syzbot

 sign-in | mailing list | source | docs
🐞 Open [994] Subsystems 🐞 Fixed [5242] 🐞 Invalid [12515] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KMSAN: kernel-usb-infoleak in __kmalloc

Status: auto-closed as invalid on 2020/11/08 23:23
Subsystems: input usb
[Documentation on labels]
First crash: 1354d, last: 1354d

Sample crash report:
=====================================================
BUG: KMSAN: kernel-usb-infoleak in kmsan_handle_urb+0x28/0x40 mm/kmsan/kmsan_hooks.c:307
CPU: 0 PID: 12331 Comm: syz-executor.4 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x358/0x3d0 mm/kmsan/kmsan.c:457
 kmsan_handle_urb+0x28/0x40 mm/kmsan/kmsan_hooks.c:307
 usb_submit_urb+0x861/0x2470 drivers/usb/core/urb.c:406
 hid_submit_ctrl+0xc3d/0x1260 drivers/hid/usbhid/hid-core.c:416
 usbhid_restart_ctrl_queue+0x3e9/0x5c0 drivers/hid/usbhid/hid-core.c:258
 __usbhid_submit_report drivers/hid/usbhid/hid-core.c:601 [inline]
 usbhid_submit_report+0xa63/0x13a0 drivers/hid/usbhid/hid-core.c:638
 usbhid_init_reports+0x231/0x5e0 drivers/hid/usbhid/hid-core.c:782
 hiddev_ioctl+0x1157/0x3a60 drivers/hid/usbhid/hiddev.c:685
 compat_ptr_ioctl+0xe2/0x150 fs/ioctl.c:794
 __do_compat_sys_ioctl fs/ioctl.c:847 [inline]
 __se_compat_sys_ioctl+0x55f/0x1100 fs/ioctl.c:798
 __ia32_compat_sys_ioctl+0x4a/0x70 fs/ioctl.c:798
 do_syscall_32_irqs_on arch/x86/entry/common.c:430 [inline]
 __do_fast_syscall_32+0x2af/0x480 arch/x86/entry/common.c:477
 do_fast_syscall_32+0x6b/0xd0 arch/x86/entry/common.c:505
 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:554
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7f76549
Code: Bad RIP value.
RSP: 002b:00000000f55700cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000004805
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
 kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80
 slab_alloc_node mm/slub.c:2839 [inline]
 slab_alloc mm/slub.c:2848 [inline]
 __kmalloc+0x312/0x410 mm/slub.c:3911
 kmalloc include/linux/slab.h:560 [inline]
 hcd_buffer_alloc+0x279/0x650 drivers/usb/core/buffer.c:132
 usb_alloc_coherent+0x11a/0x190 drivers/usb/core/usb.c:910
 hid_alloc_buffers drivers/hid/usbhid/hid-core.c:862 [inline]
 usbhid_start+0x1125/0x3fa0 drivers/hid/usbhid/hid-core.c:1088
 hid_hw_start+0xa6/0x2a0 drivers/hid/hid-core.c:2030
 cmhid_probe+0x260/0x440 drivers/hid/hid-cmedia.c:123
 hid_device_probe+0x480/0x940 drivers/hid/hid-core.c:2263
 really_probe+0xe46/0x20b0 drivers/base/dd.c:525
 driver_probe_device+0x293/0x390 drivers/base/dd.c:701
 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
 hid_add_device+0x15fc/0x1760 drivers/hid/hid-core.c:2419
 usbhid_probe+0x187f/0x1b90 drivers/hid/usbhid/hid-core.c:1407
 usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374
 really_probe+0xf20/0x20b0 drivers/base/dd.c:529
 driver_probe_device+0x293/0x390 drivers/base/dd.c:701
 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
 usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032
 usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241
 usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272
 really_probe+0xf20/0x20b0 drivers/base/dd.c:529
 driver_probe_device+0x293/0x390 drivers/base/dd.c:701
 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
 usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554
 hub_port_connect drivers/usb/core/hub.c:5208 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]
 port_event drivers/usb/core/hub.c:5494 [inline]
 hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Bytes 0-8191 of 8192 are uninitialized
Memory access of size 8192 starts at ffff88801ef48000
=====================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/08/10 23:18 https://github.com/google/kmsan.git master ce8056d1f79e 7adc7b65 .config console log report ci-upstream-kmsan-gce-386
* Struck through repros no longer work on HEAD.