usb: memory allocation WARNING in hcd_buffer_alloc

From: Dmitry Vyukov <dvyukov@google.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Vegard Nossum <vegard.nossum@oracle.com>,
	chunfeng.yun@mediatek.com, geert@linux-m68k.org,
	USB list <linux-usb@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>
Subject: usb: memory allocation WARNING in hcd_buffer_alloc
Date: Tue, 5 Jul 2016 14:13:35 +0200	[thread overview]
Message-ID: <CACT4Y+YakBa6x9o7r93VwFtcLYpcti-CanLmJ1=fA0rRWg1oZQ@mail.gmail.com> (raw)

Hello,

The following program trigger the following WARNING:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 6263 at mm/page_alloc.c:3584[<     inline     >]
__alloc_pages_slowpath mm/page_alloc.c:3584
WARNING: CPU: 0 PID: 6263 at mm/page_alloc.c:3584[<      none      >]
__alloc_pages_nodemask+0x1731/0x2350 mm/page_alloc.c:3854
Modules linked in:
CPU: 0 PID: 6263 Comm: a.out Not tainted 4.7.0-rc5+ #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff880b58e0 ffff88006ad3f778 ffffffff82cc01af ffffffff86cf92c0
 fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff86cf92c0
 ffffffff816b7881 0000000000000009 ffff88006ad3f7c0 ffffffff8136d17f
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82cc01af>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
 [<ffffffff8136d17f>] __warn+0x19f/0x1e0 kernel/panic.c:516
 [<ffffffff8136d38c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
 [<     inline     >] __alloc_pages_slowpath mm/page_alloc.c:3584
 [<ffffffff816b7881>] __alloc_pages_nodemask+0x1731/0x2350 mm/page_alloc.c:3854
 [<     inline     >] __alloc_pages include/linux/gfp.h:432
 [<     inline     >] __alloc_pages_node include/linux/gfp.h:445
 [<     inline     >] alloc_pages_node include/linux/gfp.h:459
 [<ffffffff8120b28f>] dma_generic_alloc_coherent+0xff/0x250
arch/x86/kernel/pci-dma.c:102
 [<     inline     >] dma_alloc_attrs include/linux/dma-mapping.h:374
 [<     inline     >] dma_alloc_coherent include/linux/dma-mapping.h:401
 [<ffffffff84699f1d>] hcd_buffer_alloc+0x1dd/0x400 drivers/usb/core/buffer.c:140
 [<ffffffff8465a670>] usb_alloc_coherent+0x60/0x80 drivers/usb/core/usb.c:740
 [<ffffffff846a12ba>] usbdev_mmap+0x19a/0x650 drivers/usb/core/devio.c:244
 [<ffffffff8175ae2f>] mmap_region+0x87f/0xfe0 mm/mmap.c:1507
 [<ffffffff8175bf2d>] do_mmap+0x99d/0xbf0 mm/mmap.c:1286
 [<     inline     >] do_mmap_pgoff include/linux/mm.h:2005
 [<ffffffff81701e66>] vm_mmap_pgoff+0x156/0x1a0 mm/util.c:302
 [<     inline     >] SYSC_mmap_pgoff mm/mmap.c:1336
 [<ffffffff81754dea>] SyS_mmap_pgoff+0x34a/0x580 mm/mmap.c:1294
 [<     inline     >] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95
 [<ffffffff81208ff6>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 [<ffffffff86a94e00>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207
---[ end trace 94402e12bc6578e5 ]---

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <sys/mman.h>

int main()
{
  int fd = open("/dev/bus/usb/001/001", 0x800ul, 0);
  mmap((void*)0x201c4000ul, 0xc00000ul, 0x3ul, 0x20012ul, fd, 0x0ul);
  return 0;
}

On commit 1a0a02d1efa066001fd315c1b4df583d939fa2c4 (Jun 30).