[syzbot] [usb?] KMSAN: kernel-infoleak in iowarrior_read

From: syzbot
Date: Wed Sep 11 2024 - 22:05:33 EST

Hello,

syzbot found the following issue on:

HEAD commit: d1f2d51b711a Merge tag 'clk-fixes-for-linus' of git://git...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=125c743b980000
kernel config: https://syzkaller.appspot.com/x/.config?x=de85d75807a205cd
dashboard link: https://syzkaller.appspot.com/bug?extid=b8080cbc8d286a5fa23a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1633ca8b980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11db6567980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/df667fbbb2c1/disk-d1f2d51b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1574a134d7c4/vmlinux-d1f2d51b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a977c1daccb8/bzImage-d1f2d51b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b8080cbc8d286a5fa23a@xxxxxxxxxxxxxxxxxxxxxxxxx

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:180 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:26
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
_inline_copy_to_user include/linux/uaccess.h:180 [inline]
_copy_to_user+0xbc/0x110 lib/usercopy.c:26
copy_to_user include/linux/uaccess.h:209 [inline]
iowarrior_read+0xb02/0xdc0 drivers/usb/misc/iowarrior.c:326
vfs_read+0x2a1/0xf60 fs/read_write.c:474
ksys_read+0x20f/0x4c0 fs/read_write.c:619
__do_sys_read fs/read_write.c:629 [inline]
__se_sys_read fs/read_write.c:627 [inline]
__x64_sys_read+0x93/0xe0 fs/read_write.c:627
x64_sys_call+0x3055/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:1
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
slab_post_alloc_hook mm/slub.c:3998 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
__do_kmalloc_node mm/slub.c:4161 [inline]
__kmalloc_noprof+0x661/0xf30 mm/slub.c:4174
kmalloc_noprof include/linux/slab.h:685 [inline]
kmalloc_array_noprof include/linux/slab.h:726 [inline]
iowarrior_probe+0x10ea/0x1b90 drivers/usb/misc/iowarrior.c:836
usb_probe_interface+0xd6f/0x1350 drivers/usb/core/driver.c:399
really_probe+0x4db/0xd90 drivers/base/dd.c:657
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
driver_probe_device+0x72/0x890 drivers/base/dd.c:829
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1029
device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x13aa/0x1ba0 drivers/base/core.c:3682
usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:254
usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:294
really_probe+0x4db/0xd90 drivers/base/dd.c:657
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
driver_probe_device+0x72/0x890 drivers/base/dd.c:829
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1029
device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x13aa/0x1ba0 drivers/base/core.c:3682
usb_new_device+0x15f4/0x2470 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x4ffb/0x72d0 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3312
worker_thread+0xea7/0x14d0 kernel/workqueue.c:3389
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Bytes 0-72 of 73 are uninitialized
Memory access of size 73 starts at ffff888135d8b000
Data copied to user address 0000000020000000

CPU: 0 UID: 0 PID: 5280 Comm: syz-executor107 Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup