NetBSD Problem Report #53734

From ryo_on@yk.rim.or.jp  Wed Nov 21 15:31:32 2018
Return-Path: <ryo_on@yk.rim.or.jp>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 1092D7A1CC
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 21 Nov 2018 15:31:32 +0000 (UTC)
Message-Id: <430PdV6gwKz4P5vw2@mail.SiriusCloud.jp>
Date: Wed, 21 Nov 2018 23:11:14 +0900
From: ryoon@NetBSD.org
Reply-To: ryoon@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: Prevent kernel panic during Wide Vision FHD Camera detection
X-Send-Pr-Version: 3.95

>Number:         53734
>Category:       kern
>Synopsis:       Prevent kernel panic during Wide Vision FHD Camera detection
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          feedback
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 21 15:35:00 +0000 2018
>Closed-Date:    
>Last-Modified:  Fri Jul 01 01:05:01 +0000 2022
>Originator:     Ryo ONODERA
>Release:        NetBSD 8.99.26
>Organization:

>Environment:


System: NetBSD brownie 8.99.26 NetBSD 8.99.26 (DTRACE7) #13: Wed Nov 21 22:02:05 JST 2018 ryoon@brownie:/usr/world/8.99/amd64/obj/sys/arch/amd64/compile/DTRACE7 amd64
Architecture: x86_64
Machine: amd64
>Description:
During detection of the HP Wide Vision FHD Camera (USB video) embedded
in the HP Spectre x360 13-inch, the kernel panics as follows (manual transcript):

> bt
vmem_alloc() at netbsd:vmem_alloc+0x41
uvm_km_kmem_alloc() at netbsd:uvm_km_kmem_alloc+0x47
kmem_intr_alloc at netbsd:kmem_intr_alloc+0x6e
uvideo_unit_alloc_controls() at netbsd:uvideo_unit_alloc_controls+...
(snip)

Adding some printf calls to the uvideo_unit_init() function
in src/sys/dev/usb/uvideo.c shows me that uvideo_unit_alloc_controls()'s
2nd argument, size, is zero in the UDESC_EXTENSION_UNIT case in
uvideo_unit_init().

>How-To-Repeat:
Boot GENERIC kernel of NetBSD/amd64 8.99.26 on HP Spectre x360 13-inch ae019TU.
>Fix:

It seems that passing zero to kmem_alloc() is problematic.
The following patch prevents the kernel panic.

Index: sys/dev/usb/uvideo.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/uvideo.c,v
retrieving revision 1.46
diff -u -r1.46 uvideo.c
--- sys/dev/usb/uvideo.c	21 Jan 2018 13:57:12 -0000	1.46
+++ sys/dev/usb/uvideo.c	21 Nov 2018 13:08:10 -0000
@@ -989,7 +989,11 @@
 uvideo_unit_alloc_controls(struct uvideo_unit *vu, uint8_t size,
 			   const uint8_t *controls)
 {
-	vu->vu_controls = kmem_alloc(sizeof(*vu->vu_controls) * size, KM_SLEEP);
+	size_t tsize = sizeof(*vu->vu_controls) * size;
+
+	if (!(tsize > 0))
+		return USBD_INVAL;
+	vu->vu_controls = kmem_alloc(tsize, KM_SLEEP);
 	vu->vu_control_size = size;
 	memcpy(vu->vu_controls, controls, size);
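
Review bot: the early return under "if (!(tsize > 0))" exits before vu->vu_controls and vu->vu_control_size are assigned, so any later code that frees or walks this unit's controls sees whatever those fields held beforehand. Set them to NULL and 0 before returning USBD_INVAL, or, if an empty control bitmap is acceptable for the unit, record the empty set and return success instead of failing. Because tsize is a size_t and sizeof(*vu->vu_controls) is nonzero, the test is equivalent to "size == 0", which states the intent more directly. The allocation now uses tsize while the memcpy below still copies size bytes, so a short comment on why the two lengths agree would help the next reader.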



However, it seems that the HP Wide Vision FHD Camera uses USB isochronous
transfer in xHCI and the camera does not work anyway.

>Release-Note:

>Audit-Trail:
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53734 CVS commit: src/sys/dev/usb
Date: Wed, 23 Oct 2019 00:52:40 +0000

 Module Name:	src
 Committed By:	maya
 Date:		Wed Oct 23 00:52:39 UTC 2019

 Modified Files:
 	src/sys/dev/usb: uvideo.c

 Log Message:
 Avoid kmem_alloc(0,..), which hits an assertion.

 PR kern/53734: Prevent kernel panic during Wide Vision FHD Camera detection


 To generate a diff of this commit:
 cvs rdiff -u -r1.49 -r1.50 src/sys/dev/usb/uvideo.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53734 CVS commit: src/sys/dev/usb
Date: Wed, 23 Oct 2019 01:03:36 +0000

 Module Name:	src
 Committed By:	maya
 Date:		Wed Oct 23 01:03:36 UTC 2019

 Modified Files:
 	src/sys/dev/usb: uvideo.c

 Log Message:
 Check if size is zero, too.

 PR kern/53734


 To generate a diff of this commit:
 cvs rdiff -u -r1.50 -r1.51 src/sys/dev/usb/uvideo.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 23 Oct 2019 14:58:01 +0000
State-Changed-Why:
Does this version work? If so, we should pull it up.


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53734 CVS commit: [netbsd-9] src/sys/dev/usb
Date: Sun, 29 Dec 2019 11:13:48 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Sun Dec 29 11:13:48 UTC 2019

 Modified Files:
 	src/sys/dev/usb [netbsd-9]: uvideo.c

 Log Message:
 Pull up following revision(s) (requested by mlelstv in ticket #590):

 	sys/dev/usb/uvideo.c: revision 1.50
 	sys/dev/usb/uvideo.c: revision 1.51
 	sys/dev/usb/uvideo.c: revision 1.52

 Avoid kmem_alloc(0,..), which hits an assertion.

 PR kern/53734: Prevent kernel panic during Wide Vision FHD Camera detection
 Check if size is zero, too.

 PR kern/53734
 we want to check that the allocation is going to be zero, not whether
 some pointer is NULL (oops).

 Should be the right version this time!


 To generate a diff of this commit:
 cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/dev/usb/uvideo.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53734 CVS commit: src/sys/dev/usb
Date: Fri, 1 Jul 2022 01:06:51 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Fri Jul  1 01:06:51 UTC 2022

 Modified Files:
 	src/sys/dev/usb: uvideo.c

 Log Message:
 uvideo(4): Make alloc logic match free logic.

 Reported-by: syzbot+57cdc1be653327f78b6f@syzkaller.appspotmail.com

 PR kern/53734


 To generate a diff of this commit:
 cvs rdiff -u -r1.82 -r1.83 src/sys/dev/usb/uvideo.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
