From: Uladzislau Rezki <urezki@gmail.com>
To: linux-usb@vger.kernel.org, linux-media@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
	linux-usb@vger.kernel.org, mchehab@kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] WARNING in __vmalloc_node_range
Date: Thu, 6 May 2021 16:22:10 +0200
Message-ID: <20210506142210.GA37570@pc638.lan>
In-Reply-To: <000000000000fdc0be05c1a6d68f@google.com>

> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    d665ea6e Merge tag 'for-linus-5.13-rc1' of git://git.kerne..
> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=148bff43d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f635d6ce17da8a68
> dashboard link: https://syzkaller.appspot.com/bug?extid=7336195c02c1bd2f64e1
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16e963e1d00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=116eec2dd00000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com
> 
> usb 1-1: media controller created
> dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
> cxusb: set interface failed
> dvb-usb: bulk message failed: -22 (1/0)
> DVB: Unable to find symbol mt352_attach()
> dvb-usb: no frontend was attached by 'DViCO FusionHDTV DVB-T USB (LGZ201)'
> dvbdev: DVB: registering new adapter (DViCO FusionHDTV DVB-T USB (LGZ201))
> usb 1-1: media controller created
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 7 at mm/vmalloc.c:2873 __vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
> Modules linked in:
> CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:__vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
> Code: c7 04 24 00 00 00 00 eb 93 e8 93 b7 d9 ff 44 89 fa 44 89 f6 4c 89 ef e8 75 20 07 00 48 89 04 24 e9 be fb ff ff e8 77 b7 d9 ff <0f> 0b 48 c7 04 24 00 00 00 00 e9 63 ff ff ff e8 63 b7 d9 ff 8b 7c
> RSP: 0018:ffffc9000007ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffffff8403d464 RCX: 0000000000000000
> RDX: ffff888100283680 RSI: ffffffff81673599 RDI: 0000000000000003
> RBP: 0000000000000001 R08: 0000000000000000 R09: 8000000000000163
> R10: ffffffff81672ed2 R11: 0000000000000000 R12: 0000000000000000
> R13: ffffc90000000000 R14: dffffc0000000000 R15: 00000000ffffffff
> FS:  0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fffeb9f7c40 CR3: 00000001033f2000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  __vmalloc_node mm/vmalloc.c:2963 [inline]
>  vmalloc+0x67/0x80 mm/vmalloc.c:2996
>  dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251
>  dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184
>  dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline]
>  dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
>  dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
>  cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634
>  usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
>  really_probe+0x291/0xf60 drivers/base/dd.c:576
>  driver_probe_device+0x298/0x410 drivers/base/dd.c:763
>  __device_attach_driver+0x203/0x2c0 drivers/base/dd.c:870
>  bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
>  __device_attach+0x228/0x4b0 drivers/base/dd.c:938
>  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
>  device_add+0xbe0/0x2100 drivers/base/core.c:3319
>  usb_set_configuration+0x113f/0x1910 drivers/usb/core/message.c:2164
>  usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
>  usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
>  really_probe+0x291/0xf60 drivers/base/dd.c:576
>  driver_probe_device+0x298/0x410 drivers/base/dd.c:763
>  __device_attach_driver+0x203/0x2c0 drivers/base/dd.c:870
>  bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
>  __device_attach+0x228/0x4b0 drivers/base/dd.c:938
>  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
>  device_add+0xbe0/0x2100 drivers/base/core.c:3319
>  usb_new_device.cold+0x721/0x1058 drivers/usb/core/hub.c:2556
>  hub_port_connect drivers/usb/core/hub.c:5276 [inline]
>  hub_port_connect_change drivers/usb/core/hub.c:5416 [inline]
>  port_event drivers/usb/core/hub.c:5562 [inline]
>  hub_event+0x2357/0x4320 drivers/usb/core/hub.c:5644
>  process_one_work+0x98d/0x1580 kernel/workqueue.c:2275
>  worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
>  kthread+0x38c/0x460 kernel/kthread.c:313
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches

Seems like vmalloc() is called with zero size passed:

<snip>
void *__vmalloc_node_range(unsigned long size, unsigned long align,
			unsigned long start, unsigned long end, gfp_t gfp_mask,
			pgprot_t prot, unsigned long vm_flags, int node,
			const void *caller)
{
	struct vm_struct *area;
	void *addr;
	unsigned long real_size = size;
	unsigned long real_align = align;
	unsigned int shift = PAGE_SHIFT;

2873	if (WARN_ON_ONCE(!size))
		return NULL;
<snip>

from the dvb_dmx_init() driver:

<snip>
int dvb_dmx_init(struct dvb_demux *dvbdemux)
{
	int i;
	struct dmx_demux *dmx = &dvbdemux->dmx;

	dvbdemux->cnt_storage = NULL;
	dvbdemux->users = 0;
1251	dvbdemux->filter = vmalloc(array_size(sizeof(struct dvb_demux_filter),
					      dvbdemux->filternum));
<snip>

--
Vlad Rezki
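
An added illustration, not part of the original message or of kernel source: a userspace C model of the path described above, where a zero element count passes through an overflow-safe size helper as 0 and only trips the check inside the allocator. model_array_size(), model_vmalloc(), struct model_filter and demux_init_checked() are hypothetical names, and the zero-count guard shows one possible place for a check, not the fix adopted upstream.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-in for the kernel's array_size(): saturates to SIZE_MAX on
 * overflow, but a zero count still yields a valid-looking size of 0. */
static size_t model_array_size(size_t elem, size_t count)
{
	size_t bytes;
	if (__builtin_mul_overflow(elem, count, &bytes))
		return SIZE_MAX;
	return bytes;
}

static int warn_count; /* times the zero-size check fired */

/* Stand-in for the check at mm/vmalloc.c:2873: zero size warns, returns NULL. */
static void *model_vmalloc(size_t size)
{
	if (!size) {
		warn_count++;
		return NULL;
	}
	return malloc(size);
}

struct model_filter { char state[64]; }; /* constructed placeholder type */

/* Hypothetical init: reject a zero count before sizing the allocation, so the
 * caller gets -EINVAL instead of a warning from inside the allocator. */
static int demux_init_checked(size_t filternum, struct model_filter **out)
{
	if (filternum == 0)
		return -EINVAL;
	*out = model_vmalloc(model_array_size(sizeof(**out), filternum));
	return *out ? 0 : -ENOMEM;
}

int main(void)
{
	struct model_filter *f = NULL;
	void *p = model_vmalloc(model_array_size(sizeof(*f), 0));
	printf("unchecked, filternum=0: %p, warnings=%d\n", p, warn_count);
	printf("checked,   filternum=0: %d\n", demux_init_checked(0, &f));
	printf("checked,   filternum=32: %d\n", demux_init_checked(32, &f));
	free(f);
	return 0;
}
```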
