* [syzbot] WARNING in __vmalloc_node_range
From: syzbot @ 2021-05-06 10:33 UTC
To: linux-kernel, linux-media, linux-usb, mchehab, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    d665ea6e Merge tag 'for-linus-5.13-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=148bff43d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f635d6ce17da8a68
dashboard link: https://syzkaller.appspot.com/bug?extid=7336195c02c1bd2f64e1
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16e963e1d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=116eec2dd00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com

usb 1-1: media controller created
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
cxusb: set interface failed
dvb-usb: bulk message failed: -22 (1/0)
DVB: Unable to find symbol mt352_attach()
dvb-usb: no frontend was attached by 'DViCO FusionHDTV DVB-T USB (LGZ201)'
dvbdev: DVB: registering new adapter (DViCO FusionHDTV DVB-T USB (LGZ201))
usb 1-1: media controller created
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7 at mm/vmalloc.c:2873 __vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
Modules linked in:
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
Code: c7 04 24 00 00 00 00 eb 93 e8 93 b7 d9 ff 44 89 fa 44 89 f6 4c 89 ef e8 75 20 07 00 48 89 04 24 e9 be fb ff ff e8 77 b7 d9 ff <0f> 0b 48 c7 04 24 00 00 00 00 e9 63 ff ff ff e8 63 b7 d9 ff 8b 7c
RSP: 0018:ffffc9000007ee30 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffffff8403d464 RCX: 0000000000000000
RDX: ffff888100283680 RSI: ffffffff81673599 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 8000000000000163
R10: ffffffff81672ed2 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc90000000000 R14: dffffc0000000000 R15: 00000000ffffffff
FS:  0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffeb9f7c40 CR3: 00000001033f2000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __vmalloc_node mm/vmalloc.c:2963 [inline]
 vmalloc+0x67/0x80 mm/vmalloc.c:2996
 dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251
 dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline]
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
 dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
 cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 really_probe+0x291/0xf60 drivers/base/dd.c:576
 driver_probe_device+0x298/0x410 drivers/base/dd.c:763
 __device_attach_driver+0x203/0x2c0 drivers/base/dd.c:870
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4b0 drivers/base/dd.c:938
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbe0/0x2100 drivers/base/core.c:3319
 usb_set_configuration+0x113f/0x1910 drivers/usb/core/message.c:2164
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 really_probe+0x291/0xf60 drivers/base/dd.c:576
 driver_probe_device+0x298/0x410 drivers/base/dd.c:763
 __device_attach_driver+0x203/0x2c0 drivers/base/dd.c:870
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4b0 drivers/base/dd.c:938
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbe0/0x2100 drivers/base/core.c:3319
 usb_new_device.cold+0x721/0x1058 drivers/usb/core/hub.c:2556
 hub_port_connect drivers/usb/core/hub.c:5276 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5416 [inline]
 port_event drivers/usb/core/hub.c:5562 [inline]
 hub_event+0x2357/0x4320 drivers/usb/core/hub.c:5644
 process_one_work+0x98d/0x1580 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x38c/0x460 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Uladzislau Rezki @ 2021-05-06 14:22 UTC
To: linux-usb, linux-media
Cc: linux-kernel, linux-media, linux-usb, mchehab, syzkaller-bugs

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    d665ea6e Merge tag 'for-linus-5.13-rc1' of git://git.kerne..
> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=148bff43d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f635d6ce17da8a68
> dashboard link: https://syzkaller.appspot.com/bug?extid=7336195c02c1bd2f64e1
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16e963e1d00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=116eec2dd00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com
>
> usb 1-1: media controller created
> dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
> cxusb: set interface failed
> dvb-usb: bulk message failed: -22 (1/0)
> DVB: Unable to find symbol mt352_attach()
> dvb-usb: no frontend was attached by 'DViCO FusionHDTV DVB-T USB (LGZ201)'
> dvbdev: DVB: registering new adapter (DViCO FusionHDTV DVB-T USB (LGZ201))
> usb 1-1: media controller created
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 7 at mm/vmalloc.c:2873 __vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
> Modules linked in:
> CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:__vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
> Code: c7 04 24 00 00 00 00 eb 93 e8 93 b7 d9 ff 44 89 fa 44 89 f6 4c 89 ef e8 75 20 07 00 48 89 04 24 e9 be fb ff ff e8 77 b7 d9 ff <0f> 0b 48 c7 04 24 00 00 00 00 e9 63 ff ff ff e8 63 b7 d9 ff 8b 7c
> RSP: 0018:ffffc9000007ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffffff8403d464 RCX: 0000000000000000
> RDX: ffff888100283680 RSI: ffffffff81673599 RDI: 0000000000000003
> RBP: 0000000000000001 R08: 0000000000000000 R09: 8000000000000163
> R10: ffffffff81672ed2 R11: 0000000000000000 R12: 0000000000000000
> R13: ffffc90000000000 R14: dffffc0000000000 R15: 00000000ffffffff
> FS:  0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fffeb9f7c40 CR3: 00000001033f2000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  __vmalloc_node mm/vmalloc.c:2963 [inline]
>  vmalloc+0x67/0x80 mm/vmalloc.c:2996
>  dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251
>  dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184
>  dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline]
>  dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
>  dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
>  cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634
>  usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
>  really_probe+0x291/0xf60 drivers/base/dd.c:576
>  driver_probe_device+0x298/0x410 drivers/base/dd.c:763
>  __device_attach_driver+0x203/0x2c0 drivers/base/dd.c:870
>  bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
>  __device_attach+0x228/0x4b0 drivers/base/dd.c:938
>  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
>  device_add+0xbe0/0x2100 drivers/base/core.c:3319
>  usb_set_configuration+0x113f/0x1910 drivers/usb/core/message.c:2164
>  usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
>  usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
>  really_probe+0x291/0xf60 drivers/base/dd.c:576
>  driver_probe_device+0x298/0x410 drivers/base/dd.c:763
>  __device_attach_driver+0x203/0x2c0 drivers/base/dd.c:870
>  bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
>  __device_attach+0x228/0x4b0 drivers/base/dd.c:938
>  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
>  device_add+0xbe0/0x2100 drivers/base/core.c:3319
>  usb_new_device.cold+0x721/0x1058 drivers/usb/core/hub.c:2556
>  hub_port_connect drivers/usb/core/hub.c:5276 [inline]
>  hub_port_connect_change drivers/usb/core/hub.c:5416 [inline]
>  port_event drivers/usb/core/hub.c:5562 [inline]
>  hub_event+0x2357/0x4320 drivers/usb/core/hub.c:5644
>  process_one_work+0x98d/0x1580 kernel/workqueue.c:2275
>  worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
>  kthread+0x38c/0x460 kernel/kthread.c:313
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches

Seems like vmalloc() is called with zero size passed:

<snip>
void *__vmalloc_node_range(unsigned long size, unsigned long align,
            unsigned long start, unsigned long end, gfp_t gfp_mask,
            pgprot_t prot, unsigned long vm_flags, int node,
            const void *caller)
{
    struct vm_struct *area;
    void *addr;
    unsigned long real_size = size;
    unsigned long real_align = align;
    unsigned int shift = PAGE_SHIFT;

2873    if (WARN_ON_ONCE(!size))
            return NULL;
<snip>

from the dvb_dmx_init() driver:

<snip>
int dvb_dmx_init(struct dvb_demux *dvbdemux)
{
    int i;
    struct dmx_demux *dmx = &dvbdemux->dmx;

    dvbdemux->cnt_storage = NULL;
    dvbdemux->users = 0;
1251    dvbdemux->filter = vmalloc(array_size(sizeof(struct dvb_demux_filter),
<snip>                                        dvbdemux->filternum));

--
Vlad Rezki

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Dan Carpenter @ 2021-05-06 14:57 UTC
To: Uladzislau Rezki
Cc: linux-usb, linux-media, linux-kernel, mchehab, syzkaller-bugs

On Thu, May 06, 2021 at 04:22:10PM +0200, Uladzislau Rezki wrote:
> Seems like vmalloc() is called with zero size passed:
>
> <snip>
> void *__vmalloc_node_range(unsigned long size, unsigned long align,
>             unsigned long start, unsigned long end, gfp_t gfp_mask,
>             pgprot_t prot, unsigned long vm_flags, int node,
>             const void *caller)
> {
>     struct vm_struct *area;
>     void *addr;
>     unsigned long real_size = size;
>     unsigned long real_align = align;
>     unsigned int shift = PAGE_SHIFT;
>
> 2873    if (WARN_ON_ONCE(!size))
>             return NULL;
> <snip>
>
> from the dvb_dmx_init() driver:
>
> <snip>
> int dvb_dmx_init(struct dvb_demux *dvbdemux)
> {
>     int i;
>     struct dmx_demux *dmx = &dvbdemux->dmx;
>
>     dvbdemux->cnt_storage = NULL;
>     dvbdemux->users = 0;
> 1251    dvbdemux->filter = vmalloc(array_size(sizeof(struct dvb_demux_filter),
> <snip>                                        dvbdemux->filternum));

Indeed.

It is a mystery because array_size() should never return less than
sizeof(struct dvb_demux_filter). That's the whole point of the
array_size() function is that it returns ULONG_MAX if there is an
integer overflow.

regards,
dan carpenter

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Dmitry Vyukov @ 2021-05-06 15:00 UTC
To: Dan Carpenter
Cc: Uladzislau Rezki, USB list, Linux Media Mailing List, LKML, Mauro Carvalho Chehab, syzkaller-bugs

On Thu, May 6, 2021 at 4:57 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Thu, May 06, 2021 at 04:22:10PM +0200, Uladzislau Rezki wrote:
> > Seems like vmalloc() is called with zero size passed:
> >
> > <snip>
> > void *__vmalloc_node_range(unsigned long size, unsigned long align,
> >             unsigned long start, unsigned long end, gfp_t gfp_mask,
> >             pgprot_t prot, unsigned long vm_flags, int node,
> >             const void *caller)
> > {
> >     struct vm_struct *area;
> >     void *addr;
> >     unsigned long real_size = size;
> >     unsigned long real_align = align;
> >     unsigned int shift = PAGE_SHIFT;
> >
> > 2873    if (WARN_ON_ONCE(!size))
> >             return NULL;
> > <snip>
> >
> > from the dvb_dmx_init() driver:
> >
> > <snip>
> > int dvb_dmx_init(struct dvb_demux *dvbdemux)
> > {
> >     int i;
> >     struct dmx_demux *dmx = &dvbdemux->dmx;
> >
> >     dvbdemux->cnt_storage = NULL;
> >     dvbdemux->users = 0;
> > 1251    dvbdemux->filter = vmalloc(array_size(sizeof(struct dvb_demux_filter),
> > <snip>                                        dvbdemux->filternum));
>
> Indeed.
>
> It is a mystery because array_size() should never return less than
> sizeof(struct dvb_demux_filter). That's the whole point of the
> array_size() function is that it returns ULONG_MAX if there is an
> integer overflow.

But it will return 0 if dvbdemux->filternum==0, right?

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Dan Carpenter @ 2021-05-06 15:06 UTC
To: Dmitry Vyukov
Cc: Uladzislau Rezki, USB list, Linux Media Mailing List, LKML, Mauro Carvalho Chehab, syzkaller-bugs

On Thu, May 06, 2021 at 05:00:41PM +0200, 'Dmitry Vyukov' via syzkaller-bugs wrote:
> On Thu, May 6, 2021 at 4:57 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > On Thu, May 06, 2021 at 04:22:10PM +0200, Uladzislau Rezki wrote:
> > > Seems like vmalloc() is called with zero size passed:
> > >
> > > <snip>
> > > void *__vmalloc_node_range(unsigned long size, unsigned long align,
> > >             unsigned long start, unsigned long end, gfp_t gfp_mask,
> > >             pgprot_t prot, unsigned long vm_flags, int node,
> > >             const void *caller)
> > > {
> > >     struct vm_struct *area;
> > >     void *addr;
> > >     unsigned long real_size = size;
> > >     unsigned long real_align = align;
> > >     unsigned int shift = PAGE_SHIFT;
> > >
> > > 2873    if (WARN_ON_ONCE(!size))
> > >             return NULL;
> > > <snip>
> > >
> > > from the dvb_dmx_init() driver:
> > >
> > > <snip>
> > > int dvb_dmx_init(struct dvb_demux *dvbdemux)
> > > {
> > >     int i;
> > >     struct dmx_demux *dmx = &dvbdemux->dmx;
> > >
> > >     dvbdemux->cnt_storage = NULL;
> > >     dvbdemux->users = 0;
> > > 1251    dvbdemux->filter = vmalloc(array_size(sizeof(struct dvb_demux_filter),
> > > <snip>                                        dvbdemux->filternum));
> >
> > Indeed.
> >
> > It is a mystery because array_size() should never return less than
> > sizeof(struct dvb_demux_filter). That's the whole point of the
> > array_size() function is that it returns ULONG_MAX if there is an
> > integer overflow.
>
> But it will return 0 if dvbdemux->filternum==0, right?
>

Heh... I'm an idiot. I was thinking of struct_size(). Sorry.

regards,
dan carpenter
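
The array_size() point settled in the exchange above, as an added example that is not part of the thread and not kernel code: a userspace C model showing that the helper saturates on overflow but returns 0 for a zero count, which is the size that reaches vmalloc(). All model_* names, the struct layouts and the count check in demux_init_checked() are assumptions made for illustration; the check is not the fix submitted for this report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct dvb_demux_filter; only its size matters. */
struct model_filter {
    int index;
    char payload[60];
};

/* Hypothetical stand-in for the part of struct dvb_demux used here. */
struct model_demux {
    size_t filternum;
    struct model_filter *filter;
};

/* How many times the modelled allocator was asked for zero bytes. */
int zero_size_warnings;

/*
 * Model of array_size(): the product of the two factors, saturated to
 * SIZE_MAX when the multiplication would overflow. A zero factor is not
 * an overflow, so the result is simply 0.
 */
size_t model_array_size(size_t a, size_t b)
{
    if (b != 0 && a > SIZE_MAX / b)
        return SIZE_MAX;
    return a * b;
}

/*
 * Model of the vmalloc() behaviour quoted in the thread: a zero size is
 * reported (counted here in place of WARN_ON_ONCE) and NULL is returned.
 * SIZE_MAX stands for the saturated overflow value and always fails.
 */
void *model_vmalloc(size_t size)
{
    if (size == 0) {
        zero_size_warnings++;
        return NULL;
    }
    if (size == SIZE_MAX)
        return NULL;
    return calloc(1, size);
}

/* Pattern from the thread: the count goes to the allocator unchecked. */
int demux_init_unchecked(struct model_demux *d)
{
    d->filter = model_vmalloc(model_array_size(sizeof(*d->filter),
                                               d->filternum));
    return d->filter ? 0 : -ENOMEM;
}

/* Assumed hardening: reject an empty filter table before allocating. */
int demux_init_checked(struct model_demux *d)
{
    if (d->filternum == 0)
        return -EINVAL;
    return demux_init_unchecked(d);
}

/* Run one init variant for a given count and release any allocation. */
int try_init(int checked, size_t filternum)
{
    struct model_demux d = { .filternum = filternum, .filter = NULL };
    int ret = checked ? demux_init_checked(&d) : demux_init_unchecked(&d);

    free(d.filter);
    return ret;
}

int main(void)
{
    printf("array_size(elem, 0)     = %zu\n",
           model_array_size(sizeof(struct model_filter), 0));
    printf("array_size(SIZE_MAX, 2) = %zu\n", model_array_size(SIZE_MAX, 2));
    printf("unchecked, filternum=0 -> %d\n", try_init(0, 0));
    printf("checked,   filternum=0 -> %d\n", try_init(1, 0));
    printf("checked,   filternum=4 -> %d\n", try_init(1, 4));
    printf("zero-size warnings      = %d\n", zero_size_warnings);
    return 0;
}
```

The unchecked path turns a zero count into an allocator warning plus -ENOMEM, while the checked path reports the bad count itself and never reaches the allocator.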

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Pavel Skripkin @ 2021-05-06 15:00 UTC
To: Dan Carpenter
Cc: Uladzislau Rezki, linux-usb, linux-media, linux-kernel, mchehab, syzkaller-bugs

On Thu, 6 May 2021 17:57:22 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> On Thu, May 06, 2021 at 04:22:10PM +0200, Uladzislau Rezki wrote:
> > Seems like vmalloc() is called with zero size passed:
> >
> > <snip>
> > void *__vmalloc_node_range(unsigned long size, unsigned long align,
> >             unsigned long start, unsigned long end,
> > gfp_t gfp_mask, pgprot_t prot, unsigned long vm_flags, int node,
> >             const void *caller)
> > {
> >     struct vm_struct *area;
> >     void *addr;
> >     unsigned long real_size = size;
> >     unsigned long real_align = align;
> >     unsigned int shift = PAGE_SHIFT;
> >
> > 2873    if (WARN_ON_ONCE(!size))
> >             return NULL;
> > <snip>
> >
> > from the dvb_dmx_init() driver:
> >
> > <snip>
> > int dvb_dmx_init(struct dvb_demux *dvbdemux)
> > {
> >     int i;
> >     struct dmx_demux *dmx = &dvbdemux->dmx;
> >
> >     dvbdemux->cnt_storage = NULL;
> >     dvbdemux->users = 0;
> > 1251    dvbdemux->filter = vmalloc(array_size(sizeof(struct
> > dvb_demux_filter), <snip>
> > dvbdemux->filternum));
>
> Indeed.
>
> It is a mystery because array_size() should never return less than
> sizeof(struct dvb_demux_filter). That's the whole point of the
> array_size() function is that it returns ULONG_MAX if there is an
> integer overflow.
>
> regards,
> dan carpenter
>
>
>

Hi!

I've already sent the patch:
https://patchwork.linuxtv.org/project/linux-media/patch/20210506121211.8556-1-paskripkin@gmail.com/

With regards,
Pavel Skripkin

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Dan Carpenter @ 2021-05-07 8:04 UTC
To: Pavel Skripkin
Cc: Uladzislau Rezki, linux-usb, linux-media, linux-kernel, mchehab, syzkaller-bugs

On Thu, May 06, 2021 at 06:00:53PM +0300, Pavel Skripkin wrote:
>
> Hi!
>
> I've already sent the patch:
> https://patchwork.linuxtv.org/project/linux-media/patch/20210506121211.8556-1-paskripkin@gmail.com/
>

Please, always add a Fixes tag.

Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB device")

regards,
dan carpenter

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Pavel Skripkin @ 2021-05-07 12:29 UTC
To: Dan Carpenter
Cc: Uladzislau Rezki, linux-usb, linux-media, linux-kernel, mchehab, syzkaller-bugs

On Fri, 7 May 2021 11:04:36 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> On Thu, May 06, 2021 at 06:00:53PM +0300, Pavel Skripkin wrote:
> >
> > Hi!
> >
> > I've already sent the patch:
> > https://patchwork.linuxtv.org/project/linux-media/patch/20210506121211.8556-1-paskripkin@gmail.com/
> >
>
> Please, always add a Fixes tag.
>
> Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB
> device")
>
> regards,
> dan carpenter
>

oh..., that's one thing I always forget about. Thanks for pointing it
out, I'll send v2 soon

With regards,
Pavel Skripkin

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Uladzislau Rezki @ 2021-05-07 12:42 UTC
To: Pavel Skripkin
Cc: Dan Carpenter, linux-usb, linux-media, LKML, mchehab, syzkaller-bugs

Hello, Pavel.

Also in the commit message I see a typo.

<snip>
syzbot reported WARNING in vmalloc. The problem
was in sizo size passed to vmalloc.
<snip>

Should it be "...zero size passed to vmalloc"?

--
Vlad Rezki

On Fri, May 7, 2021 at 2:29 PM Pavel Skripkin <paskripkin@gmail.com> wrote:
>
> On Fri, 7 May 2021 11:04:36 +0300
> Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> > On Thu, May 06, 2021 at 06:00:53PM +0300, Pavel Skripkin wrote:
> > >
> > > Hi!
> > >
> > > I've already sent the patch:
> > > https://patchwork.linuxtv.org/project/linux-media/patch/20210506121211.8556-1-paskripkin@gmail.com/
> > >
> >
> > Please, always add a Fixes tag.
> >
> > Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB
> > device")
> >
> > regards,
> > dan carpenter
> >
>
> oh..., that's one thing I always forget about. Thanks for pointing it
> out, I'll send v2 soon
>
>
> With regards,
> Pavel Skripkin

--
Uladzislau Rezki

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Pavel Skripkin @ 2021-05-07 12:45 UTC
To: Uladzislau Rezki
Cc: Dan Carpenter, linux-usb, linux-media, LKML, mchehab, syzkaller-bugs

On Fri, 7 May 2021 14:42:14 +0200
Uladzislau Rezki <urezki@gmail.com> wrote:

> Hello, Pavel.
>
> Also in the commit message I see a typo.
>
> <snip>
> syzbot reported WARNING in vmalloc. The problem
> was in sizo size passed to vmalloc.
> <snip>
>
> Should it be "...zero size passed to vmalloc"?
>

Yes, it should. Thank you so much!

> --
> Vlad Rezki
>
>
> On Fri, May 7, 2021 at 2:29 PM Pavel Skripkin <paskripkin@gmail.com>
> wrote:
> >
> > On Fri, 7 May 2021 11:04:36 +0300
> > Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > > On Thu, May 06, 2021 at 06:00:53PM +0300, Pavel Skripkin wrote:
> > > >
> > > > Hi!
> > > >
> > > > I've already sent the patch:
> > > > https://patchwork.linuxtv.org/project/linux-media/patch/20210506121211.8556-1-paskripkin@gmail.com/
> > > >
> > >
> > > Please, always add a Fixes tag.
> > >
> > > Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for
> > > DVB-USB device")
> > >
> > > regards,
> > > dan carpenter
> > >
> >
> > oh..., that's one thing I always forget about. Thanks for pointing
> > it out, I'll send v2 soon
> >
> >
> > With regards,
> > Pavel Skripkin
> >
>

With regards,
Pavel Skripkin

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Dan Carpenter @ 2021-05-08 12:46 UTC
To: Pavel Skripkin, mchehab
Cc: Uladzislau Rezki, linux-usb, linux-media, linux-kernel, syzkaller-bugs

I wrote a Smatch check to see if there were more of these and here are
the other issues that it found. (I will expand this check to more types
on Monday).

drivers/media/usb/dvb-usb-v2/lmedm04.c:1196 (null)() warn: element count is wrong 'lme2510_props.num_adapters=0' vs 'lme2510_props.adapter=2'
drivers/media/usb/dvb-usb-v2/af9035.c:1997 (null)() warn: element count is wrong 'af9035_props.num_adapters=0' vs 'af9035_props.adapter=2'
drivers/media/usb/dvb-usb-v2/af9035.c:2043 (null)() warn: element count is wrong 'it930x_props.num_adapters=0' vs 'it930x_props.adapter=2'
drivers/media/usb/dvb-usb-v2/af9015.c:1409 (null)() warn: element count is wrong 'af9015_props.num_adapters=0' vs 'af9015_props.adapter=2'
drivers/media/usb/dvb-usb/dtt200u.c:384 (null)() warn: element count is wrong 'wt220u_miglia_properties.num_adapters=1' vs 'wt220u_miglia_properties.adapter=0'

As far as I can see these are initialized in dvb_usb_adapter_init()
where the loop is:

    for (n = 0; n < d->props.num_adapters; n++) {

So it looks like all of these are genuine bugs. But I'm not a subsystem
expert and can't test them. These line numbers are from linux-next.

Btw, here are the other element/count pairings I was able to find which
I'm going to test on Monday.

ath5k_gain_opt, go_steps_count, go_step
atomisp_camera_caps, sensor_num, sensor
brcmf_rssi_event_le, rssi_level_num, rssi_levels
catpt_stream_template, num_entries, entries
dvb_usb_device_properties, num_adapters, adapter
dvb_usb_device_properties, num_device_descs, devices
go7007_board_info, num_inputs, inputs
hda_input_mux, num_items, items
idt_89hpes_cfg, port_cnt, ports
mipi_phy_device_desc, num_regmaps, regmap_names
mtk_thermal_data, need_switch_bank, bank_data
mwifiex_sdio_card_reg, func1_spec_reg_num, func1_spec_reg_table
nft_chain_type, hook_mask, hooks
PWR_DFY_Section, dfy_size, dfy_data
rkisp1_cif_isp_afc_config, num_afm_win, afm_win
scarlett_device_info, num_controls, controls
snd_soc_acpi_codecs, num_codecs, codecs
timb_dma_platform_data, nr_channels, channels
uniphier_u3hsphy_soc_data, nparams, param
uniphier_u3ssphy_soc_data, nparams, param
venus_resources, vcodec_clks_num, vcodec_pmdomains

regards,
dan carpenter

* Re: [syzbot] WARNING in __vmalloc_node_range
From: Dan Carpenter @ 2021-05-11 7:07 UTC
To: Pavel Skripkin, mchehab
Cc: Uladzislau Rezki, linux-usb, linux-media, linux-kernel, syzkaller-bugs

On Sat, May 08, 2021 at 03:46:30PM +0300, Dan Carpenter wrote:
> I wrote a Smatch check to see if there were more of these and here are
> the other issues that it found. (I will expand this check to more types
> on Monday).
>
> drivers/media/usb/dvb-usb-v2/lmedm04.c:1196 (null)() warn: element count is wrong 'lme2510_props.num_adapters=0' vs 'lme2510_props.adapter=2'

This one is fine, but could do with some cleaning up.

> drivers/media/usb/dvb-usb-v2/af9035.c:1997 (null)() warn: element count is wrong 'af9035_props.num_adapters=0' vs 'af9035_props.adapter=2'
> drivers/media/usb/dvb-usb-v2/af9035.c:2043 (null)() warn: element count is wrong 'it930x_props.num_adapters=0' vs 'it930x_props.adapter=2'
> drivers/media/usb/dvb-usb-v2/af9015.c:1409 (null)() warn: element count is wrong 'af9015_props.num_adapters=0' vs 'af9015_props.adapter=2'

These are false positives because they use the .get_adapter_count()
function instead of setting num_adapters.

> drivers/media/usb/dvb-usb/dtt200u.c:384 (null)() warn: element count is wrong 'wt220u_miglia_properties.num_adapters=1' vs 'wt220u_miglia_properties.adapter=0'

I'm not sure what's going on with this one... It still looks buggy to
me.

I did re-run Smatch with more elem/count pairs checked and there were
no bugs found. A bunch of drivers think you need to add a zeroed element
at the end of the .devices[] array so someone could delete that if they
wanted.

drivers/media/usb/dvb-usb/vp702x.c:374 (null)() warn: element count is wrong 'vp702x_properties.num_device_descs=1' vs 'vp702x_properties.devices=2'
drivers/media/usb/dvb-usb/vp7045.c:184 (null)() warn: element count is wrong 'vp7045_properties.num_device_descs=2' vs 'vp7045_properties.devices=3'
drivers/media/usb/dvb-usb/cinergyT2-core.c:206 (null)() warn: element count is wrong 'cinergyt2_properties.num_device_descs=1' vs 'cinergyt2_properties.devices=2'
drivers/media/usb/dvb-usb/digitv.c:300 (null)() warn: element count is wrong 'digitv_properties.num_device_descs=1' vs 'digitv_properties.devices=2'
drivers/media/usb/dvb-usb/dibusb-mc.c:48 (null)() warn: element count is wrong 'dibusb_mc_properties.num_device_descs=8' vs 'dibusb_mc_properties.devices=9'
drivers/media/usb/dvb-usb/pctv452e.c:963 (null)() warn: element count is wrong 'pctv452e_properties.num_device_descs=1' vs 'pctv452e_properties.devices=2'
drivers/media/usb/dvb-usb/pctv452e.c:1015 (null)() warn: element count is wrong 'tt_connect_s2_3600_properties.num_device_descs=2' vs 'tt_connect_s2_3600_properties.devices=3'
drivers/media/usb/dvb-usb/gp8psk.c:324 (null)() warn: element count is wrong 'gp8psk_properties.num_device_descs=4' vs 'gp8psk_properties.devices=5'
drivers/media/usb/dvb-usb/nova-t-usb2.c:168 (null)() warn: element count is wrong 'nova_t_properties.num_device_descs=1' vs 'nova_t_properties.devices=2'
drivers/media/usb/dvb-usb/dibusb-mb.c:267 (null)() warn: element count is wrong 'dibusb1_1_an2235_properties.num_device_descs=2' vs 'dibusb1_1_an2235_properties.devices=3'
drivers/media/usb/dvb-usb/dibusb-mb.c:335 (null)() warn: element count is wrong 'dibusb2_0b_properties.num_device_descs=2' vs 'dibusb2_0b_properties.devices=3'
drivers/media/usb/dvb-usb/dibusb-mb.c:398 (null)() warn: element count is wrong 'artec_t1_usb2_properties.num_device_descs=1' vs 'artec_t1_usb2_properties.devices=2'
drivers/media/usb/dvb-usb/af9005.c:1015 (null)() warn: element count is wrong 'af9005_properties.num_device_descs=3' vs 'af9005_properties.devices=4'
drivers/media/usb/dvb-usb/dtt200u.c:176 (null)() warn: element count is wrong 'dtt200u_properties.num_device_descs=1' vs 'dtt200u_properties.devices=2'
drivers/media/usb/dvb-usb/dtt200u.c:228 (null)() warn: element count is wrong 'wt220u_properties.num_device_descs=1' vs 'wt220u_properties.devices=2'
drivers/media/usb/dvb-usb/dtt200u.c:280 (null)() warn: element count is wrong 'wt220u_fc_properties.num_device_descs=1' vs 'wt220u_fc_properties.devices=2'
drivers/media/usb/dvb-usb/dtt200u.c:332 (null)() warn: element count is wrong 'wt220u_zl0353_properties.num_device_descs=1' vs 'wt220u_zl0353_properties.devices=2'
drivers/media/usb/dvb-usb/dtt200u.c:384 (null)() warn: element count is wrong 'wt220u_miglia_properties.num_device_descs=1' vs 'wt220u_miglia_properties.devices=2'
drivers/media/usb/dvb-usb/az6027.c:1096 (null)() warn: element count is wrong 'az6027_properties.num_device_descs=8' vs 'az6027_properties.devices=9'

regards,
dan carpenter