Re: [syzbot] [hwmon?] KMSAN: uninit-value in get_temp_cnct
From: Guenter Roeck
Date: Thu Jun 19 2025 - 09:01:43 EST
On 6/19/25 01:01, Marius Zachmann wrote:
Am Mittwoch, dem 18.06.2025 um 22:56 -0700 schrieb Guenter Roeck:
On 6/18/25 21:31, syzbot wrote:
Hello,
syzbot found the following issue on:
HEAD commit: 4774cfe3543a Merge tag 'scsi-fixes' of
git://git.kernel.or..
git tree: upstream
console output:
https://syzkaller.appspot.com/x/log.txt?x=10e3f10c580000
kernel config:
https://syzkaller.appspot.com/x/.config?x=61539536677af51c
dashboard link:
https://syzkaller.appspot.com/bug?extid=3bbbade4e1a7ab45ca3b
compiler: Debian clang version 20.1.6
(++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian
LLD 20.1.6
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
It doesn't need one: The problem will be seen if the data returned
from the
power supply is shorter than expected. In the example below, the
problem will
be seen if less than NUM_TEMP_SENSORS+1 data bytes were received.
One possible fix would be to record the returned data length in
ccp_raw_event()
and to have each caller of send_usb_cmd() check if the returned
amount of data
is sufficient.
Guenter
The device should always return the same number of bytes.
The term is "should". That doesn't mean it always _does_ return the
expected number of bytes, only that it is expected to do so.
I could zero-initialize the buffer at allocation. Then there should
be no uninitialized values.
As long as the values are usable, sure. That would not really fix the
protocol error, though, it would just hide it.
Also I could check the number of returned bytes in send_usb_cmd()
instead of having each caller checking it, and return -EIO if
it is not correct?
Yes, that would be an even better fix, though I would suggest to return
-EPROTO in that case to distinguish it from an actual i/o error.
Thanks,
Guenter