[syzbot] [comedi?] memory leak in do_cmd_ioctl

[syzbot] [comedi?] memory leak in do_cmd_ioctl

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    8f0b4cce4481 Linux 6.19-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17df89b4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10bad11a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17d0411a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b3f098aba85/disk-8f0b4cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e249c8a4ce76/vmlinux-8f0b4cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/851cb7eb2c27/bzImage-8f0b4cce.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff88811193c4d8 (size 8):
  comm "syz.0.17", pid 6094, jiffies 4294942826
  hex dump (first 8 bytes):
    04 00 00 00 00 00 00 00                          ........
  backtrace (crc 844a0efa):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_node_track_caller_noprof+0x3af/0x670 mm/slub.c:5764
    memdup_user+0x2a/0xe0 mm/util.c:221
    memdup_array_user include/linux/string.h:39 [inline]
    __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
    do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
    do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
    comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2319
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88811193c990 (size 8):
  comm "syz.0.18", pid 6096, jiffies 4294942827
  hex dump (first 8 bytes):
    04 00 00 00 00 00 00 00                          ........
  backtrace (crc 844a0efa):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_node_track_caller_noprof+0x3af/0x670 mm/slub.c:5764
    memdup_user+0x2a/0xe0 mm/util.c:221
    memdup_array_user include/linux/string.h:39 [inline]
    __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
    do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
    do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
    comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2319
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88811193cea0 (size 8):
  comm "syz.0.19", pid 6099, jiffies 4294942829
  hex dump (first 8 bytes):
    04 00 00 00 00 00 00 00                          ........
  backtrace (crc 844a0efa):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_node_track_caller_noprof+0x3af/0x670 mm/slub.c:5764
    memdup_user+0x2a/0xe0 mm/util.c:221
    memdup_array_user include/linux/string.h:39 [inline]
    __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
    do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
    do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
    comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2319
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888144d28bf8 (size 8):
  comm "syz.0.20", pid 6124, jiffies 4294943361
  hex dump (first 8 bytes):
    04 00 00 00 00 00 00 00                          ........
  backtrace (crc 844a0efa):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_node_track_caller_noprof+0x3af/0x670 mm/slub.c:5764
    memdup_user+0x2a/0xe0 mm/util.c:221
    memdup_array_user include/linux/string.h:39 [inline]
    __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
    do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
    do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
    comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2319
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[PATCH] comedi: test memleak

[xiaopeitux]

From: Pei Xiao <xiaopei01@kylinos.cn>

#syz test
---
 drivers/comedi/comedi_fops.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index 657c98cd723e..60fb3b0656c1 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1893,6 +1893,8 @@ static int do_cmd_ioctl(struct comedi_device *dev,
 
 	ret = s->do_cmdtest(dev, s, &async->cmd);
 
+	kfree(cmd->chanlist);   /* free kernel copy of user chanlist */
+
 	if (async->cmd.flags & CMDF_BOGUS || ret) {
 		dev_dbg(dev->class_dev, "test returned %d\n", ret);
 		*cmd = async->cmd;
-- 
2.25.1

