache line involved in a DMA transfer while the transfer
> > is in progress. Otherwise the data in the cache would be different
> > from the data in the buffer, leading to corruption.
> >
> > (In theory it would be okay for the CPU to read (not write!) a cache
> > line assigned to a buffer for a DMA write (not read!) transfer. But
> > even doing that isn't really a good idea.)
> >
> > (Also, this isn't an issue for x86 architectures, because x86 has
> > cache-coherent DMA. But it is an issue on other architectures.)
> >
> > In practice, this means transfer buffers have to be allocated by
> > something like kmalloc, so that they occupy their own separate set of
> > cache lines. Buffers on the stack obviously don't satisfy this
> > requirement.
> >
> > At some point there was a discussion about automatically detecting when
> > on-stack (or otherwise invalid) buffers are used for DMA transfers. I
> > don't recall what the outcome was.
>
> A patchset from Kees was sent, but it needs a bit more work...

Hi Greg,

Could you send a link to the patchset?

Thanks!
* Re: KMSAN: uninit-value in alauda_check_media
From: syzbot @ 2019-10-11 15:24 UTC
To: glider, gregkh, jaskaransingh7654321, linux-kernel, linux-usb, stern, syzkaller-bugs, usb-storage

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KMSAN: uninit-value in sd_revalidate_disk

=====================================================
BUG: KMSAN: uninit-value in check_disk_change+0x423/0x4b0 fs/block_dev.c:1499
CPU: 1 PID: 23508 Comm: scsi_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
 media_not_present drivers/scsi/sd.c:1527 [inline]
 sd_spinup_disk drivers/scsi/sd.c:2096 [inline]
 sd_revalidate_disk+0x4d2/0xbef0 drivers/scsi/sd.c:3114
 check_disk_change+0x423/0x4b0 fs/block_dev.c:1499
 sd_open+0x471/0x8e0 drivers/scsi/sd.c:1356
 __blkdev_get+0x4a8/0x2480 fs/block_dev.c:1569
 blkdev_get+0x228/0x6d0 fs/block_dev.c:1707
 blkdev_open+0x36b/0x490 fs/block_dev.c:1846
 do_dentry_open+0xda7/0x1810 fs/open.c:797
 vfs_open+0xaf/0xe0 fs/open.c:906
 do_last fs/namei.c:3416 [inline]
 path_openat+0x17f4/0x6bb0 fs/namei.c:3533
 do_filp_open+0x2b8/0x710 fs/namei.c:3563
 do_sys_open+0x642/0xa30 fs/open.c:1089
 __do_sys_open fs/open.c:1107 [inline]
 __se_sys_open+0xad/0xc0 fs/open.c:1102
 __x64_sys_open+0x4a/0x70 fs/open.c:1102
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x7f7c9e529120
Code: 48 8b 15 1b 4d 2b 00 f7 d8 64 89 02 83 c8 ff c3 90 90 90 90 90 90 90 90 90 90 83 3d d5 a4 2b 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 5e 8c 01 00 48 89 04 24
RSP: 002b:00007fff97dee0a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fff97dee5c0 RCX: 00007f7c9e529120
RDX: 00007fff97dee3c0 RSI: 0000000000000800 RDI: 00007fff97dee3c0
RBP: 00000000017ac010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff97dee5c0
R13: 00007fff97dee3c0 R14: 00000000017ac010 R15: 0000000000000000

Local variable description: ----sshdr.i@sd_revalidate_disk
Variable was created at:
 sd_spinup_disk drivers/scsi/sd.c:3108 [inline]
 sd_revalidate_disk+0x2d3/0xbef0 drivers/scsi/sd.c:3114
 check_disk_change+0x423/0x4b0 fs/block_dev.c:1499
=====================================================

Tested on:

commit:         1e76a3e5 kmsan: replace __GFP_NO_KMSAN_SHADOW with kmsan_i..
git tree:       https://github.com/google/kmsan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=144fd0a0e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f03c659d0830ab8d
dashboard link: https://syzkaller.appspot.com/bug?extid=e7d46eb426883fb97efd
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=110434ab600000
* Re: KMSAN: uninit-value in alauda_check_media 2019-10-07 19:39 KMSAN: uninit-value in alauda_check_media syzbot 2019-10-11 11:23 ` Jaskaran Singh @ 2021-12-28 7:47 ` Christophe JAILLET 2021-12-28 7:47 ` syzbot 2021-12-28 22:49 ` Alan Stern 2021-12-28 8:01 ` Christophe JAILLET 2 siblings, 2 replies; 19+ messages in thread From: Christophe JAILLET @ 2021-12-28 7:47 UTC (permalink / raw) To: syzbot+e7d46eb426883fb97efd Cc: glider, gregkh, linux-kernel, linux-usb, stern, syzkaller-bugs, usb-storage, Kernel Janitors [-- Attachment #1: Type: text/plain, Size: 515 bytes --] Hi, (2nd try - text only format - sorry for the noise) first try to use syzbot. I hope I do it right. Discussion about the syz report can be found at https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d@google.com/ This patch only test if alauda_get_media_status() (and its embedded usb_stor_ctrl_transfer()) before using the data. In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere. #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master CJ [-- Attachment #2: patch_alauda.c --] [-- Type: text/x-csrc, Size: 983 bytes --] diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c index 20b857e97e60..6c486d964911 100644 --- a/drivers/usb/storage/alauda.c +++ b/drivers/usb/storage/alauda.c @@ -318,7 +318,8 @@ static int alauda_get_media_status(struct us_data *us, unsigned char *data) rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe, command, 0xc0, 0, 1, data, 2); - usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); + if (rc == USB_STOR_XFER_GOOD) + usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); return rc; } 
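Review bot: guarding the usb_stor_dbg() call removes the uninitialized read inside alauda_get_media_status() itself, but data[0] and data[1] are still left untouched whenever usb_stor_ctrl_transfer() fails, so the rule "data is only valid when the return value is USB_STOR_XFER_GOOD" now rests entirely on every caller remembering to test rc; either state that contract in a one-line comment above the function, or zero the two bytes before the transfer so a caller that ignores rc at least reads defined values. Note also that the function passes the USB_STOR_XFER_* code straight through (`return rc;`), so callers must compare against that namespace and not against the USB_STOR_TRANSPORT_* codes.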
@@ -453,8 +454,11 @@ static int alauda_check_media(struct us_data *us) { struct alauda_info *info = (struct alauda_info *) us->extra; unsigned char status[2]; + int rc; - alauda_get_media_status(us, status); + rc = alauda_get_media_status(us, status); + if (rc != USB_STOR_TRANSPORT_GOOD) + return USB_STOR_TRANSPORT_ERROR; /* Check for no media or door open */ if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10) ^ permalink raw reply related [flat|nested] 19+ messages in thread
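Review bot: the return value is compared against USB_STOR_TRANSPORT_GOOD here, while the first hunk compares the very same rc, which alauda_get_media_status() returns unchanged from usb_stor_ctrl_transfer(), against USB_STOR_XFER_GOOD; both constants happen to be 0, so the test works by coincidence, but it should read `if (rc != USB_STOR_XFER_GOOD)` so the two checks use the namespace the transfer routine actually returns. While this function is being touched, `unsigned char status[2]` is a stack buffer handed to a USB control transfer; as the thread points out, the other callers of alauda_get_media_status() use `us->iobuf`, the DMA-safe buffer kept for exactly this purpose, so `unsigned char *status = us->iobuf;` would address the stack-DMA issue alongside the uninit-value report.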
* Re: KMSAN: uninit-value in alauda_check_media 2021-12-28 7:47 ` Christophe JAILLET @ 2021-12-28 7:47 ` syzbot 2021-12-28 22:49 ` Alan Stern 1 sibling, 0 replies; 19+ messages in thread From: syzbot @ 2021-12-28 7:47 UTC (permalink / raw) To: Christophe JAILLET Cc: christophe.jaillet, glider, gregkh, kernel-janitors, linux-kernel, linux-usb, stern, syzkaller-bugs, usb-storage > Hi, > > (2nd try - text only format - sorry for the noise) > > > first try to use syzbot. I hope I do it right. > Discussion about the syz report can be found at > https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d@google.com/ > > This patch only test if alauda_get_media_status() (and its embedded > usb_stor_ctrl_transfer()) before using the data. > In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere. > > #syz test: KMSAN bugs can only be tested on https://github.com/google/kmsan.git tree because KMSAN tool is not upstreamed yet. See https://goo.gl/tpsmEJ#kmsan-bugs for details. > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master > > CJ > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: KMSAN: uninit-value in alauda_check_media 2021-12-28 7:47 ` Christophe JAILLET 2021-12-28 7:47 ` syzbot @ 2021-12-28 22:49 ` Alan Stern 2021-12-29 9:16 ` Christophe JAILLET 1 sibling, 1 reply; 19+ messages in thread From: Alan Stern @ 2021-12-28 22:49 UTC (permalink / raw) To: Christophe JAILLET Cc: syzbot+e7d46eb426883fb97efd, glider, gregkh, linux-kernel, linux-usb, syzkaller-bugs, usb-storage, Kernel Janitors On Tue, Dec 28, 2021 at 08:47:15AM +0100, Christophe JAILLET wrote: > Hi, > > (2nd try - text only format - sorry for the noise) > > > first try to use syzbot. I hope I do it right. > Discussion about the syz report can be found at > https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d@google.com/ > > This patch only test if alauda_get_media_status() (and its embedded > usb_stor_ctrl_transfer()) before using the data. > In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere. > > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git > master > > CJ > > diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c > index 20b857e97e60..6c486d964911 100644 > --- a/drivers/usb/storage/alauda.c > +++ b/drivers/usb/storage/alauda.c > @@ -318,7 +318,8 @@ static int alauda_get_media_status(struct us_data *us, unsigned char *data) > rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe, > command, 0xc0, 0, 1, data, 2); > > - usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); > + if (rc == USB_STOR_XFER_GOOD) > + usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); Instead of adding this test, you could initialize data[0] and data[1] to zero before the call to usb_stor_ctrl_transfer. > > return rc; > } 
> @@ -453,8 +454,11 @@ static int alauda_check_media(struct us_data *us) > { > struct alauda_info *info = (struct alauda_info *) us->extra; > unsigned char status[2]; > + int rc; > > - alauda_get_media_status(us, status); > + rc = alauda_get_media_status(us, status); > + if (rc != USB_STOR_TRANSPORT_GOOD) > + return USB_STOR_TRANSPORT_ERROR; > > /* Check for no media or door open */ > if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10) In general this looks fine. Let us know when you are ready to submit the patch. Alan Stern ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: KMSAN: uninit-value in alauda_check_media 2021-12-28 22:49 ` Alan Stern @ 2021-12-29 9:16 ` Christophe JAILLET 2021-12-29 16:45 ` Alan Stern 0 siblings, 1 reply; 19+ messages in thread From: Christophe JAILLET @ 2021-12-29 9:16 UTC (permalink / raw) To: Alan Stern Cc: glider, gregkh, linux-kernel, linux-usb, syzkaller-bugs, usb-storage, Kernel Janitors Le 28/12/2021 à 23:49, Alan Stern a écrit : > On Tue, Dec 28, 2021 at 08:47:15AM +0100, Christophe JAILLET wrote: >> Hi, >> >> (2nd try - text only format - sorry for the noise) >> >> >> first try to use syzbot. I hope I do it right. >> Discussion about the syz report can be found at >> https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d@google.com/ >> >> This patch only test if alauda_get_media_status() (and its embedded >> usb_stor_ctrl_transfer()) before using the data. >> In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere. >> >> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git >> master >> >> CJ >> > >> diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c >> index 20b857e97e60..6c486d964911 100644 >> --- a/drivers/usb/storage/alauda.c >> +++ b/drivers/usb/storage/alauda.c 
>> @@ -318,7 +318,8 @@ static int alauda_get_media_status(struct us_data *us, unsigned char *data) >> rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe, >> command, 0xc0, 0, 1, data, 2); >> >> - usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); >> + if (rc == USB_STOR_XFER_GOOD) >> + usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); > > Instead of adding this test, you could initialize data[0] and data[1] > to zero before the call to usb_stor_ctrl_transfer. Well, having the test is cleaner, IMHO. If usb_stor_ctrl_transfer() fails, a message explaining the reason is already generated by the same usb_stor_dbg(). Having an error message followed by another one stating that the Media Status is 0x00 0x00 could be confusing I think. Let me know if you have a real preference for a memset(data, 0, 2). If so, I'll add it. > >> >> return rc; >> } >> @@ -453,8 +454,11 @@ static int alauda_check_media(struct us_data *us) >> { >> struct alauda_info *info = (struct alauda_info *) us->extra; >> unsigned char status[2]; >> + int rc; >> >> - alauda_get_media_status(us, status); >> + rc = alauda_get_media_status(us, status); >> + if (rc != USB_STOR_TRANSPORT_GOOD) >> + return USB_STOR_TRANSPORT_ERROR; >> >> /* Check for no media or door open */ >> if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10) > > In general this looks fine. Let us know when you are ready to submit > the patch. I was unsure that this patch would get any interest because the driver looks old. That's why I first tried to play with syzbot :) In the syzbot history, you also mentioned that 'unsigned char status[2]' should be 'unsigned char *status = us->iobuf;' This is more a blind fix for me, but it looks consistent with other places that call alauda_get_media_status(). So, once you confirm if you prefer my 'if' or a 'memset', I'll resend a small serie for fixing both issues. CJ > > Alan Stern > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: KMSAN: uninit-value in alauda_check_media 2021-12-29 9:16 ` Christophe JAILLET @ 2021-12-29 16:45 ` Alan Stern 0 siblings, 0 replies; 19+ messages in thread From: Alan Stern @ 2021-12-29 16:45 UTC (permalink / raw) To: Christophe JAILLET Cc: glider, gregkh, linux-kernel, linux-usb, syzkaller-bugs, usb-storage, Kernel Janitors On Wed, Dec 29, 2021 at 10:16:22AM +0100, Christophe JAILLET wrote: > Le 28/12/2021 à 23:49, Alan Stern a écrit : > > On Tue, Dec 28, 2021 at 08:47:15AM +0100, Christophe JAILLET wrote: > > > Hi, > > > > > > (2nd try - text only format - sorry for the noise) > > > > > > > > > first try to use syzbot. I hope I do it right. > > > Discussion about the syz report can be found at > > > https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d@google.com/ > > > > > > This patch only test if alauda_get_media_status() (and its embedded > > > usb_stor_ctrl_transfer()) before using the data. > > > In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere. > > > > > > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git > > > master > > > > > > CJ > > > > > > > > diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c > > > index 20b857e97e60..6c486d964911 100644 > > > --- a/drivers/usb/storage/alauda.c > > > +++ b/drivers/usb/storage/alauda.c 
> > > @@ -318,7 +318,8 @@ static int alauda_get_media_status(struct us_data *us, unsigned char *data) > > > rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe, > > > command, 0xc0, 0, 1, data, 2); > > > - usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); > > > + if (rc == USB_STOR_XFER_GOOD) > > > + usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); > > > > Instead of adding this test, you could initialize data[0] and data[1] > > to zero before the call to usb_stor_ctrl_transfer. > > Well, having the test is cleaner, IMHO. > If usb_stor_ctrl_transfer() fails, a message explaining the reason is > already generated by the same usb_stor_dbg(). Having an error message > followed by another one stating that the Media Status is 0x00 0x00 could be > confusing I think. > > Let me know if you have a real preference for a memset(data, 0, 2). > If so, I'll add it. > > > > > > return rc; > > > } 
> > > @@ -453,8 +454,11 @@ static int alauda_check_media(struct us_data *us) > > > { > > > struct alauda_info *info = (struct alauda_info *) us->extra; > > > unsigned char status[2]; > > > + int rc; > > > - alauda_get_media_status(us, status); > > > + rc = alauda_get_media_status(us, status); > > > + if (rc != USB_STOR_TRANSPORT_GOOD) > > > + return USB_STOR_TRANSPORT_ERROR; > > > /* Check for no media or door open */ > > > if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10) > > > > In general this looks fine. Let us know when you are ready to submit > > the patch. > > I was unsure that this patch would get any interest because the driver looks > old. That's why I first tried to play with syzbot :) It is indeed old. I doubt very many devices of this type are still in use. > In the syzbot history, you also mentioned that 'unsigned char status[2]' > should be 'unsigned char *status = us->iobuf;' > > This is more a blind fix for me, but it looks consistent with other places > that call alauda_get_media_status(). > > So, once you confirm if you prefer my 'if' or a 'memset', I'll resend a > small serie for fixing both issues. "if" and "memset" are both acceptable. You can use either one. Alan Stern ^ permalink raw reply [flat|nested] 19+ messages in thread
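The two fixes weighed above (test the transfer's return code before reading the buffer, or zero the buffer first) behave differently when the status request fails. The following is an added example written for this page, not code from the kernel tree or from the posted patch: it simulates the alauda_check_media() pattern with a fake device and a fake control transfer (every sim_* name and the three sample devices are constructed for the example), keeps the kernel's numbering for the USB_STOR_* codes so the XFER and TRANSPORT namespaces can be compared, and shows that the unpatched shape's media decision follows whatever the stack held, the rc-checking shape turns a stalled request into USB_STOR_TRANSPORT_ERROR, and the zeroing shape quietly reports "media present" on the same failure.

```c
/*
 * Added example for this thread, not kernel code and not the patch under
 * review. Models alauda_check_media(): a two-byte media-status read whose
 * buffer is written only when the control transfer succeeds. The device and
 * the transfer routine are simulated; sim_* names and the sample devices are
 * made up here. USB_STOR_* values mirror the kernel's numbering.
 */
#include <stdio.h>
#include <string.h>

/* usb_stor_ctrl_transfer() result codes (include/linux/usb/storage.h) */
#define USB_STOR_XFER_GOOD      0
#define USB_STOR_XFER_STALLED   2

/* transport-level result codes (drivers/usb/storage/transport.h) */
#define USB_STOR_TRANSPORT_GOOD   0
#define USB_STOR_TRANSPORT_FAILED 1
#define USB_STOR_TRANSPORT_ERROR  3

/* Simulated device: answers the status request, or stalls it. */
struct sim_dev {
	int stall;               /* 1: request fails and data[] is left untouched */
	unsigned char status[2]; /* bytes returned when the request succeeds */
};

/* Constructed sample devices used by main() and by the assertions. */
static struct sim_dev sim_dev_stalls   = { 1, { 0x00, 0x00 } };
static struct sim_dev sim_dev_present  = { 0, { 0x00, 0x00 } };
static struct sim_dev sim_dev_no_media = { 0, { 0x90, 0x00 } }; /* no-media bit set */

/* Stand-in for usb_stor_ctrl_transfer(): fills data[] only on success. */
static int sim_ctrl_transfer(struct sim_dev *dev, unsigned char *data, size_t len)
{
	if (dev->stall)
		return USB_STOR_XFER_STALLED;
	memcpy(data, dev->status, len);
	return USB_STOR_XFER_GOOD;
}

/* The driver's test: bit 7 set, or low five bits == 0x10, means no media. */
static int media_absent(const unsigned char *status)
{
	return (status[0] & 0x80) || ((status[0] & 0x1F) == 0x10);
}

/*
 * Unpatched shape: rc is dropped and status[] is read regardless. 'leftover'
 * stands for whatever the stack frame held; this is the read KMSAN reports.
 */
static int check_media_unpatched(struct sim_dev *dev, unsigned char leftover)
{
	unsigned char status[2] = { leftover, leftover };

	sim_ctrl_transfer(dev, status, sizeof(status));
	return media_absent(status) ? USB_STOR_TRANSPORT_FAILED
				    : USB_STOR_TRANSPORT_GOOD;
}

/* Fix A, the shape of the posted patch: test rc and bail out before reading. */
static int check_media_check_rc(struct sim_dev *dev, unsigned char leftover)
{
	unsigned char status[2] = { leftover, leftover };
	int rc;

	rc = sim_ctrl_transfer(dev, status, sizeof(status));
	if (rc != USB_STOR_XFER_GOOD) /* the code the transfer routine returns */
		return USB_STOR_TRANSPORT_ERROR;
	return media_absent(status) ? USB_STOR_TRANSPORT_FAILED
				    : USB_STOR_TRANSPORT_GOOD;
}

/* Fix B, the alternative raised in the thread: zero the buffer first. */
static int check_media_zeroed(struct sim_dev *dev, unsigned char leftover)
{
	unsigned char status[2];

	(void)leftover;                    /* the memset makes old stack bytes irrelevant */
	memset(status, 0, sizeof(status));
	sim_ctrl_transfer(dev, status, sizeof(status));
	return media_absent(status) ? USB_STOR_TRANSPORT_FAILED
				    : USB_STOR_TRANSPORT_GOOD;
}

int main(void)
{
	/* On a stalled request the unpatched result follows the stack leftovers. */
	printf("unpatched, stall, leftover 0x00 -> %d\n",
	       check_media_unpatched(&sim_dev_stalls, 0x00));
	printf("unpatched, stall, leftover 0x80 -> %d\n",
	       check_media_unpatched(&sim_dev_stalls, 0x80));
	printf("check_rc,  stall               -> %d\n",
	       check_media_check_rc(&sim_dev_stalls, 0x80));
	printf("zeroed,    stall               -> %d\n",
	       check_media_zeroed(&sim_dev_stalls, 0x80));
	printf("check_rc,  no media            -> %d\n",
	       check_media_check_rc(&sim_dev_no_media, 0x00));
	return 0;
}
```

With a stalled device the unpatched routine returns GOOD or FAILED depending only on the bytes already in the frame, which is the non-determinism behind the KMSAN report; the rc-checking variant reports TRANSPORT_ERROR, and the zeroing variant reads 00 00 and concludes media is present, the misleading outcome the thread worries about. The stack-buffer versus us->iobuf question is outside what this simulation can show.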
* Re: KMSAN: uninit-value in alauda_check_media 2019-10-07 19:39 KMSAN: uninit-value in alauda_check_media syzbot 2019-10-11 11:23 ` Jaskaran Singh 2021-12-28 7:47 ` Christophe JAILLET @ 2021-12-28 8:01 ` Christophe JAILLET 2021-12-28 11:10 ` [syzbot] " syzbot 2 siblings, 1 reply; 19+ messages in thread From: Christophe JAILLET @ 2021-12-28 8:01 UTC (permalink / raw) To: syzbot+e7d46eb426883fb97efd; +Cc: linux-kernel [-- Attachment #1: Type: text/plain, Size: 562 bytes --] Hi, (3rd try - text only format, other git repo to please syzbot - sorry for the noise) first try (ok, 3rd...) to use syzbot. I hope I do it right. Discussion about the syz report can be found at https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org/ This patch only test if alauda_get_media_status() (and its embedded usb_stor_ctrl_transfer()) before using the data. In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere. #syz test: https://github.com/google/kmsan.git master CJ [-- Attachment #2: patch_alauda.c --] [-- Type: text/x-csrc, Size: 983 bytes --] diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c index 20b857e97e60..6c486d964911 100644 --- a/drivers/usb/storage/alauda.c +++ b/drivers/usb/storage/alauda.c @@ -318,7 +318,8 @@ static int alauda_get_media_status(struct us_data *us, unsigned char *data) rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe, command, 0xc0, 0, 1, data, 2); - usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); + if (rc == USB_STOR_XFER_GOOD) + usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); return rc; } 
@@ -453,8 +454,11 @@ static int alauda_check_media(struct us_data *us) { struct alauda_info *info = (struct alauda_info *) us->extra; unsigned char status[2]; + int rc; - alauda_get_media_status(us, status); + rc = alauda_get_media_status(us, status); + if (rc != USB_STOR_TRANSPORT_GOOD) + return USB_STOR_TRANSPORT_ERROR; /* Check for no media or door open */ if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10) ^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [syzbot] KMSAN: uninit-value in alauda_check_media 2021-12-28 8:01 ` Christophe JAILLET @ 2021-12-28 11:10 ` syzbot 0 siblings, 0 replies; 19+ messages in thread From: syzbot @ 2021-12-28 11:10 UTC (permalink / raw) To: christophe.jaillet, glider, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KMSAN: uninit-value in scsi_mode_sense sd 2:0:0:0: [sdd] 0 512-byte logical blocks: (0 B/0 B) sd 2:0:0:0: [sdd] 0-byte physical blocks ===================================================== BUG: KMSAN: uninit-value in scsi_mode_sense+0x1046/0x16d0 drivers/scsi/scsi_lib.c:2200 scsi_mode_sense+0x1046/0x16d0 drivers/scsi/scsi_lib.c:2200 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 
__blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== ===================================================== BUG: KMSAN: uninit-value in set_disk_ro+0x2ab/0x310 block/genhd.c:1413 set_disk_ro+0x2ab/0x310 block/genhd.c:1413 sd_read_write_protect_flag drivers/scsi/sd.c:2712 [inline] sd_revalidate_disk+0x5697/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: scsi_mode_sense+0x1656/0x16d0 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: 
memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] 
scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== ===================================================== BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:638 [inline] BUG: KMSAN: uninit-value in string+0x4ec/0x6f0 lib/vsprintf.c:720 string_nocheck lib/vsprintf.c:638 [inline] string+0x4ec/0x6f0 lib/vsprintf.c:720 vsnprintf+0x2222/0x3650 lib/vsprintf.c:2805 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73 sd_read_write_protect_flag drivers/scsi/sd.c:2714 [inline] sd_revalidate_disk+0x597c/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: sd_read_write_protect_flag drivers/scsi/sd.c:2711 [inline] sd_revalidate_disk+0x5b19/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: scsi_mode_sense+0x1656/0x16d0 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 
block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 
bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== ===================================================== BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:638 [inline] BUG: KMSAN: uninit-value in string+0x4ec/0x6f0 lib/vsprintf.c:720 string_nocheck lib/vsprintf.c:638 [inline] string+0x4ec/0x6f0 lib/vsprintf.c:720 vsnprintf+0x2222/0x3650 lib/vsprintf.c:2805 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73 sd_read_write_protect_flag drivers/scsi/sd.c:2714 [inline] sd_revalidate_disk+0x597c/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: sd_read_write_protect_flag drivers/scsi/sd.c:2711 [inline] sd_revalidate_disk+0x5b19/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 
drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: scsi_mode_sense+0x1656/0x16d0 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 
blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== ===================================================== BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:638 [inline] BUG: KMSAN: uninit-value in string+0x4ec/0x6f0 lib/vsprintf.c:720 string_nocheck lib/vsprintf.c:638 [inline] string+0x4ec/0x6f0 lib/vsprintf.c:720 vsnprintf+0x2222/0x3650 lib/vsprintf.c:2805 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73 sd_read_write_protect_flag drivers/scsi/sd.c:2714 [inline] sd_revalidate_disk+0x597c/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: sd_read_write_protect_flag drivers/scsi/sd.c:2711 [inline] sd_revalidate_disk+0x5b19/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 
kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: scsi_mode_sense+0x1656/0x16d0 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 
__driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== ===================================================== BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:638 [inline] BUG: KMSAN: uninit-value in string+0x4ec/0x6f0 lib/vsprintf.c:720 string_nocheck lib/vsprintf.c:638 
[inline] string+0x4ec/0x6f0 lib/vsprintf.c:720 vsnprintf+0x2222/0x3650 lib/vsprintf.c:2805 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73 sd_read_write_protect_flag drivers/scsi/sd.c:2714 [inline] sd_revalidate_disk+0x597c/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: sd_read_write_protect_flag drivers/scsi/sd.c:2711 [inline] sd_revalidate_disk+0x5b19/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: scsi_mode_sense+0x1656/0x16d0 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 
drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 
kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== sd 2:0:0:0: [sdd] Write Protect is off ===================================================== BUG: KMSAN: uninit-value in hex_string+0x92b/0xa40 lib/vsprintf.c:1179 hex_string+0x92b/0xa40 lib/vsprintf.c:1179 pointer+0x3ae/0x2060 lib/vsprintf.c:2407 vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2809 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73 sd_read_write_protect_flag drivers/scsi/sd.c:2716 [inline] sd_revalidate_disk+0x5afc/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 
drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 
kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== ===================================================== BUG: KMSAN: uninit-value in hex_string+0x962/0xa40 lib/vsprintf.c:1182 hex_string+0x962/0xa40 lib/vsprintf.c:1182 pointer+0x3ae/0x2060 lib/vsprintf.c:2407 vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2809 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73 sd_read_write_protect_flag drivers/scsi/sd.c:2716 [inline] sd_revalidate_disk+0x5afc/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 
really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 
__device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== ===================================================== BUG: KMSAN: uninit-value in hex_string+0x92b/0xa40 lib/vsprintf.c:1179 hex_string+0x92b/0xa40 lib/vsprintf.c:1179 pointer+0x3ae/0x2060 lib/vsprintf.c:2407 vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2809 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73 sd_read_write_protect_flag drivers/scsi/sd.c:2716 [inline] sd_revalidate_disk+0x5afc/0xdfd0 
drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 
drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== ===================================================== BUG: KMSAN: uninit-value in hex_string+0x962/0xa40 lib/vsprintf.c:1182 hex_string+0x962/0xa40 lib/vsprintf.c:1182 pointer+0x3ae/0x2060 lib/vsprintf.c:2407 vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2809 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73 
sd_read_write_protect_flag drivers/scsi/sd.c:2716 [inline] sd_revalidate_disk+0x5afc/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was stored to memory at: memcpy_from_page include/linux/highmem.h:346 [inline] memcpy_from_bvec include/linux/bvec.h:207 [inline] bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403 bio_endio+0xa7f/0xac0 block/bio.c:1491 req_bio_endio block/blk-mq.c:674 [inline] blk_update_request+0x1129/0x22d0 block/blk-mq.c:742 blk_mq_end_request block/blk-mq.c:821 [inline] blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477 blk_execute_rq_nowait block/blk-exec.c:62 [inline] blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 
driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Uninit was created at: __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409 alloc_pages+0x8a5/0xb80 bio_copy_kern block/blk-map.c:449 [inline] blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567 really_probe+0x67d/0x1510 drivers/base/dd.c:596 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751 driver_probe_device drivers/base/dd.c:781 [inline] __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927 async_run_entry_fn+0xd2/0x630 kernel/async.c:127 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound async_run_entry_fn ===================================================== ===================================================== BUG: KMSAN: uninit-value in hex_string+0x92b/0xa40 lib/vsprintf.c:1179 hex_string+0x92b/0xa40 lib/vsprintf.c:1179 pointer+0x3ae/0x2060 lib/vsprintf.c:2407 vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2809 vscnprintf+0xbe/0x1c0 
 lib/vsprintf.c:2908
 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73
 sd_read_write_protect_flag drivers/scsi/sd.c:2716 [inline]
 sd_revalidate_disk+0x5afc/0xdfd0 drivers/scsi/sd.c:3328
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

Uninit was stored to memory at:
 memcpy_from_page include/linux/highmem.h:346 [inline]
 memcpy_from_bvec include/linux/bvec.h:207 [inline]
 bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403
 bio_endio+0xa7f/0xac0 block/bio.c:1491
 req_bio_endio block/blk-mq.c:674 [inline]
 blk_update_request+0x1129/0x22d0 block/blk-mq.c:742
 blk_mq_end_request block/blk-mq.c:821 [inline]
 blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685
 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785
 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862
 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915
 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477
 blk_execute_rq_nowait block/blk-exec.c:62 [inline]
 blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102
 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244
 scsi_execute_req include/scsi/scsi_device.h:470 [inline]
 scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163
 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

Uninit was created at:
 __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409
 alloc_pages+0x8a5/0xb80
 bio_copy_kern block/blk-map.c:449 [inline]
 blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640
 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229
 scsi_execute_req include/scsi/scsi_device.h:470 [inline]
 scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163
 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound async_run_entry_fn
=====================================================
=====================================================
BUG: KMSAN: uninit-value in hex_string+0x962/0xa40 lib/vsprintf.c:1182
 hex_string+0x962/0xa40 lib/vsprintf.c:1182
 pointer+0x3ae/0x2060 lib/vsprintf.c:2407
 vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2809
 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908
 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73
 sd_read_write_protect_flag drivers/scsi/sd.c:2716 [inline]
 sd_revalidate_disk+0x5afc/0xdfd0 drivers/scsi/sd.c:3328
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

Uninit was stored to memory at:
 memcpy_from_page include/linux/highmem.h:346 [inline]
 memcpy_from_bvec include/linux/bvec.h:207 [inline]
 bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403
 bio_endio+0xa7f/0xac0 block/bio.c:1491
 req_bio_endio block/blk-mq.c:674 [inline]
 blk_update_request+0x1129/0x22d0 block/blk-mq.c:742
 blk_mq_end_request block/blk-mq.c:821 [inline]
 blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685
 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785
 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862
 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915
 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477
 blk_execute_rq_nowait block/blk-exec.c:62 [inline]
 blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102
 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244
 scsi_execute_req include/scsi/scsi_device.h:470 [inline]
 scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163
 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

Uninit was created at:
 __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409
 alloc_pages+0x8a5/0xb80
 bio_copy_kern block/blk-map.c:449 [inline]
 blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640
 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229
 scsi_execute_req include/scsi/scsi_device.h:470 [inline]
 scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163
 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound async_run_entry_fn
=====================================================
=====================================================
BUG: KMSAN: uninit-value in hex_string+0x92b/0xa40 lib/vsprintf.c:1179
 hex_string+0x92b/0xa40 lib/vsprintf.c:1179
 pointer+0x3ae/0x2060 lib/vsprintf.c:2407
 vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2809
 vscnprintf+0xbe/0x1c0 lib/vsprintf.c:2908
 sdev_prefix_printk+0x4b9/0x5a0 drivers/scsi/scsi_logging.c:73
 sd_read_write_protect_flag drivers/scsi/sd.c:2716 [inline]
 sd_revalidate_disk+0x5afc/0xdfd0 drivers/scsi/sd.c:3328
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

Uninit was stored to memory at:
 memcpy_from_page include/linux/highmem.h:346 [inline]
 memcpy_from_bvec include/linux/bvec.h:207 [inline]
 bio_copy_kern_endio_read+0x4a3/0x620 block/blk-map.c:403
 bio_endio+0xa7f/0xac0 block/bio.c:1491
 req_bio_endio block/blk-mq.c:674 [inline]
 blk_update_request+0x1129/0x22d0 block/blk-mq.c:742
 blk_mq_end_request block/blk-mq.c:821 [inline]
 blk_mq_dispatch_rq_list+0x16f8/0x3f50 block/blk-mq.c:1685
 __blk_mq_sched_dispatch_requests+0x58b/0x8d0 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x1b9/0x380 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0x201/0x350 block/blk-mq.c:1785
 __blk_mq_delay_run_hw_queue+0x21d/0x970 block/blk-mq.c:1862
 blk_mq_run_hw_queue+0x57c/0x7b0 block/blk-mq.c:1915
 blk_mq_sched_insert_request+0x3b8/0x790 block/blk-mq-sched.c:477
 blk_execute_rq_nowait block/blk-exec.c:62 [inline]
 blk_execute_rq+0x406/0x7c0 block/blk-exec.c:102
 __scsi_execute+0x84d/0xe30 drivers/scsi/scsi_lib.c:244
 scsi_execute_req include/scsi/scsi_device.h:470 [inline]
 scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163
 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

Uninit was created at:
 __alloc_pages+0xbbf/0x1090 mm/page_alloc.c:5409
 alloc_pages+0x8a5/0xb80
 bio_copy_kern block/blk-map.c:449 [inline]
 blk_rq_map_kern+0x813/0x1400 block/blk-map.c:640
 __scsi_execute+0x4bd/0xe30 drivers/scsi/scsi_lib.c:229
 scsi_execute_req include/scsi/scsi_device.h:470 [inline]
 scsi_mode_sense+0x737/0x16d0 drivers/scsi/scsi_lib.c:2163
 sd_revalidate_disk+0x5206/0xdfd0 drivers/scsi/sd.c:3328
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30

CPU: 0 PID: 51 Comm: kworker/u4:2 Tainted: G B 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound async_run_entry_fn
=====================================================
=====================================================
BUG: KMSAN: uninit-value in scsi_mode_sense+0x1046/0x16d0 drivers/scsi/scsi_lib.c:2200
 scsi_mode_sense+0x1046/0x16d0 drivers/scsi/scsi_lib.c:2200
 sd_do_mode_sense drivers/scsi/sd.c:2657 [inline]
 sd_read_cache_type drivers/scsi/sd.c:2765 [inline]
 sd_revalidate_disk+0x6225/0xdfd0 drivers/scsi/sd.c:3329
 sd_probe+0x10a7/0x1970 drivers/scsi/sd.c:3567
 really_probe+0x67d/0x1510 drivers/base/dd.c:596
 __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:751
 driver_probe_device drivers/base/dd.c:781 [inline]
 __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:898
 bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
 __device_attach_async_helper+0x314/0x3e0 drivers/base/dd.c:927
 async_run_entry_fn+0xd2/0x630 kernel/async.c:127
 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
 kthread+0x721/0x850 kernel/kthre

Tested on:

commit:         81c325bb kmsan: hooks: do not check memory in kmsan_in..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1736b3dbb00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1e3911d4873b88c8
dashboard link: https://syzkaller.appspot.com/bug?extid=e7d46eb426883fb97efd
compiler:       clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1436c22db00000
* Re: KMSAN: uninit-value in alauda_check_media @ 2019-10-11 11:17 Jas K 0 siblings, 0 replies; 19+ messages in thread From: Jas K @ 2019-10-11 11:17 UTC (permalink / raw) To: syzbot+e7d46eb426883fb97efd Cc: stern, gregkh, linux-usb, usb-storage, linux-kernel Hi, just taking a crack at this. Hope you guys don't mind. #syz test: https://github.com/google/kasan.git 1e76a3e5 diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c index ddab2cd3d2e7..bb309b9ad65b 100644 --- a/drivers/usb/storage/alauda.c +++ b/drivers/usb/storage/alauda.c @@ -452,7 +452,7 @@ static int alauda_init_media(struct us_data *us) static int alauda_check_media(struct us_data *us) { struct alauda_info *info = (struct alauda_info *) us->extra; - unsigned char status[2]; + unsigned char *status = us->iobuf; int rc; rc = alauda_get_media_status(us, status); ^ permalink raw reply related [flat|nested] 19+ messages in thread
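Review bot: the hunk swaps the stack array for us->iobuf but leaves the actual defect in its trailing context untouched: `rc = alauda_get_media_status(us, status);` is still not followed by any check of rc before status is consumed, and the KMSAN report names status@alauda_check_media as the uninitialized local, which is exactly what a failed control transfer leaves behind when the buffer is never written. Suggested shape: test rc immediately after the call and return USB_STOR_TRANSPORT_ERROR before status[0] or status[1] is read; moving the buffer into us->iobuf is a reasonable change on its own, but it only changes where the stale bytes live, not whether they are stale. Separately, the `#syz test:` line points at https://github.com/google/kasan.git while the report was produced from the kmsan.git tree named in it (same commit 1e76a3e5), so syzbot will test against the wrong tree.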
* Re: KMSAN: uninit-value in alauda_check_media
[not found] <cca3b7b4-d9cf-a275-ec0a-c99720a94049@wanadoo.fr>
@ 2021-12-28 7:52 ` syzbot
0 siblings, 0 replies; 19+ messages in thread
From: syzbot @ 2021-12-28 7:52 UTC
To: Christophe JAILLET
Cc: christophe.jaillet, glider, gregkh, kernel-janitors, linux-kernel, linux-usb, stern, syzkaller-bugs, usb-storage

> Hi,
>
> (3rd try - text only format, other git repo to please syzbot - sorry for
> the noise)
>
>
> first try (ok, 3rd...) to use syzbot. I hope I do it right.
> Discussion about the syz report can be found at
> https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org/
>
>
> This patch only tests if alauda_get_media_status() (and its embedded
> usb_stor_ctrl_transfer()) before using the data.
> In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere.
>
> #syz test: |https://github.com/google/kmsan.git| master

"|https://github.com/google/kmsan.git|" does not look like a valid git repo address.

>
> CJ
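The failure mode the quoted message describes, as an added example that is not the driver's code: a user-space model in which a transfer helper can fail without writing its output buffer, beside the caller that checks the return code first and the one that does not. The mock device, the XFER_* codes and the placeholder values of the USB_STOR_TRANSPORT_* constants are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: placeholder return codes standing in
 * for the usb-storage constants named in the thread. */
enum { USB_STOR_TRANSPORT_GOOD = 0, USB_STOR_TRANSPORT_ERROR = 3 };
enum { XFER_GOOD = 0, XFER_ERROR = -1 };

/* Mock device standing in for the USB control transfer: when 'fail' is
 * set the transfer reports an error and, like a real failed transfer,
 * leaves the caller's buffer untouched. */
struct mock_dev {
    int fail;
    unsigned char media_status[2];
};

static int mock_get_media_status(const struct mock_dev *dev, unsigned char *status)
{
    if (dev->fail)
        return XFER_ERROR;          /* status[] deliberately not written */
    memcpy(status, dev->media_status, 2);
    return XFER_GOOD;
}

/* Buggy shape (the pattern KMSAN flagged): rc is fetched but never checked,
 * so after a failed transfer the caller consumes whatever the two bytes
 * held. The 0xAA sentinel stands in for stack garbage; the real driver left
 * the array uninitialized, which is undefined behaviour, so it is made
 * deterministic here. */
int check_media_unchecked(const struct mock_dev *dev, unsigned char *out)
{
    unsigned char status[2] = { 0xAA, 0xAA };
    int rc = mock_get_media_status(dev, status);
    (void)rc;                       /* the missing check */
    memcpy(out, status, 2);
    return USB_STOR_TRANSPORT_GOOD; /* reports success on garbage */
}

/* Fixed shape, as the quoted message describes: check the transfer result
 * first and return USB_STOR_TRANSPORT_ERROR before status is ever read. */
int check_media_checked(const struct mock_dev *dev, unsigned char *out)
{
    unsigned char status[2] = { 0xAA, 0xAA };
    int rc = mock_get_media_status(dev, status);
    if (rc != XFER_GOOD)
        return USB_STOR_TRANSPORT_ERROR;
    memcpy(out, status, 2);
    return USB_STOR_TRANSPORT_GOOD;
}

/* Constructed sample devices: one healthy, one whose transfer fails. */
const struct mock_dev demo_good_dev = { 0, { 0x01, 0x80 } };
const struct mock_dev demo_bad_dev  = { 1, { 0x01, 0x80 } };
unsigned char demo_out[2];

int main(void)
{
    int rc = check_media_unchecked(&demo_bad_dev, demo_out);
    printf("unchecked: rc=%d status=%02x %02x (garbage accepted as a media status)\n",
           rc, demo_out[0], demo_out[1]);
    rc = check_media_checked(&demo_bad_dev, demo_out);
    printf("checked:   rc=%d (USB_STOR_TRANSPORT_ERROR, status never read)\n", rc);
    return 0;
}
```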
end of thread, other threads:[~2021-12-29 16:45 UTC | newest]

Thread overview: 19+ messages
2019-10-07 19:39 KMSAN: uninit-value in alauda_check_media syzbot
2019-10-11 11:23 ` Jaskaran Singh
2019-10-11 11:51 ` Alexander Potapenko
2019-10-11 15:42 ` syzbot
2019-10-11 14:08 ` Alan Stern
2019-10-11 14:18 ` Andrey Konovalov
2019-10-11 14:53 ` Alan Stern
2019-10-11 15:06 ` Greg Kroah-Hartman
2019-10-14 12:56 ` Andrey Konovalov
2019-10-11 15:24 ` syzbot
2021-12-28 7:47 ` Christophe JAILLET
2021-12-28 7:47 ` syzbot
2021-12-28 22:49 ` Alan Stern
2021-12-29 9:16 ` Christophe JAILLET
2021-12-29 16:45 ` Alan Stern
2021-12-28 8:01 ` Christophe JAILLET
2021-12-28 11:10 ` [syzbot] KMSAN: uninit-value in alauda_check_media syzbot
2019-10-11 11:17 Jas K
[not found] <cca3b7b4-d9cf-a275-ec0a-c99720a94049@wanadoo.fr>
2021-12-28 7:52 ` syzbot