From: Edward Adam Davis <eadavis@qq.com>
To: syzbot+7fb05ccf7b3d2f9617b3@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, linux-sound@vger.kernel.org,
linux-usb@vger.kernel.org, perex@perex.cz,
syzkaller-bugs@googlegroups.com, tiwai@suse.com
Subject: [PATCH] ALSA: line6: fix uninit-value in line6_pod_process_message
Date: Tue, 2 Apr 2024 14:47:24 +0800
Message-ID: <tencent_44291B84257ABAB7BB7B33C49E0E1BC74B08@qq.com>
In-Reply-To: <00000000000084b18706150bcca5@google.com>
[Syzbot reported]
BUG: KMSAN: uninit-value in line6_pod_process_message+0x72f/0x7b0 sound/usb/line6/pod.c:201
line6_pod_process_message+0x72f/0x7b0 sound/usb/line6/pod.c:201
line6_data_received+0x5db/0x7e0 sound/usb/line6/driver.c:317
__usb_hcd_giveback_urb+0x508/0x770 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x157/0x720 drivers/usb/core/hcd.c:1732
dummy_timer+0xd93/0x6b10 drivers/usb/gadget/udc/dummy_hcd.c:1987
call_timer_fn+0x49/0x580 kernel/time/timer.c:1793
expire_timers kernel/time/timer.c:1844 [inline]
__run_timers kernel/time/timer.c:2418 [inline]
__run_timer_base+0x84e/0xe90 kernel/time/timer.c:2429
run_timer_base kernel/time/timer.c:2438 [inline]
run_timer_softirq+0x3a/0x70 kernel/time/timer.c:2448
__do_softirq+0x1c0/0x7d7 kernel/softirq.c:554
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:633 [inline]
irq_exit_rcu+0x6a/0x130 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x83/0x90 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:702
native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline]
acpi_safe_halt+0x25/0x30 drivers/acpi/processor_idle.c:112
acpi_idle_do_entry+0x22/0x40 drivers/acpi/processor_idle.c:573
acpi_idle_enter+0xa1/0xc0 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0xcb/0x250 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x7f/0xf0 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x551/0x750 kernel/sched/idle.c:332
cpu_startup_entry+0x65/0x80 kernel/sched/idle.c:430
rest_init+0x1e8/0x260 init/main.c:732
start_kernel+0x927/0xa70 init/main.c:1074
x86_64_start_reservations+0x2e/0x30 arch/x86/kernel/head64.c:507
x86_64_start_kernel+0x98/0xa0 arch/x86/kernel/head64.c:488
common_startup_64+0x12c/0x137
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmalloc_trace+0x578/0xba0 mm/slub.c:3992
kmalloc include/linux/slab.h:628 [inline]
line6_init_cap_control+0x4f1/0x770 sound/usb/line6/driver.c:700
line6_probe+0xeae/0x1120 sound/usb/line6/driver.c:797
pod_probe+0x79/0x90 sound/usb/line6/pod.c:522
usb_probe_interface+0xd6f/0x1350 drivers/usb/core/driver.c:399
really_probe+0x4db/0xd90 drivers/base/dd.c:656
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:798
driver_probe_device+0x72/0x890 drivers/base/dd.c:828
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:956
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1028
device_initial_probe+0x32/0x40 drivers/base/dd.c:1077
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x1475/0x1c90 drivers/base/core.c:3705
usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:254
usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:294
really_probe+0x4db/0xd90 drivers/base/dd.c:656
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:798
driver_probe_device+0x72/0x890 drivers/base/dd.c:828
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:956
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1028
device_initial_probe+0x32/0x40 drivers/base/dd.c:1077
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x1475/0x1c90 drivers/base/core.c:3705
usb_new_device+0x15ff/0x2470 drivers/usb/core/hub.c:2643
hub_port_connect drivers/usb/core/hub.c:5512 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5652 [inline]
port_event drivers/usb/core/hub.c:5812 [inline]
hub_event+0x4ff8/0x72d0 drivers/usb/core/hub.c:5894
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa81/0x1bd0 kernel/workqueue.c:3335
worker_thread+0xea5/0x1560 kernel/workqueue.c:3416
kthread+0x3e2/0x540 kernel/kthread.c:388
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
[Fix]
Let's clear all the content of the buffer message during alloc.
Reported-and-tested-by: syzbot+7fb05ccf7b3d2f9617b3@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
sound/usb/line6/driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c
index b67617b68e50..8fd9d42aa8e2 100644
--- a/sound/usb/line6/driver.c
+++ b/sound/usb/line6/driver.c
@@ -697,7 +697,7 @@ static int line6_init_cap_control(struct usb_line6 *line6)
return -ENOMEM;
if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) {
- line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL);
+ line6->buffer_message = kzalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL);
if (!line6->buffer_message)
return -ENOMEM;
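Review bot: switching to kzalloc makes the buffer's initial contents deterministic, but it does not stop line6_pod_process_message (pod.c:201 in the report above) from parsing bytes that were never received. buffer_message is allocated once here at probe time and reused for every message, so once a longer message has been copied in, a shorter one leaves the previous message's bytes beyond its own length, and a consumer that indexes fixed offsets will parse those stale bytes as part of the new message. Consider also bounding the fixed-offset reads in the consumer by the number of bytes actually received (or clearing the buffer before each receive), and stating in the commit message why zero-filling at allocation is considered sufficient on its own if that is the intended position.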
--
2.43.0
Thread overview: 5+ messages
2024-04-01 16:51 [syzbot] [usb?] [sound?] KMSAN: uninit-value in line6_pod_process_message syzbot
2024-04-02 2:24 ` Edward Adam Davis
2024-04-02 6:29 ` syzbot
2024-04-02 6:47 ` Edward Adam Davis [this message]
2024-04-02 6:51 ` [PATCH] ALSA: line6: fix " Takashi Iwai