Re: [syzbot] [comedi?] memory leak in do_cmd_ioctl

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in do_cmd_ioctl

BUG: unable to handle page fault for address: ffffec5e00000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6735 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:page_slab mm/slab.h:142 [inline]
RIP: 0010:kfree+0x6c/0x3d0 mm/slub.c:6869
Code: 80 48 01 df 0f 82 6a 03 00 00 48 c7 c0 00 00 00 80 48 2b 05 66 9b 14 05 48 01 c7 48 c1 ef 0c 48 c1 e7 06 48 03 3d 44 9b 14 05 <48> 8b 47 08 a8 01 4c 8d 60 ff 4c 0f 44 e7 41 80 7c 24 33 f5 0f 85
RSP: 0018:ffffc9000217fd50 EFLAGS: 00010286
RAX: 0000777f80000000 RBX: 00002000000000c0 RCX: ffffffff844b815c
RDX: ffff8881244d9180 RSI: ffffffff844ab69a RDI: ffffec5e00000000
RBP: ffffc9000217fda0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000010 R11: ffffffff81000130 R12: ffff8881136bc198
R13: ffff8881458db700 R14: ffff8881458db500 R15: ffffc9000217fe28
FS:  00007feb67bfe6c0(0000) GS:ffff8881b266b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffec5e00000008 CR3: 000000010a316000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 do_cmd_ioctl.part.0+0x18a/0x360 drivers/comedi/comedi_fops.c:1896
 do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
 comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2321
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7feb6858f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feb67bfe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007feb687e5fa0 RCX: 00007feb6858f749
RDX: 0000200000000180 RSI: 0000000080506409 RDI: 0000000000000003
RBP: 00007feb68613f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007feb687e6038 R14: 00007feb687e5fa0 R15: 00007fff6cee0be8
 </TASK>
Modules linked in:
CR2: ffffec5e00000008
---[ end trace 0000000000000000 ]---
RIP: 0010:page_slab mm/slab.h:142 [inline]
RIP: 0010:kfree+0x6c/0x3d0 mm/slub.c:6869
Code: 80 48 01 df 0f 82 6a 03 00 00 48 c7 c0 00 00 00 80 48 2b 05 66 9b 14 05 48 01 c7 48 c1 ef 0c 48 c1 e7 06 48 03 3d 44 9b 14 05 <48> 8b 47 08 a8 01 4c 8d 60 ff 4c 0f 44 e7 41 80 7c 24 33 f5 0f 85
RSP: 0018:ffffc9000217fd50 EFLAGS: 00010286
RAX: 0000777f80000000 RBX: 00002000000000c0 RCX: ffffffff844b815c
RDX: ffff8881244d9180 RSI: ffffffff844ab69a RDI: ffffec5e00000000
RBP: ffffc9000217fda0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000010 R11: ffffffff81000130 R12: ffff8881136bc198
R13: ffff8881458db700 R14: ffff8881458db500 R15: ffffc9000217fe28
FS:  00007feb67bfe6c0(0000) GS:ffff8881b266b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffec5e00000008 CR3: 000000010a316000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	80 48 01 df          	orb    $0xdf,0x1(%rax)
   4:	0f 82 6a 03 00 00    	jb     0x374
   a:	48 c7 c0 00 00 00 80 	mov    $0xffffffff80000000,%rax
  11:	48 2b 05 66 9b 14 05 	sub    0x5149b66(%rip),%rax        # 0x5149b7e
  18:	48 01 c7             	add    %rax,%rdi
  1b:	48 c1 ef 0c          	shr    $0xc,%rdi
  1f:	48 c1 e7 06          	shl    $0x6,%rdi
  23:	48 03 3d 44 9b 14 05 	add    0x5149b44(%rip),%rdi        # 0x5149b6e
* 2a:	48 8b 47 08          	mov    0x8(%rdi),%rax <-- trapping instruction
  2e:	a8 01                	test   $0x1,%al
  30:	4c 8d 60 ff          	lea    -0x1(%rax),%r12
  34:	4c 0f 44 e7          	cmove  %rdi,%r12
  38:	41 80 7c 24 33 f5    	cmpb   $0xf5,0x33(%r12)
  3e:	0f                   	.byte 0xf
  3f:	85                   	.byte 0x85


Tested on:

commit:         8f0b4cce Linux 6.19-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16bd411a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=166d411a580000

[PATCH] comedi: test kmemleak

[xiaopeitux]

From: Pei Xiao <xiaopei01@kylinos.cn>

#syz test
---
 drivers/comedi/comedi_fops.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index 657c98cd723e..283a64613208 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1935,6 +1935,11 @@ static int do_cmd_ioctl(struct comedi_device *dev,
 		return 0;
 
 cleanup:
+
+	if (async && async->cmd.chanlist) {
+		kfree(async->cmd.chanlist);
+		async->cmd.chanlist = NULL;
+	}
 	do_become_nonbusy(dev, s);
 
 	return ret;
-- 
2.25.1

Re: [syzbot] [comedi?] memory leak in do_cmd_ioctl

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com
Tested-by: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com

Tested on:

commit:         8f0b4cce Linux 6.19-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=106c311a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1744cd92580000

Note: testing is done by a robot and is best-effort only.

