KMSAN: kernel-usb-infoleak in hif_usb

KMSAN: kernel-usb-infoleak in hif_usb_send
Status: upstream: reported C repro on 2020/08/11 17:06
Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com
First crash: 408d, last: 65d

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/09/26 03:08	21m	anant.thazhemadam@gmail.com		https://github.com/google/kmsan.git master	OK
2020/09/26 00:39	22m	anant.thazhemadam@gmail.com	patch	https://github.com/google/kmsan.git master	OK

Sample crash report:

usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
=====================================================
BUG: KMSAN: kernel-usb-infoleak in kmsan_handle_urb+0x28/0x40 mm/kmsan/kmsan_hooks.c:303
CPU: 0 PID: 2019 Comm: kworker/0:2 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 kmsan_internal_check_memory+0x202/0x520 mm/kmsan/kmsan.c:402
 kmsan_handle_urb+0x28/0x40 mm/kmsan/kmsan_hooks.c:303
 usb_submit_urb+0x89f/0x2590 drivers/usb/core/urb.c:421
 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
 hif_usb_send+0x5f5/0x1720 drivers/net/wireless/ath/ath9k/hif_usb.c:479
 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
 htc_connect_service+0x14b2/0x19f0 drivers/net/wireless/ath/ath9k/htc_hst.c:275
 ath9k_wmi_connect+0x178/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
 ath9k_init_htc_services+0xf3/0x1190 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
 ath9k_htc_probe_device+0x4fb/0x3e10 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
 ath9k_htc_hw_init+0xdf/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
 ath9k_hif_usb_firmware_cb+0x42b/0xab0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
 request_firmware_work_func+0x1b8/0x2e0 drivers/base/firmware_loader/main.c:1079
 process_one_work+0x1219/0x1fe0 kernel/workqueue.c:2275
 worker_thread+0x10ec/0x2340 kernel/workqueue.c:2421
 kthread+0x521/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104
 kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76
 slab_alloc_node mm/slub.c:2907 [inline]
 __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1099 [inline]
 htc_connect_service+0x1057/0x19f0 drivers/net/wireless/ath/ath9k/htc_hst.c:258
 ath9k_wmi_connect+0x178/0x2c0 drivers/net/wireless/ath/ath9k/wmi.c:267
 ath9k_init_htc_services+0xf3/0x1190 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
 ath9k_htc_probe_device+0x4fb/0x3e10 drivers/net/wireless/ath/ath9k/htc_drv_init.c:960
 ath9k_htc_hw_init+0xdf/0x190 drivers/net/wireless/ath/ath9k/htc_hst.c:503
 ath9k_hif_usb_firmware_cb+0x42b/0xab0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
 request_firmware_work_func+0x1b8/0x2e0 drivers/base/firmware_loader/main.c:1079
 process_one_work+0x1219/0x1fe0 kernel/workqueue.c:2275
 worker_thread+0x10ec/0x2340 kernel/workqueue.c:2421
 kthread+0x521/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888121719400
=====================================================

Crashes (12784):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kmsan-gce	2021/03/01 19:21	https://github.com/google/kmsan.git master	29ad81a1074a	4c37c133	.config	log	report	syz	C		KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/02/26 11:46	https://github.com/google/kmsan.git master	29ad81a1074a	76f7fc95	.config	log	report	syz	C		KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2020/12/25 23:56	https://github.com/google/kmsan.git master	73d62e81b476	b982b3ea	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/12/17 12:24	https://github.com/google/kmsan.git master	73d62e81b476	04201c06	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/08/20 18:25	https://github.com/google/kmsan.git master	ce8056d1f79e	ed282a3a	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/08/13 08:14	https://github.com/google/kmsan.git master	ce8056d1f79e	bc15f7db	.config	log	report	syz	C
ci-upstream-kmsan-gce	2021/07/16 15:30	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 14:53	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 13:13	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 11:54	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 10:44	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 09:41	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 08:38	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 07:25	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 05:50	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 04:49	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 03:37	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 02:30	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/16 02:19	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 22:54	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 21:38	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 20:49	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 19:47	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 19:43	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 18:41	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 17:36	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 17:17	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 15:57	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 14:11	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 13:20	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 12:11	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 11:10	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 10:36	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 09:27	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 08:41	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 07:21	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 06:43	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 03:29	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 03:03	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 01:34	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/15 00:39	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/14 23:35	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/14 22:28	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/14 22:09	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/14 21:07	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/14 20:06	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/14 19:24	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/07/14 18:38	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce-386	2021/07/05 15:19	https://github.com/google/kmsan.git master	57b5797c8013	55aa55c2	.config	log	report			info	KMSAN: kernel-usb-infoleak in hif_usb_send
ci-upstream-kmsan-gce	2021/01/17 13:43	https://github.com/google/kmsan.git master	73d62e81b476	813be542	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/08/11 15:40	https://github.com/google/kmsan.git master	ce8056d1f79e	bacaf5fa	.config	log	report
ci-upstream-kmsan-gce-386	2020/08/08 05:20	https://github.com/google/kmsan.git master	ce8056d1f79e	ff51e522	.config	log	report
ci-upstream-kmsan-gce-386	2020/08/07 17:50	https://github.com/google/kmsan.git master	05fd5f9f0208	cb436c69	.config	log	report