Re: KMSAN: uninit-value in alauda_check_media
From: Alan Stern <stern@rowland.harvard.edu>
Date: 2021-12-28 22:49:09
Also in:
kernel-janitors, lkml
On Tue, Dec 28, 2021 at 08:47:15AM +0100, Christophe JAILLET wrote:
Hi, (2nd try - text only format - sorry for the noise) first try to use syzbot. I hope I do it right. Discussion about the syz report can be found at https://lore.kernel.org/linux-kernel/0000000000007d25ff059457342d@google.com/ (local) This patch only test if alauda_get_media_status() (and its embedded usb_stor_ctrl_transfer()) before using the data. In case of error, it returns USB_STOR_TRANSPORT_ERROR as done elsewhere. #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master CJ
quoted hunk ↗ jump to hunk
diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c index 20b857e97e60..6c486d964911 100644 --- a/drivers/usb/storage/alauda.c +++ b/drivers/usb/storage/alauda.c@@ -318,7 +318,8 @@ static int alauda_get_media_status(struct us_data *us, unsigned char *data) rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe, command, 0xc0, 0, 1, data, 2); - usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); + if (rc == USB_STOR_XFER_GOOD) + usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]);
Instead of adding this test, you could initialize data[0] and data[1] to zero before the call to usb_stor_ctrl_transfer.
quoted hunk ↗ jump to hunk
return rc; }@@ -453,8 +454,11 @@ static int alauda_check_media(struct us_data *us) { struct alauda_info *info = (struct alauda_info *) us->extra; unsigned char status[2]; + int rc; - alauda_get_media_status(us, status); + rc = alauda_get_media_status(us, status); + if (rc != USB_STOR_TRANSPORT_GOOD) + return USB_STOR_TRANSPORT_ERROR; /* Check for no media or door open */ if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10)
In general this looks fine. Let us know when you are ready to submit the patch. Alan Stern