Re: [syzbot] [usb?] KMSAN: kernel-infoleak in iowarrior_read
From: syzbot
Date: Sun Sep 15 2024 - 14:41:48 EST
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: kernel-infoleak in iowarrior_read
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:180 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:26
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
_inline_copy_to_user include/linux/uaccess.h:180 [inline]
_copy_to_user+0xbc/0x110 lib/usercopy.c:26
copy_to_user include/linux/uaccess.h:209 [inline]
iowarrior_read+0xb02/0xdc0 drivers/usb/misc/iowarrior.c:326
vfs_read+0x2a1/0xf60 fs/read_write.c:474
ksys_read+0x20f/0x4c0 fs/read_write.c:619
__do_sys_read fs/read_write.c:629 [inline]
__se_sys_read fs/read_write.c:627 [inline]
__x64_sys_read+0x93/0xe0 fs/read_write.c:627
x64_sys_call+0x3055/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:1
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3998 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
__do_kmalloc_node mm/slub.c:4161 [inline]
__kmalloc_noprof+0x661/0xf30 mm/slub.c:4174
kmalloc_noprof include/linux/slab.h:685 [inline]
kmalloc_array_noprof include/linux/slab.h:726 [inline]
iowarrior_probe+0x10ea/0x1b90 drivers/usb/misc/iowarrior.c:836
usb_probe_interface+0xd6f/0x1350 drivers/usb/core/driver.c:399
really_probe+0x4db/0xd90 drivers/base/dd.c:657
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
driver_probe_device+0x72/0x890 drivers/base/dd.c:829
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1029
device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x13aa/0x1ba0 drivers/base/core.c:3682
usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:254
usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:294
really_probe+0x4db/0xd90 drivers/base/dd.c:657
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
driver_probe_device+0x72/0x890 drivers/base/dd.c:829
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
__device_attach+0x3c1/0x650 drivers/base/dd.c:1029
device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
device_add+0x13aa/0x1ba0 drivers/base/core.c:3682
usb_new_device+0x15f4/0x2470 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x4ffb/0x72d0 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3312
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3393
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Bytes 0-72 of 73 are uninitialized
Memory access of size 73 starts at ffff88811889e000
Data copied to user address 0000000020000000
CPU: 1 UID: 0 PID: 6520 Comm: syz.0.143 Not tainted 6.11.0-syzkaller-g98f7e32f20d2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
=====================================================
Tested on:
commit: 98f7e32f Linux 6.11
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=117b97c7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3ab8d456be59dad9
dashboard link: https://syzkaller.appspot.com/bug?extid=b8080cbc8d286a5fa23a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.