KMSAN: kernel-usb-infoleak in hif_usb

KMSAN: kernel-usb-infoleak in hif_usb_send
Status: upstream: reported C repro on 2020/08/11 17:06
Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com
First crash: 45d, last: 5d09h

Sample crash report:

usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
=====================================================
BUG: KMSAN: kernel-usb-infoleak in kmsan_handle_urb+0x28/0x40 mm/kmsan/kmsan_hooks.c:307
CPU: 1 PID: 3752 Comm: kworker/1:2 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_handle_urb+0x28/0x40 mm/kmsan/kmsan_hooks.c:307
 usb_submit_urb+0x861/0x2470 drivers/usb/core/urb.c:406
 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
 hif_usb_send+0x633/0x1790 drivers/net/wireless/ath/ath9k/hif_usb.c:470
 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
 htc_connect_service+0x14b4/0x19f0 drivers/net/wireless/ath/ath9k/htc_hst.c:275
 ath9k_wmi_connect+0x178/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:268
 ath9k_init_htc_services+0xf3/0x11f0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
 ath9k_htc_probe_device+0x4dc/0x3ed0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:962
 ath9k_htc_hw_init+0xdf/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:501
 ath9k_hif_usb_firmware_cb+0x42e/0xab0 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
 request_firmware_work_func+0x1aa/0x2d0 drivers/base/firmware_loader/main.c:1001
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
 kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80
 slab_alloc_node mm/slub.c:2839 [inline]
 __kmalloc_node_track_caller+0xeab/0x12e0 mm/slub.c:4478
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x35f/0xb30 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1083 [inline]
 htc_connect_service+0x1057/0x19f0 drivers/net/wireless/ath/ath9k/htc_hst.c:258
 ath9k_wmi_connect+0x178/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:268
 ath9k_init_htc_services+0xf3/0x11f0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
 ath9k_htc_probe_device+0x4dc/0x3ed0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:962
 ath9k_htc_hw_init+0xdf/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:501
 ath9k_hif_usb_firmware_cb+0x42e/0xab0 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
 request_firmware_work_func+0x1aa/0x2d0 drivers/base/firmware_loader/main.c:1001
 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
 kthread+0x551/0x590 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff88810a729200
=====================================================

Crashes (162):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Maintainers
ci-upstream-kmsan-gce	2020/08/20 18:25	https://github.com/google/kmsan.git master	ce8056d1	ed282a3a	.config	log	report	syz	C		glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/08/13 08:14	https://github.com/google/kmsan.git master	ce8056d1	bc15f7db	.config	log	report	syz	C		glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/16 17:23	https://github.com/google/kmsan.git master	6c24608b	18d7d030	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/16 15:30	https://github.com/google/kmsan.git master	6c24608b	18d7d030	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/16 12:33	https://github.com/google/kmsan.git master	3b3ea602	18d7d030	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/16 11:07	https://github.com/google/kmsan.git master	3b3ea602	18d7d030	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/16 04:09	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/15 22:16	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/15 19:38	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/15 17:10	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/15 12:21	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/15 08:32	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/13 01:31	https://github.com/google/kmsan.git master	3b3ea602	ce441f06	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/11 14:25	https://github.com/google/kmsan.git master	3b3ea602	adfb8b4e	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/10 16:48	https://github.com/google/kmsan.git master	3b3ea602	409809d8	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/07 06:28	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/05 16:17	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/04 07:08	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/04 04:27	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/04 02:43	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/02 14:45	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce	2020/09/02 12:32	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/16 19:56	https://github.com/google/kmsan.git master	6c24608b	18d7d030	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/16 17:46	https://github.com/google/kmsan.git master	6c24608b	18d7d030	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/16 02:04	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/15 23:54	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/15 18:34	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/15 14:40	https://github.com/google/kmsan.git master	3b3ea602	6989d6f6	.config	log	report			info	glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/12 21:22	https://github.com/google/kmsan.git master	3b3ea602	ce441f06	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/12 20:03	https://github.com/google/kmsan.git master	3b3ea602	ce441f06	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/12 06:51	https://github.com/google/kmsan.git master	3b3ea602	79fb24e2	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/12 05:14	https://github.com/google/kmsan.git master	3b3ea602	79fb24e2	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/11 17:10	https://github.com/google/kmsan.git master	3b3ea602	adfb8b4e	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/11 05:57	https://github.com/google/kmsan.git master	3b3ea602	409809d8	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/09 17:47	https://github.com/google/kmsan.git master	3b3ea602	0ea7a887	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/09 15:56	https://github.com/google/kmsan.git master	3b3ea602	0ea7a887	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/08 17:28	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/06 19:09	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/05 08:08	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/05 00:32	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/03 19:13	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/02 17:22	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/02 08:20	https://github.com/google/kmsan.git master	3b3ea602	abf9ba4f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/01 20:07	https://github.com/google/kmsan.git master	3b3ea602	d5a3ae1f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/09/01 17:12	https://github.com/google/kmsan.git master	3b3ea602	d5a3ae1f	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/08/11 15:40	https://github.com/google/kmsan.git master	ce8056d1	bacaf5fa	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/08/08 05:20	https://github.com/google/kmsan.git master	ce8056d1	ff51e522	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci-upstream-kmsan-gce-386	2020/08/07 17:50	https://github.com/google/kmsan.git master	05fd5f9f	cb436c69	.config	log	report				glider@google.com, gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org