* KMSAN: uninit-value in mii_nway_restart
@ 2019-06-04 10:32 syzbot
From: syzbot @ 2019-06-04 10:32 UTC
To: davem, glider, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: f75e4cfe kmsan: use kmsan_handle_urb() in urb.c
git tree: kmsan
console output: https://syzkaller.appspot.com/x/log.txt?x=1180360ea00000
kernel config: https://syzkaller.appspot.com/x/.config?x=602468164ccdc30a
dashboard link: https://syzkaller.appspot.com/bug?extid=1f53a30781af65d2c955
compiler: clang version 9.0.0 (/home/glider/llvm/clang
06d00afa61eef8f7f501ebdb4e8612ea43ec2d78)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a2b4f2a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=107f4e86a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1f53a30781af65d2c955@syzkaller•appspotmail.com
ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to
write reg index 0x000d: -71
ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to
write reg index 0x000e: -71
ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to
write reg index 0x000d: -71
ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to
write reg index 0x000e: -71
ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to read
reg index 0x0000: -71
==================================================================
BUG: KMSAN: uninit-value in mii_nway_restart+0x141/0x260
drivers/net/mii.c:467
CPU: 1 PID: 3353 Comm: kworker/1:2 Not tainted 5.1.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x191/0x1f0 lib/dump_stack.c:113
kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
__msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
mii_nway_restart+0x141/0x260 drivers/net/mii.c:467
ax88179_bind+0xee3/0x1a10 drivers/net/usb/ax88179_178a.c:1329
usbnet_probe+0x10f5/0x3940 drivers/net/usb/usbnet.c:1728
usb_probe_interface+0xd66/0x1320 drivers/usb/core/driver.c:361
really_probe+0xdae/0x1d80 drivers/base/dd.c:513
driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
__device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
__device_attach+0x454/0x730 drivers/base/dd.c:844
device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
bus_probe_device+0x137/0x390 drivers/base/bus.c:514
device_add+0x288d/0x30e0 drivers/base/core.c:2106
usb_set_configuration+0x30dc/0x3750 drivers/usb/core/message.c:2027
generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
usb_probe_device+0x14c/0x200 drivers/usb/core/driver.c:266
really_probe+0xdae/0x1d80 drivers/base/dd.c:513
driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
__device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
__device_attach+0x454/0x730 drivers/base/dd.c:844
device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
bus_probe_device+0x137/0x390 drivers/base/bus.c:514
device_add+0x288d/0x30e0 drivers/base/core.c:2106
usb_new_device+0x23e5/0x2ff0 drivers/usb/core/hub.c:2534
hub_port_connect drivers/usb/core/hub.c:5089 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
port_event drivers/usb/core/hub.c:5350 [inline]
hub_event+0x48d1/0x7290 drivers/usb/core/hub.c:5432
process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269
worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
kthread+0x4b5/0x4f0 kernel/kthread.c:254
ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
Local variable description: ----buf.i@ax88179_mdio_read
Variable was created at:
__ax88179_read_cmd drivers/net/usb/ax88179_178a.c:199 [inline]
ax88179_read_cmd drivers/net/usb/ax88179_178a.c:311 [inline]
ax88179_mdio_read+0x7b/0x240 drivers/net/usb/ax88179_178a.c:369
mii_nway_restart+0xcf/0x260 drivers/net/mii.c:465
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups•com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: KMSAN: uninit-value in mii_nway_restart
@ 2022-08-30 8:26 Alexander Potapenko
From: Alexander Potapenko @ 2022-08-30 8:26 UTC
To: syzkaller-bugs, David Miller, Alexander Potapenko, LKML, Networking

(adding the original recipients back)

On Fri, Aug 26, 2022 at 10:44 AM Alexander Potapenko <glider@google•com> wrote:
>
> On Tuesday, June 4, 2019 at 12:32:05 PM UTC+2 syzbot wrote:
>>
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: f75e4cfe kmsan: use kmsan_handle_urb() in urb.c
>> git tree: kmsan
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1180360ea00000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=602468164ccdc30a
>> dashboard link: https://syzkaller.appspot.com/bug?extid=1f53a30781af65d2c955
>> compiler: clang version 9.0.0 (/home/glider/llvm/clang
>> 06d00afa61eef8f7f501ebdb4e8612ea43ec2d78)
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a2b4f2a00000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=107f4e86a00000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+1f53a3...@syzkaller•appspotmail.com
>>
>> ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to
>> write reg index 0x000d: -71
>> ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to
>> write reg index 0x000e: -71
>> ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to
>> write reg index 0x000d: -71
>> ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to
>> write reg index 0x000e: -71
>> ax88179_178a 1-1:0.186 (unnamed net_device) (uninitialized): Failed to read
>> reg index 0x0000: -71
>> ==================================================================
>> BUG: KMSAN: uninit-value in mii_nway_restart+0x141/0x260
>> drivers/net/mii.c:467
>> CPU: 1 PID: 3353 Comm: kworker/1:2 Not tainted 5.1.0+ #1
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Workqueue: usb_hub_wq hub_event
>> Call Trace:
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0x191/0x1f0 lib/dump_stack.c:113
>> kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
>> __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
>> mii_nway_restart+0x141/0x260 drivers/net/mii.c:467
>> ax88179_bind+0xee3/0x1a10 drivers/net/usb/ax88179_178a.c:1329
>> usbnet_probe+0x10f5/0x3940 drivers/net/usb/usbnet.c:1728
>> usb_probe_interface+0xd66/0x1320 drivers/usb/core/driver.c:361
>> really_probe+0xdae/0x1d80 drivers/base/dd.c:513
>> driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
>> __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
>> bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
>> __device_attach+0x454/0x730 drivers/base/dd.c:844
>> device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
>> bus_probe_device+0x137/0x390 drivers/base/bus.c:514
>> device_add+0x288d/0x30e0 drivers/base/core.c:2106
>> usb_set_configuration+0x30dc/0x3750 drivers/usb/core/message.c:2027
>> generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
>> usb_probe_device+0x14c/0x200 drivers/usb/core/driver.c:266
>> really_probe+0xdae/0x1d80 drivers/base/dd.c:513
>> driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
>> __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
>> bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
>> __device_attach+0x454/0x730 drivers/base/dd.c:844
>> device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
>> bus_probe_device+0x137/0x390 drivers/base/bus.c:514
>> device_add+0x288d/0x30e0 drivers/base/core.c:2106
>> usb_new_device+0x23e5/0x2ff0 drivers/usb/core/hub.c:2534
>> hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>> hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>> port_event drivers/usb/core/hub.c:5350 [inline]
>> hub_event+0x48d1/0x7290 drivers/usb/core/hub.c:5432
>> process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269
>> worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
>> kthread+0x4b5/0x4f0 kernel/kthread.c:254
>> ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
>>
>> Local variable description: ----buf.i@ax88179_mdio_read
>> Variable was created at:
>> __ax88179_read_cmd drivers/net/usb/ax88179_178a.c:199 [inline]
>> ax88179_read_cmd drivers/net/usb/ax88179_178a.c:311 [inline]
>> ax88179_mdio_read+0x7b/0x240 drivers/net/usb/ax88179_178a.c:369
>> mii_nway_restart+0xcf/0x260 drivers/net/mii.c:465
>> ==================================================================
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzk...@googlegroups•com.
>>
>> syzbot will keep track of this bug report. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> syzbot can test patches for this bug, for details see:
>> https://goo.gl/tpsmEJ#testing-patches
>
> This bug is still triggerable by KMSAN (https://syzkaller.appspot.com/bug?id=835562bfa4dd92c72f323f29ad388c9cb4b0e63f):
>
> =====================================================
> BUG: KMSAN: uninit-value in mii_nway_restart+0x117/0x1d0 drivers/net/mii.c:465
> mii_nway_restart+0x117/0x1d0 drivers/net/mii.c:465
> dm9601_bind+0xa17/0xb50 drivers/net/usb/dm9601.c:431
> usbnet_probe+0xebb/0x3cc0 drivers/net/usb/usbnet.c:1747
> usb_probe_interface+0xc4b/0x11f0 drivers/usb/core/driver.c:396
> really_probe+0x499/0xf50 drivers/base/dd.c:634
> __driver_probe_device+0x2fa/0x3d0 drivers/base/dd.c:764
> driver_probe_device+0x72/0x7a0 drivers/base/dd.c:794
> __device_attach_driver+0x6f1/0x890 drivers/base/dd.c:917
> bus_for_each_drv+0x1fc/0x360 drivers/base/bus.c:427
> __device_attach+0x42a/0x720 drivers/base/dd.c:989
> device_initial_probe+0x2e/0x40 drivers/base/dd.c:1038
> bus_probe_device+0x13c/0x3b0 drivers/base/bus.c:487
> device_add+0x1d4b/0x26c0 drivers/base/core.c:3428
> usb_set_configuration+0x30f8/0x37e0 drivers/usb/core/message.c:2170
> usb_generic_driver_probe+0x105/0x290 drivers/usb/core/generic.c:238
> usb_probe_device+0x288/0x490 drivers/usb/core/driver.c:293
> really_probe+0x499/0xf50 drivers/base/dd.c:634
> __driver_probe_device+0x2fa/0x3d0 drivers/base/dd.c:764
> driver_probe_device+0x72/0x7a0 drivers/base/dd.c:794
> __device_attach_driver+0x6f1/0x890 drivers/base/dd.c:917
> bus_for_each_drv+0x1fc/0x360 drivers/base/bus.c:427
> __device_attach+0x42a/0x720 drivers/base/dd.c:989
> device_initial_probe+0x2e/0x40 drivers/base/dd.c:1038
> bus_probe_device+0x13c/0x3b0 drivers/base/bus.c:487
> device_add+0x1d4b/0x26c0 drivers/base/core.c:3428
> usb_new_device+0x17a1/0x2360 drivers/usb/core/hub.c:2566
> hub_port_connect drivers/usb/core/hub.c:5363 [inline]
> hub_port_connect_change drivers/usb/core/hub.c:5507 [inline]
> port_event drivers/usb/core/hub.c:5663 [inline]
> hub_event+0x5559/0x8050 drivers/usb/core/hub.c:5745
> process_one_work+0xb27/0x13e0 kernel/workqueue.c:2289
> worker_thread+0x1076/0x1d60 kernel/workqueue.c:2436
> kthread+0x31b/0x430 kernel/kthread.c:376
> ret_from_fork+0x1f/0x30
>
> Local variable res created at:
> dm9601_mdio_read+0x49/0xf0 drivers/net/usb/dm9601.c:226
> mii_nway_restart+0x84/0x1d0 drivers/net/mii.c:463
>
> CPU: 0 PID: 28 Comm: kworker/0:1 Not tainted 5.19.0-syzkaller-32655-g1b070a5d1a2c #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
> Workqueue: usb_hub_wq hub_event
> =====================================================
>
> I believe we should either be always checking the return value of dm_read_shared_word(), or make it unconditionally initialize *value.

--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Managing directors: Paul Manicle, Liana Sebastian
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
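The two options named in the reply above (always check the return value of the read helper, or have the helper initialize *value on every path), as an added userspace C model; it is not code from dm9601.c or from this thread. read_word(), read_word_init(), the restart_*() wrappers, the `stale` parameter (a deterministic stand-in for leftover stack bytes) and the register value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BMCR_ANENABLE 0x1000 /* autonegotiation-enable bit of the MII BMCR */
#define ERR_EPROTO    71     /* EPROTO on Linux; the 2019 log shows -71 */

/* Stand-in for a helper like dm_read_shared_word(): on a failed transfer
 * it returns a negative errno and never writes *value. */
static int read_word(int fail, uint16_t *value)
{
    if (fail)
        return -ERR_EPROTO;
    *value = 0x0000; /* constructed register content: autoneg off */
    return 0;
}

/* Second option in the reply: the helper initializes *value on every path. */
static int read_word_init(int fail, uint16_t *value)
{
    *value = 0;
    return read_word(fail, value);
}

/* Reported pattern: return code dropped, then a branch on res. */
static int restart_unchecked(int fail, uint16_t stale)
{
    uint16_t res = stale; /* models an uninitialized stack slot */
    (void)read_word(fail, &res);
    return (res & BMCR_ANENABLE) ? 1 : 0;
}

/* First option in the reply: check the return value before using res. */
static int restart_checked(int fail, uint16_t stale)
{
    uint16_t res = stale;
    int err = read_word(fail, &res);
    return err < 0 ? err : ((res & BMCR_ANENABLE) ? 1 : 0);
}

static int restart_callee_init(int fail, uint16_t stale)
{
    uint16_t res = stale;
    (void)read_word_init(fail, &res);
    return (res & BMCR_ANENABLE) ? 1 : 0;
}

int main(void)
{
    printf("failed read, stale=0x1000: unchecked=%d checked=%d callee_init=%d\n",
           restart_unchecked(1, 0x1000), restart_checked(1, 0x1000),
           restart_callee_init(1, 0x1000));
    printf("failed read, stale=0x0000: unchecked=%d\n", restart_unchecked(1, 0));
    return 0;
}
```

With the same failed read, the unchecked variant takes either branch depending on the stale bytes, which is the data-dependent branch KMSAN flags; the other two variants give one fixed result.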