NetBSD Problem Report #53734

From ryo_on@yk.rim.or.jp  Wed Nov 21 15:31:32 2018
Return-Path: <ryo_on@yk.rim.or.jp>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 1092D7A1CC
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 21 Nov 2018 15:31:32 +0000 (UTC)
Message-Id: <430PdV6gwKz4P5vw2@mail.SiriusCloud.jp>
Date: Wed, 21 Nov 2018 23:11:14 +0900
From: ryoon@NetBSD.org
Reply-To: ryoon@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: Prevent kernel panic during Wide Vision FHD Camera detection
X-Send-Pr-Version: 3.95

>Number:         53734
>Category:       kern
>Synopsis:       Prevent kernel panic during Wide Vision FHD Camera detection
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 21 15:35:00 +0000 2018
>Originator:     Ryo ONODERA
>Release:        NetBSD 8.99.26
>Organization:

>Environment:


System: NetBSD brownie 8.99.26 NetBSD 8.99.26 (DTRACE7) #13: Wed Nov 21 22:02:05 JST 2018 ryoon@brownie:/usr/world/8.99/amd64/obj/sys/arch/amd64/compile/DTRACE7 amd64
Architecture: x86_64
Machine: amd64
>Description:
During detection of the HP Wide Vision FHD Camera (USB video) embedded
in the HP Spectre x360 13-inch, the kernel panics as follows (manual transcript):

> bt
vmem_alloc() at netbsd:vmem_alloc+0x41
uvm_km_kmem_alloc() at netbsd:uvm_km_kmem_alloc+0x47
kmem_intr_alloc at netbsd:kmem_intr_alloc+0x6e
uvideo_unit_alloc_controls() at netbsd:uvideo_unit_alloc_controls+...
(snip)

Adding some printf calls to the uvideo_unit_init() function
in src/sys/dev/usb/uvideo.c shows me that uvideo_unit_alloc_controls()'s
2nd argument, size, is zero in the UDESC_EXTENSION_UNIT case in
uvideo_unit_init().

>How-To-Repeat:
Boot GENERIC kernel of NetBSD/amd64 8.99.26 on HP Spectre x360 13-inch ae019TU.
>Fix:

It seems that passing zero to kmem_alloc() is problematic.
The following patch prevents the kernel panic.

Index: sys/dev/usb/uvideo.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/uvideo.c,v
retrieving revision 1.46
diff -u -r1.46 uvideo.c
--- sys/dev/usb/uvideo.c	21 Jan 2018 13:57:12 -0000	1.46
+++ sys/dev/usb/uvideo.c	21 Nov 2018 13:08:10 -0000
@@ -989,7 +989,11 @@
 uvideo_unit_alloc_controls(struct uvideo_unit *vu, uint8_t size,
 			   const uint8_t *controls)
 {
-	vu->vu_controls = kmem_alloc(sizeof(*vu->vu_controls) * size, KM_SLEEP);
+	size_t tsize = sizeof(*vu->vu_controls) * size;
+
+	if (!(tsize > 0))
+		return USBD_INVAL;
+	vu->vu_controls = kmem_alloc(tsize, KM_SLEEP);
 	vu->vu_control_size = size;
 	memcpy(vu->vu_controls, controls, size);
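Review bot: The guard `if (!(tsize > 0))` in uvideo_unit_alloc_controls() is an indirect test for `size == 0`; since `size` is a uint8_t and tsize is just sizeof(*vu->vu_controls) * size, checking `size == 0` before computing tsize says the same thing more plainly. The early return also leaves vu->vu_controls and vu->vu_control_size unassigned, so any later code that reads or frees them for this unit would see whatever the structure held before; setting vu_controls to NULL and vu_control_size to 0 before returning would make that state explicit. Returning USBD_INVAL turns an extension unit that reports zero controls into a hard error, so it is worth confirming that the UDESC_EXTENSION_UNIT path in uvideo_unit_init() handles that status cleanly, or alternatively accepting a zero-length control set as valid and returning success with no allocation. A short comment noting that kmem_alloc() must not be called with a zero size would document why the check exists.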



However, it seems that the HP Wide Vision FHD Camera uses USB isochronous
transfer in xHCI, and the camera does not work anyway.

>Unformatted:
