NetBSD Problem Report #53734
From ryo_on@yk.rim.or.jp Wed Nov 21 15:31:32 2018
Return-Path: <ryo_on@yk.rim.or.jp>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 1092D7A1CC
for <gnats-bugs@gnats.NetBSD.org>; Wed, 21 Nov 2018 15:31:32 +0000 (UTC)
Message-Id: <430PdV6gwKz4P5vw2@mail.SiriusCloud.jp>
Date: Wed, 21 Nov 2018 23:11:14 +0900
From: ryoon@NetBSD.org
Reply-To: ryoon@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: Prevent kernel panic during Wide Vision FHD Camera detection
X-Send-Pr-Version: 3.95
>Number: 53734
>Category: kern
>Synopsis: Prevent kernel panic during Wide Vision FHD Camera detection
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: feedback
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Nov 21 15:35:00 +0000 2018
>Closed-Date:
>Last-Modified: Fri Jul 01 01:05:01 +0000 2022
>Originator: Ryo ONODERA
>Release: NetBSD 8.99.26
>Organization:
>Environment:
System: NetBSD brownie 8.99.26 NetBSD 8.99.26 (DTRACE7) #13: Wed Nov 21 22:02:05 JST 2018 ryoon@brownie:/usr/world/8.99/amd64/obj/sys/arch/amd64/compile/DTRACE7 amd64
Architecture: x86_64
Machine: amd64
>Description:
During detection of HP Wide Vision FHD Camera USB video embedded
in HP Spectre x360 13-inch, kernel panics as follows (manual transcript):
> bt
vmem_alloc() at netbsd:vmem_alloc+0x41
uvm_km_kmem_alloc() at netbsd:uvm_km_kmem_alloc+0x47
kmem_intr_alloc at netbsd:kmem_intr_alloc+0x6e
uvideo_unit_alloc_controls() at netbsd:uvideo_unit_alloc_controls+...
(snip)
Adding some printf to the uvideo_unit_init() function
in src/sys/dev/usb/uvideo.c shows me that uvideo_unit_alloc_controls()'s
2nd argument, size, is zero in the UDESC_EXTENSION_UNIT case in
uvideo_unit_init().
>How-To-Repeat:
Boot GENERIC kernel of NetBSD/amd64 8.99.26 on HP Spectre x360 13-inch ae019TU.
>Fix:
It seems that passing zero to kmem_alloc() is problematic.
The following patch prevents the kernel panic.
Index: sys/dev/usb/uvideo.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/uvideo.c,v
retrieving revision 1.46
diff -u -r1.46 uvideo.c
--- sys/dev/usb/uvideo.c 21 Jan 2018 13:57:12 -0000 1.46
+++ sys/dev/usb/uvideo.c 21 Nov 2018 13:08:10 -0000
@@ -989,7 +989,11 @@
uvideo_unit_alloc_controls(struct uvideo_unit *vu, uint8_t size,
const uint8_t *controls)
{
- vu->vu_controls = kmem_alloc(sizeof(*vu->vu_controls) * size, KM_SLEEP);
+ size_t tsize = sizeof(*vu->vu_controls) * size;
+
+ if (!(tsize > 0))
+ return USBD_INVAL;
+ vu->vu_controls = kmem_alloc(tsize, KM_SLEEP);
vu->vu_control_size = size;
memcpy(vu->vu_controls, controls, size);
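Review bot: The new early return in uvideo_unit_alloc_controls() exits before vu->vu_controls and vu->vu_control_size are assigned, so any later cleanup that consults those fields sees whatever the structure held before; set vu->vu_controls = NULL and vu->vu_control_size = 0 ahead of `return USBD_INVAL;`. The test `!(tsize > 0)` on a size_t is simply `tsize == 0`, and since size is a uint8_t the product cannot wrap, so checking `size == 0` before computing tsize states the intent more directly. The allocation is sizeof(*vu->vu_controls) * size bytes while the memcpy() below copies size bytes; it is worth confirming that the two agree and that the matching kmem_free() uses the same size expression. A one-line comment noting that a device may report zero control bytes for an extension unit would help the next reader.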
However it seems that HP Wide Vision FHD Camera uses USB isochronous
transfer in xHCI and the camera does not work anyway.
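An added example, not part of the original report and not NetBSD code: a user-space C model of the pattern this PR circles around, where a device-supplied size of zero must neither reach an allocator that asserts on zero nor leave the structure in a state the free path mishandles. `struct unit`, `model_alloc`, `model_free` and the 0/-1 return codes are hypothetical stand-ins.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for kmem_alloc()/kmem_free(): a zero-byte request is treated
 * as a caller bug, like the assertion reported in this PR. */
static void *model_alloc(size_t n) { assert(n > 0); return malloc(n); }
static void model_free(void *p, size_t n) { assert(p != NULL && n > 0); free(p); }

struct unit {                /* hypothetical, loosely after struct uvideo_unit */
	uint8_t *controls;   /* NULL when no control bytes were stored */
	uint8_t control_size; /* device-supplied byte count, may be 0 */
};

/* Returns 0 on success, -1 on rejected input (the PR's patch also rejects
 * a zero size). The unit is always left in a defined state. */
int unit_alloc_controls(struct unit *u, uint8_t size, const uint8_t *src)
{
	u->controls = NULL;          /* defined state before any early return */
	u->control_size = 0;
	if (size == 0 || src == NULL)
		return -1;           /* never hand 0 to the allocator */
	u->controls = model_alloc(size);
	if (u->controls == NULL)
		return -1;
	memcpy(u->controls, src, size);
	u->control_size = size;      /* recorded only once the buffer exists */
	return 0;
}

/* The free path uses the same predicate and the same size as the alloc path. */
void unit_free_controls(struct unit *u)
{
	if (u->control_size == 0)
		return;              /* nothing was allocated */
	model_free(u->controls, u->control_size);
	u->controls = NULL;
	u->control_size = 0;
}

int main(void)
{
	struct unit u;
	memset(&u, 0xAA, sizeof(u)); /* constructed input: stale garbage in the struct */
	int rc = unit_alloc_controls(&u, 0, NULL); /* device reports zero controls */
	unit_free_controls(&u);      /* safe: state was reset before the early return */
	return rc == -1 ? 0 : 1;
}
```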
>Release-Note:
>Audit-Trail:
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53734 CVS commit: src/sys/dev/usb
Date: Wed, 23 Oct 2019 00:52:40 +0000
Module Name: src
Committed By: maya
Date: Wed Oct 23 00:52:39 UTC 2019
Modified Files:
src/sys/dev/usb: uvideo.c
Log Message:
Avoid kmem_alloc(0,..), which hits an assertion.
PR kern/53734: Prevent kernel panic during Wide Vision FHD Camera detection
To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/sys/dev/usb/uvideo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53734 CVS commit: src/sys/dev/usb
Date: Wed, 23 Oct 2019 01:03:36 +0000
Module Name: src
Committed By: maya
Date: Wed Oct 23 01:03:36 UTC 2019
Modified Files:
src/sys/dev/usb: uvideo.c
Log Message:
Check if size is zero, too.
PR kern/53734
To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.51 src/sys/dev/usb/uvideo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 23 Oct 2019 14:58:01 +0000
State-Changed-Why:
Does this version work? If so, we should pull it up.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53734 CVS commit: [netbsd-9] src/sys/dev/usb
Date: Sun, 29 Dec 2019 11:13:48 +0000
Module Name: src
Committed By: martin
Date: Sun Dec 29 11:13:48 UTC 2019
Modified Files:
src/sys/dev/usb [netbsd-9]: uvideo.c
Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #590):
sys/dev/usb/uvideo.c: revision 1.50
sys/dev/usb/uvideo.c: revision 1.51
sys/dev/usb/uvideo.c: revision 1.52
Avoid kmem_alloc(0,..), which hits an assertion.
PR kern/53734: Prevent kernel panic during Wide Vision FHD Camera detection
Check if size is zero, too.
PR kern/53734
we want to check that the allocation is going to be zero, not whether
some pointer is NULL (oops).
Should be the right version this time!
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/dev/usb/uvideo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53734 CVS commit: src/sys/dev/usb
Date: Fri, 1 Jul 2022 01:06:51 +0000
Module Name: src
Committed By: riastradh
Date: Fri Jul 1 01:06:51 UTC 2022
Modified Files:
src/sys/dev/usb: uvideo.c
Log Message:
uvideo(4): Make alloc logic match free logic.
Reported-by: syzbot+57cdc1be653327f78b6f@syzkaller.appspotmail.com
PR kern/53734
To generate a diff of this commit:
cvs rdiff -u -r1.82 -r1.83 src/sys/dev/usb/uvideo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.