[PATCH] comedi: runflags cannot determine whether to reclaim chanlist

[Edward Adam Davis]

syzbot reported a memory leak [1], because patch 4e1da516debb did
not consider the exceptional exit case in do_cmd_ioctl() where runflags
is not set.
This caused chanlist not to be properly freed by do_become_nonbusy(),
as it only frees chanlist when runflags is correctly set.

Added a check in do_become_nonbusy() for the case where runflags is not
set, to properly free the chanlist memory.

[1]
BUG: memory leak
  backtrace (crc 844a0efa):
    __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
    do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
    do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]

Fixes: 4e1da516debb ("comedi: Add reference counting for Comedi command handling")
Reported-by: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 drivers/comedi/comedi_fops.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index 657c98cd723e..003586a381ad 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -793,13 +793,15 @@ static void do_become_nonbusy(struct comedi_device *dev,
 	__comedi_clear_subdevice_runflags(s, COMEDI_SRF_RUNNING |
 					     COMEDI_SRF_BUSY);
 	spin_unlock_irqrestore(&s->spin_lock, flags);
-	if (comedi_is_runflags_busy(runflags)) {
+	if (async) {
 		/*
 		 * "Run active" counter was set to 1 when setting up the
 		 * command.  Decrement it and wait for it to become 0.
 		 */
-		comedi_put_is_subdevice_running(s);
-		wait_for_completion(&async->run_complete);
+		if (comedi_is_runflags_busy(runflags)) {
+			comedi_put_is_subdevice_running(s);
+			wait_for_completion(&async->run_complete);
+		}
 		comedi_buf_reset(s);
 		async->inttrig = NULL;
 		kfree(async->cmd.chanlist);
-- 
2.43.0

Re: [PATCH] comedi: runflags cannot determine whether to reclaim chanlist

[Ian Abbott]

On 15/12/2025 11:11, Edward Adam Davis wrote:
> syzbot reported a memory leak [1], because patch 4e1da516debb did
> not consider the exceptional exit case in do_cmd_ioctl() where runflags
> is not set.
> This caused chanlist not to be properly freed by do_become_nonbusy(),
> as it only frees chanlist when runflags is correctly set.
> 
> Added a check in do_become_nonbusy() for the case where runflags is not
> set, to properly free the chanlist memory.
> 
> [1]
> BUG: memory leak
>    backtrace (crc 844a0efa):
>      __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
>      do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
>      do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
> 
> Fixes: 4e1da516debb ("comedi: Add reference counting for Comedi command handling")
> Reported-by: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>   drivers/comedi/comedi_fops.c | 8 +++++---
>   1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
> index 657c98cd723e..003586a381ad 100644
> --- a/drivers/comedi/comedi_fops.c
> +++ b/drivers/comedi/comedi_fops.c
> @@ -793,13 +793,15 @@ static void do_become_nonbusy(struct comedi_device *dev,
>   	__comedi_clear_subdevice_runflags(s, COMEDI_SRF_RUNNING |
>   					     COMEDI_SRF_BUSY);
>   	spin_unlock_irqrestore(&s->spin_lock, flags);
> -	if (comedi_is_runflags_busy(runflags)) {
> +	if (async) {

The `if (async)` test is actually redundant (the code should not be 
reachable if `async` is null), but harmless, and the pre-4e1da516debb 
code tested it as a precaution, so no problem.

>   		/*
>   		 * "Run active" counter was set to 1 when setting up the
>   		 * command.  Decrement it and wait for it to become 0.
>   		 */
> -		comedi_put_is_subdevice_running(s);
> -		wait_for_completion(&async->run_complete);
> +		if (comedi_is_runflags_busy(runflags)) {
> +			comedi_put_is_subdevice_running(s);
> +			wait_for_completion(&async->run_complete);
> +		}
>   		comedi_buf_reset(s);
>   		async->inttrig = NULL;
>   		kfree(async->cmd.chanlist);

Thanks for the fix.  Looks good!

Reviewed-by: Ian Abbott <abbotti@mev.co.uk>

-- 
-=( Ian Abbott <abbotti@mev.co.uk> || MEV Ltd. is a company  )=-
-=( registered in England & Wales.  Regd. number: 02862268.  )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-