From: Dmitry Vyukov
Date: Thu, 6 May 2021 17:00:41 +0200
Subject: Re: [syzbot] WARNING in __vmalloc_node_range
To: Dan Carpenter
Cc: Uladzislau Rezki, USB list, Linux Media Mailing List, LKML, Mauro Carvalho Chehab, syzkaller-bugs
In-Reply-To: <20210506145722.GC1955@kadam>
References: <000000000000fdc0be05c1a6d68f@google.com> <20210506142210.GA37570@pc638.lan> <20210506145722.GC1955@kadam>

On Thu, May 6, 2021 at 4:57 PM Dan Carpenter wrote:
>
> On Thu, May 06, 2021 at 04:22:10PM +0200, Uladzislau Rezki wrote:
> > Seems like vmalloc() is called with zero size passed:
> >
> >
> > void *__vmalloc_node_range(unsigned long size, unsigned long align,
> >                         unsigned long start, unsigned long end, gfp_t gfp_mask,
> >                         pgprot_t prot, unsigned long vm_flags, int node,
> >                         const void *caller)
> > {
> >         struct vm_struct *area;
> >         void *addr;
> >         unsigned long real_size = size;
> >         unsigned long real_align = align;
> >         unsigned int shift = PAGE_SHIFT;
> >
> > 2873    if (WARN_ON_ONCE(!size))
> >                 return NULL;
> >
> >
> > from the dvb_dmx_init() driver:
> >
> >
> > int dvb_dmx_init(struct dvb_demux *dvbdemux)
> > {
> >         int i;
> >         struct dmx_demux *dmx = &dvbdemux->dmx;
> >
> >         dvbdemux->cnt_storage = NULL;
> >         dvbdemux->users = 0;
> > 1251    dvbdemux->filter = vmalloc(array_size(sizeof(struct dvb_demux_filter),
> >                                               dvbdemux->filternum));
>
> Indeed.
>
> It is a mystery because array_size() should never return less than
> sizeof(struct dvb_demux_filter).  That's the whole point of the
> array_size() function is that it returns ULONG_MAX if there is an
> integer overflow.

But it will return 0 if dvbdemux->filternum==0, right?
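The zero-count case raised in the thread, as an added userspace C example that is not code from the thread or from the kernel. It re-implements the saturating semantics of the kernel's array_size() (overflow saturates to SIZE_MAX so the allocator refuses it) and shows that a zero element count passes straight through as a zero byte size, which is exactly the value __vmalloc_node_range() warns on. The names array_size_demo, classify_alloc, alloc_filters_checked and struct demo_filter are hypothetical; the hardened variant validates the count before building the size, which is the kind of driver-side check that keeps a zero filternum from reaching the allocator's WARN.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace re-implementation (hypothetical, not the kernel's code) of the
 * saturating behaviour of array_size() from include/linux/overflow.h:
 * on multiplication overflow return SIZE_MAX, which any allocator rejects. */
static size_t array_size_demo(size_t elem, size_t count)
{
    size_t bytes;
    if (__builtin_mul_overflow(elem, count, &bytes))
        return SIZE_MAX;   /* overflow is caught and saturated */
    return bytes;          /* but 0 * elem is simply 0: no saturation */
}

/* What a vmalloc()-style allocator that WARNs and fails on a zero size
 * would make of the computed byte count. */
enum alloc_outcome { ALLOC_OK, ALLOC_ZERO_SIZE, ALLOC_TOO_LARGE };

static enum alloc_outcome classify_alloc(size_t elem, size_t count)
{
    size_t bytes = array_size_demo(elem, count);
    if (bytes == 0)
        return ALLOC_ZERO_SIZE;   /* the path that trips WARN_ON_ONCE(!size) */
    if (bytes == SIZE_MAX)
        return ALLOC_TOO_LARGE;   /* overflow guard did its job */
    return ALLOC_OK;
}

/* Stand-in for the driver's per-filter object (hypothetical layout). */
struct demo_filter { char payload[64]; };

/* Hardened allocation: reject a zero or overflowing count in the caller,
 * so the allocator never sees size 0. Returns NULL and sets *why on refusal. */
static void *alloc_filters_checked(size_t filternum, enum alloc_outcome *why)
{
    *why = classify_alloc(sizeof(struct demo_filter), filternum);
    if (*why != ALLOC_OK)
        return NULL;
    return calloc(filternum, sizeof(struct demo_filter));
}

int main(void)
{
    static const char *names[] = { "ok", "zero-size", "too-large" };
    size_t counts[] = { 16, 0, SIZE_MAX / 2 };   /* constructed sample counts */

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        enum alloc_outcome why;
        void *p = alloc_filters_checked(counts[i], &why);
        printf("filternum=%zu -> %s\n", counts[i], names[why]);
        free(p);
    }
    return 0;
}
```

The point of the split between array_size_demo() and classify_alloc() is that the two failure modes are different guards: the overflow guard lives in the size helper, while the zero guard has to live in the caller, because a zero product is a perfectly valid arithmetic result that no saturating helper can distinguish from a legitimate request.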