Initialize cldata->handle in msm_bus_dbg_client_data(), or this field could be used uninitialized in msm_bus_dbg_rec_transaction().

KUMSAN (Kernel Uninitialized Memory Sanitizer, a new error detection tool) reports this bug.

[  435.087052] ==================================================================
[  435.087086] BUG: KUMSAN: uninit-use in msm_bus_dbg_rec_transaction+0x7c/0x50c
[  435.087106] Read of size 8 at addr ffffffc0d1338008 by task kworker/7:0/3039
[  435.087119]
[  435.087141] CPU: 7 PID: 3039 Comm: kworker/7:0 Tainted: G    B   4.9.124-dirty #83
[  435.087157] Hardware name: Google Inc. MSM sdm670 B4 PVT v1.0 (DT)
[  435.087180] Workqueue: pm pm_runtime_work
[  435.087193] Call trace:
[  435.087213] [<ffffff900808eaa0>] dump_backtrace+0x0/0x3b4
[  435.087234] [<ffffff900808ee70>] show_stack+0x1c/0x24
[  435.087255] [<ffffff900866b52c>] dump_stack+0xb8/0xe8
[  435.087276] [<ffffff90082f1398>] kasan_report+0x2a8/0x630
[  435.087297] [<ffffff90082ef1b4>] __asan_load8+0x190/0x198
[  435.087317] [<ffffff9008817f1c>] msm_bus_dbg_rec_transaction+0x7c/0x50c
[  435.087338] [<ffffff900880bfe4>] update_bw_adhoc+0x74/0x2ec
[  435.087359] [<ffffff9008800e1c>] msm_bus_scale_update_bw+0x44/0x84
[  435.087382] [<ffffff9009469e84>] geni_se_rmv_ab_ib+0x258/0x3c0
[  435.087403] [<ffffff900946a0ac>] se_geni_clks_off+0xc0/0x160
[  435.087425] [<ffffff9008ed9878>] geni_i2c_runtime_suspend+0x40/0x84
[  435.087446] [<ffffff9008b8bee8>] pm_generic_runtime_suspend+0x58/0x8c
[  435.087467] [<ffffff9008b8f5fc>] rpm_callback+0x160/0x1bc
[  435.087488] [<ffffff9008b8f820>] rpm_suspend+0x1c8/0xa04
[  435.087507] [<ffffff9008b922b0>] pm_runtime_work+0x12c/0x148
[  435.087527] [<ffffff90080eb7d4>] process_one_work+0x288/0x830
[  435.087547] [<ffffff90080ebe1c>] worker_thread+0xa0/0x818
[  435.087566] [<ffffff90080f660c>] kthread+0x128/0x148
[  435.087585] [<ffffff9008083980>] ret_from_fork+0x10/0x50
[  435.087597]
[  435.087611] Allocated by task 1:
[  435.087631]  kasan_kmalloc+0x12c/0x1e0
[  435.087649]  kmem_cache_alloc_trace+0x138/0x290
[  435.087667]  msm_bus_dbg_client_data+0x898/0xad4
[  435.087687]  register_client_adhoc+0x5c0/0x670
[  435.087705]  msm_bus_scale_register_client+0x2c/0x68
[  435.087725]  arm_smmu_init_power_resources+0x43c/0x4cc
[  435.087743]  qsmmuv500_tbu_probe+0x17c/0x1f0
[  435.087762]  platform_drv_probe+0x7c/0x140
[  435.087781]  driver_probe_device+0x170/0x710
[  435.087800]  __device_attach_driver+0x10c/0x1f0
[  435.087818]  bus_for_each_drv+0xbc/0x11c
[  435.087836]  __device_attach+0x174/0x21c
[  435.087854]  device_initial_probe+0x1c/0x24
[  435.087872]  bus_probe_device+0xfc/0x10c
[  435.087889]  device_add+0x718/0x990
[  435.087909]  of_device_add+0x68/0x94
[  435.087928]  of_platform_device_create_pdata+0xe4/0x150
[  435.087947]  of_platform_bus_create+0x1f0/0x62c
[  435.087966]  of_platform_populate+0x8c/0x154
[  435.087983]  qsmmuv500_arch_init+0x40c/0x474
[  435.088001]  arm_smmu_device_dt_probe+0x1b40/0x1ec4
[  435.088020]  platform_drv_probe+0x7c/0x140
[  435.088039]  driver_probe_device+0x170/0x710
[  435.088057]  __driver_attach+0x1c4/0x1c8
[  435.088074]  bus_for_each_dev+0xc4/0x124
[  435.088092]  driver_attach+0x34/0x40
[  435.088110]  bus_add_driver+0x260/0x3f4
[  435.088128]  driver_register+0x108/0x214
[  435.088147]  __platform_driver_register+0x84/0x90
[  435.088168]  arm_smmu_init.part.60+0x4c/0x1bc
[  435.088186]  arm_smmu_init+0x24/0x38
[  435.088203]  do_one_initcall+0x64/0x1c0
[  435.088223]  kernel_init_freeable+0x26c/0x344
[  435.088244]  kernel_init+0x18/0x19c
[  435.088261]  ret_from_fork+0x10/0x50
[  435.088272]
[  435.088286] Freed by task 0:
[  435.088298] (stack is not available)
[  435.088309]
[  435.088327] The buggy address belongs to the object at ffffffc0d1338000
                which belongs to the cache kmalloc-8192 of size 8192
[  435.088355] The buggy address is located 8 bytes inside of
                8192-byte region [ffffffc0d1338000, ffffffc0d133a000)
[  435.088378] The buggy address belongs to the page:
[  435.088397] page:ffffffbf0344ce00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  435.088420] flags: 0x4000000000004080(slab|head)
[  435.088434] page dumped because: kasan: bad access detected
[  435.088446]
[  435.088459] Memory state around the buggy address:
[  435.088479]  ffffffc0d1337fe0: 20 ea 01 05 27 49 04 aa 03 ab 20 46 29 f0 7a fa
[  435.088497]  ffffffc0d1337ff0: 04 98 03 9a a0 f5 fa 60 04 90 d9 f8 04 10 45 ea
[  435.088516] >ffffffc0d1338000: 18 a3 32 d1 c0 ff ff ff aa aa aa aa aa aa aa aa
[  435.088531]                     ________________________________________________________^__________
[  435.088549]  ffffffc0d1338010: ff ff ff ff 06 00 00 00 00 00 00 00 aa aa aa aa
[  435.088568]  ffffffc0d1338020: 00 d4 d3 c7 c0 ff ff ff 28 a1 33 d1 c0 ff ff ff
[  435.088580]
[  435.088593] Memory state around the buggy address:
[  435.088610]  ffffffc0d1337f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  435.088629]  ffffffc0d1337f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  435.088647] >ffffffc0d1338000: 00 ff 00 0f 00 00 00 ff ff ff ff ff ff ff ff ff
[  435.088662]                     _______________________^___________________________________________
[  435.088680]  ffffffc0d1338080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  435.088698]  ffffffc0d1338100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  435.088713] ==================================================================

Signed-off-by: Lu Shuaibing <shuaibinglu@xxxxxxx>
---
 drivers/soc/qcom/msm_bus/msm_bus_dbg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/soc/qcom/msm_bus/msm_bus_dbg.c b/drivers/soc/qcom/msm_bus/msm_bus_dbg.c
index df292336f08b..7ef82ba997f7 100644
--- a/drivers/soc/qcom/msm_bus/msm_bus_dbg.c
+++ b/drivers/soc/qcom/msm_bus/msm_bus_dbg.c
@@ -446,6 +446,7 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata,
 	cldata->clid = clid;
 	cldata->file = file;
 	cldata->size = 0;
+	cldata->handle = NULL;
 	rt_mutex_lock(&msm_bus_dbg_cllist_lock);
 	list_add_tail(&cldata->list, &cl_list);
 	rt_mutex_unlock(&msm_bus_dbg_cllist_lock);
-- 
2.19.1
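Review bot: the commit message says the field is initialised in msm_bus_dbg_client_data(), but the hunk is in msm_bus_dbg_record_client() (see the `@@` function context); the allocation trace shows only msm_bus_dbg_client_data+0x898, which is consistent with the static helper being inlined, so please name msm_bus_dbg_record_client() in the message so that the text matches the diff. Since the report is an uninit-use on an 8192-byte kmalloc-8192 object, it is also worth considering whether the allocation should be zeroed (kzalloc) rather than adding one explicit `cldata->handle = NULL;`, so any other field not set on this path is covered as well; if the 8 KiB memset per client is a concern, the one-line fix is acceptable, but say so in the message.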