kern/53734: Prevent kernel panic during Wide Vision FHD Camera detection

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/53734: Prevent kernel panic during Wide Vision FHD Camera detection
From: ryoon%NetBSD.org@localhost
Date: Wed, 21 Nov 2018 15:35:00 +0000 (UTC)

>Number:         53734
>Category:       kern
>Synopsis:       Prevent kernel panic during Wide Vision FHD Camera detection
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 21 15:35:00 +0000 2018
>Originator:     Ryo ONODERA
>Release:        NetBSD 8.99.26
>Organization:
	
>Environment:
	
	
System: NetBSD brownie 8.99.26 NetBSD 8.99.26 (DTRACE7) #13: Wed Nov 21 22:02:05 JST 2018 ryoon@brownie:/usr/world/8.99/amd64/obj/sys/arch/amd64/compile/DTRACE7 amd64
Architecture: x86_64
Machine: amd64
>Description:
During detection of HP Wide Vision FHD Camera USB video embedded
in HP Spectre x360 13-inch, kernel panics as follows (manual transcript):

> bt
vmem_alloc() at netbsd:vmem_alloc+0x41
uvm_km_kmem_alloc() at netbsd:uvm_km_kmem_alloc+0x47
kmem_intr_alloc at netbsd:kmem_intr_alloc+0x6e
uvideo_unit_alloc_controls() at netbsd:uvideo_unit_alloc_controls+...
(snip)

Adding some printf to uvideo_unit_init() function
in src/sys/dev/usb/uvideo.c shows me that uvideo_unit_alloc_controls()'s
2nd argumen, size is zero in UDESC_EXTENSION_UNIT case in
uvideo_unit_init()

>How-To-Repeat:
Boot GENERIC kernel of NetBSD/amd64 8.99.26 on HP Spectre x360 13-inch ae019TU.
>Fix:
	
It seems that passing zero to kmem_alloc() is problematic.
The following patch prevents the kernel panic.

Index: sys/dev/usb/uvideo.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/uvideo.c,v
retrieving revision 1.46
diff -u -r1.46 uvideo.c
--- sys/dev/usb/uvideo.c	21 Jan 2018 13:57:12 -0000	1.46
+++ sys/dev/usb/uvideo.c	21 Nov 2018 13:08:10 -0000
@@ -989,7 +989,11 @@
 uvideo_unit_alloc_controls(struct uvideo_unit *vu, uint8_t size,
 			   const uint8_t *controls)
 {
-	vu->vu_controls = kmem_alloc(sizeof(*vu->vu_controls) * size, KM_SLEEP);
+	size_t tsize = sizeof(*vu->vu_controls) * size;
+
+	if (!(tsize > 0))
+		return USBD_INVAL;
+	vu->vu_controls = kmem_alloc(tsize, KM_SLEEP);
 	vu->vu_control_size = size;
 	memcpy(vu->vu_controls, controls, size);
 


However it seems that  HP Wide Vision FHD Camera uses USB isochronous
transfer in xHCI and the camera does not work anyway.

>Unformatted:

Prev by Date: Re: lib/53682
Next by Date: kern/53735: ihidev.c r1.7 make intelfb drawing very slow
Previous by Thread: Re: lib/53682
Next by Thread: kern/53735: ihidev.c r1.7 make intelfb drawing very slow
Indexes:

Home | Main Index | Thread Index | Old Index