Re: [PATCH v5 20/38] kmsan: handle memory sent to/from USB

On Wed, Mar 25, 2020 at 5:14 PM <glider@xxxxxxxxxx> wrote:
>
> Depending on the value of is_out kmsan_handle_urb() KMSAN either
> marks the data copied to the kernel from a USB device as initialized,
> or checks the data sent to the device for being initialized.
>
> Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>
> To: Alexander Potapenko <glider@xxxxxxxxxx>
> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> Cc: Wolfram Sang <wsa@xxxxxxxxxxxxx>
> Cc: Petr Mladek <pmladek@xxxxxxxx>
> Cc: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
> Cc: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Cc: Marco Elver <elver@xxxxxxxxxx>
> Cc: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> Cc: linux-mm@xxxxxxxxx
>
> ---
>
> This patch was previously called "kmsan: call KMSAN hooks where needed"
>
> v4:
>  - split this patch away
>
> Change-Id: Idd0f8ce858975112285706ffb7286f570bd3007b
> ---
>  drivers/usb/core/urb.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
> index da923ec176122..4a0b0ac0f52f9 100644
> --- a/drivers/usb/core/urb.c
> +++ b/drivers/usb/core/urb.c
> @@ -8,6 +8,7 @@
>  #include <linux/bitops.h>
>  #include <linux/slab.h>
>  #include <linux/log2.h>
> +#include <linux/kmsan-checks.h>
>  #include <linux/usb.h>
>  #include <linux/wait.h>
>  #include <linux/usb/hcd.h>
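
Review bot: the new #include <linux/kmsan-checks.h> is unconditional, and so is the kmsan_handle_urb() call added in the next hunk, so the header has to supply an empty stub for kernels built without KMSAN or urb.c will not build there. It is worth confirming that in the patch that introduces the header and saying so in the commit message, since nothing in this file guards the call.
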
> @@ -402,6 +403,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
>                         URB_SETUP_MAP_SINGLE | URB_SETUP_MAP_LOCAL |
>                         URB_DMA_SG_COMBINED);
>         urb->transfer_flags |= (is_out ? URB_DIR_OUT : URB_DIR_IN);
> +       kmsan_handle_urb(urb, is_out);

I guess this could simply accept urb and then check
urb->transfer_flags instead of also accepting is_out?

Alan, do you think this is a good place for a call to
kmsan_handle_urb(), which is supposed to check that the memory we pass
to a USB device is initialized (so we don't leak uninitialized memory)
and mark memory received from the device as initialized? You can find
the implementation here:

https://github.com/google/kmsan/commit/491a67cf03fa9e0f240fd6eb53a6074e4bfd1a2c#diff-020c941e2b8fc67f5ddca598cd954d57R322


>
>         if (xfertype != USB_ENDPOINT_XFER_CONTROL &&
>                         dev->state < USB_STATE_CONFIGURED)
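
Review bot: kmsan_handle_urb(urb, is_out) runs at submission time and ahead of the xfertype / dev->state check right below it, which is a questionable spot for the IN direction. If the IN case marks the transfer buffer as initialized here, that happens before the device has written anything, and it also happens when that check goes on to reject the URB or when the transfer later completes short, so bytes the device never wrote would be treated as initialized and the reads KMSAN is meant to report would be hidden. Consider keeping only the OUT-side check at this point, after the validation, and doing the IN-side marking on completion, limited to urb->actual_length.
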
> --
> 2.25.1.696.g5e7596f4ac-goog
>



