Message-ID: <21281086.36492.1766981516854@app.mailbox.org>
Date: Sun, 28 Dec 2025 20:11:56 -0800 (PST)
From: vdso@...lbox.org
To: mhklinux@...look.com, mhkelley58@...il.com
Cc: "haiyangz@...rosoft.com" <haiyangz@...rosoft.com>,
"wei.liu@...nel.org" <wei.liu@...nel.org>,
"decui@...rosoft.com" <decui@...rosoft.com>,
"kys@...rosoft.com" <kys@...rosoft.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
"dan.carpenter@...aro.org" <dan.carpenter@...aro.org>
Subject: Re: [PATCH 1/1] Drivers: hv: Fix uninit'ed variable in
hv_msg_dump() if CONFIG_PRINTK not set
> On 12/19/2025 8:08 AM mhkelley58@...il.com wrote:
>
>
> From: Michael Kelley <mhklinux@...look.com>
>
> When CONFIG_PRINTK is not set, kmsg_dump_get_buffer() returns 'false'
> without setting the bytes_written argument. In such case, bytes_written
> is uninitialized when it is tested for zero.
>
> This is admittedly an unlikely scenario, but in the interest of correctness
> and avoiding tool noise about uninitialized variables, fix this by testing
> the return value before testing bytes_written.
>
> Fixes: 9c318a1d9b50 ("Drivers: hv: move panic report code from vmbus to hv early init code")
> Reported-by: kernel test robot <lkp@...el.com>
> Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
> Closes: https://lore.kernel.org/all/202512172102.OcUspn1Z-lkp@intel.com/
> Signed-off-by: Michael Kelley <mhklinux@...look.com>
> ---
> drivers/hv/hv_common.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/hv/hv_common.c b/drivers/hv/hv_common.c
> index f466a6099eff..de9e069c5a0c 100644
> --- a/drivers/hv/hv_common.c
> +++ b/drivers/hv/hv_common.c
> @@ -188,6 +188,7 @@ static void hv_kmsg_dump(struct kmsg_dumper *dumper,
> {
> struct kmsg_dump_iter iter;
> size_t bytes_written;
> + bool ret;
>
> /* We are only interested in panics. */
> if (detail->reason != KMSG_DUMP_PANIC || !sysctl_record_panic_msg)
> @@ -198,9 +199,9 @@ static void hv_kmsg_dump(struct kmsg_dumper *dumper,
> * be single-threaded.
> */
> kmsg_dump_rewind(&iter);
> - kmsg_dump_get_buffer(&iter, false, hv_panic_page, HV_HYP_PAGE_SIZE,
> - &bytes_written);
> - if (!bytes_written)
> + ret = kmsg_dump_get_buffer(&iter, false, hv_panic_page, HV_HYP_PAGE_SIZE,
> + &bytes_written);
> + if (!ret || !bytes_written)
> return;
> /*
> * P3 to contain the physical address of the panic page & P4 to
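Review bot: the early `return` under `if (!ret || !bytes_written)` now also fires on a false return value, and it sits ahead of the crash-register setup that the following comment introduces (P3/P4), so the commit message should state whether `kmsg_dump_get_buffer()` can return false after it has written data. If the only goal is to avoid reading an unset `bytes_written`, initialising it at its declaration (`size_t bytes_written = 0;`) does that without a new variable and without changing when the function returns early.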
The existing code

1. doesn't care about the return value from kmsg_dump_get_buffer.
   The return value wouldn't make the function return before, why does that
   need to change?
2. returns early when there are no bytes written.
   I think it shouldn't as otherwise the crash control register isn't written to,
   and the panic isn't signalled to the host. Is there another path maybe that
   I'm not noticing?

That said, would it make sense to you for the patch to be something similar to:
diff --git a/drivers/hv/hv_common.c b/drivers/hv/hv_common.c
index 0a3ab7efed46..20e4a9a13b32 100644
--- a/drivers/hv/hv_common.c
+++ b/drivers/hv/hv_common.c
@@ -188,6 +188,7 @@ static void hv_kmsg_dump(struct kmsg_dumper *dumper,
{
struct kmsg_dump_iter iter;
size_t bytes_written;
+ bool ret;
/* We are only interested in panics. */
if (detail->reason != KMSG_DUMP_PANIC || !sysctl_record_panic_msg)
@@ -197,11 +198,16 @@ static void hv_kmsg_dump(struct kmsg_dumper *dumper,
* Write dump contents to the page. No need to synchronize; panic should
* be single-threaded.
*/
+ bytes_written = 0;
kmsg_dump_rewind(&iter);
- kmsg_dump_get_buffer(&iter, false, hv_panic_page, HV_HYP_PAGE_SIZE,
+ ret = kmsg_dump_get_buffer(&iter, false, hv_panic_page, HV_HYP_PAGE_SIZE,
&bytes_written);
- if (!bytes_written)
- return;
+ /*
+ * Whether there is more data available or not, send what has been captured
+ * to the host. Ignore the return value.
+ */
+ (void) ret;
+
/*
* P3 to contain the physical address of the panic page & P4 to
* contain the size of the panic data in that page. Rest of the
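Review bot: `ret` is assigned from `kmsg_dump_get_buffer()` and then only consumed by `(void) ret;`, so the variable, its declaration in the previous hunk and the cast can all go; call the function without storing the result and keep the comment that explains why. The separate `bytes_written = 0;` statement could likewise become an initialiser on the declaration, `size_t bytes_written = 0;`. With the early `return` removed, the change description should also say that the registers are now written even when nothing was captured, since that goes beyond the uninitialised-variable fix.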
@@ -210,7 +216,7 @@ static void hv_kmsg_dump(struct kmsg_dumper *dumper,
hv_set_msr(HV_MSR_CRASH_P0, 0);
hv_set_msr(HV_MSR_CRASH_P1, 0);
hv_set_msr(HV_MSR_CRASH_P2, 0);
- hv_set_msr(HV_MSR_CRASH_P3, virt_to_phys(hv_panic_page));
+ hv_set_msr(HV_MSR_CRASH_P3, bytes_written ? virt_to_phys(hv_panic_page) : NULL);
hv_set_msr(HV_MSR_CRASH_P4, bytes_written);
/*
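Review bot: in the `HV_MSR_CRASH_P3` line the conditional mixes the result of `virt_to_phys(hv_panic_page)` with `NULL`, a pointer constant, while the neighbouring `hv_set_msr()` calls pass plain integers such as `0`. Use `0` for the empty case so both arms have integer type and the compiler does not warn about a pointer/integer mismatch.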
--
Cheers,
Roman
> --
> 2.25.1
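The three behaviours discussed in this thread, modelled in user-space C as an added example (not code from the thread or from the kernel). `get_buffer`, `POISON`, `struct report`, `page` and the `dump_*` names are hypothetical; `POISON` stands in for the indeterminate value of the unset variable so the outcome is deterministic, and the stub is assumed to always have data when printk is enabled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define POISON ((size_t)0xdeadbeef)  /* models an indeterminate stack value */
struct report { bool signalled; size_t p4; };  /* p4 models HV_MSR_CRASH_P4 */
static char page[4096];                        /* models hv_panic_page */

/* Constructed stand-in for kmsg_dump_get_buffer(); not the kernel's code. */
static bool get_buffer(bool printk, char *buf, size_t size, size_t *len)
{
    static const char msg[] = "constructed panic text";
    size_t n = sizeof(msg) - 1 < size ? sizeof(msg) - 1 : size;
    if (!printk)
        return false;                          /* *len is never written */
    memcpy(buf, msg, n);
    *len = n;
    return true;
}

/* Code before either patch: only the length is tested. */
static struct report dump_original(bool printk)
{
    size_t n = POISON;
    get_buffer(printk, page, sizeof(page), &n);
    return n ? (struct report){ true, n } : (struct report){ false, 0 };
}

/* Quoted patch: return value tested before the length. */
static struct report dump_checked(bool printk)
{
    size_t n = POISON;
    bool ret = get_buffer(printk, page, sizeof(page), &n);
    return (!ret || !n) ? (struct report){ false, 0 } : (struct report){ true, n };
}

/* Reply's proposal: length zeroed first, host always signalled. */
static struct report dump_always(bool printk)
{
    size_t n = 0;
    get_buffer(printk, page, sizeof(page), &n);
    return (struct report){ true, n };
}

int main(void)
{
    printf("no printk: original p4=%zx, checked signalled=%d, always p4=%zu\n",
           dump_original(false).p4, dump_checked(false).signalled, dump_always(false).p4);
    return 0;
}
```

With printk disabled, the original flow reports a garbage length, the quoted patch reports nothing, and the reply's variant reports a zero length.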