On Sun, Aug 16, 2020 at 06:41:18PM +0000, Mikolaj Kucharski wrote:
> >Synopsis: scanimage -L triggers panic, free: size too large 55 > 32
> >Category: kernel
> >Environment:
> System : OpenBSD 6.7
> Details : OpenBSD 6.7-current (GENERIC.MP) #28: Sun Aug 16 10:19:11 MDT 2020
>
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine : amd64
> >Description:
> Connecting a Samsung M2070 Series printer and running scanimage -L
> triggers a kernel panic, every time.
>
> login: panic: free: size too large 55 > 32 (0xffff800000c18b20) type temp
> Stopped at db_enter+0x10: popq %rbp
> TID PID UID PRFLAGS PFLAGS CPU COMMAND
> *446853 20722 0 0x3 0 3K scanimage
> db_enter() at db_enter+0x10
> panic(ffffffff81df8f3e) at panic+0x12a
> free(ffff800000c18b20,7f,37) at free+0x3c1
> usbioctl(3d00,c0185507,ffff800022691a70,3,ffff8000227ecf00) at usbioctl+0x3fa
> VOP_IOCTL(fffffd810805cc38,c0185507,ffff800022691a70,3,fffffd812e7c3a80,ffff8000227ecf00) at VOP_IOCTL+0x55
> vn_ioctl(fffffd810eb0a968,c0185507,ffff800022691a70,ffff8000227ecf00) at vn_ioctl+0x75
> sys_ioctl(ffff8000227ecf00,ffff800022691b80,ffff800022691be0) at sys_ioctl+0x2d4
> syscall(ffff800022691c50) at syscall+0x389
> Xsyscall() at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7ffffda9f0, count: 6
> https://www.openbsd.org/ddb.html describes the minimum info required in bug
> reports. Insufficient info makes it difficult to find and fix bugs.
>
> ddb{3}> show panic
> free: size too large 55 > 32 (0xffff800000c18b20) type temp
>
> ddb{3}> bt
> db_enter() at db_enter+0x10
> panic(ffffffff81df8f3e) at panic+0x12a
> free(ffff800000c18b20,7f,37) at free+0x3c1
> usbioctl(3d00,c0185507,ffff800022691a70,3,ffff8000227ecf00) at usbioctl+0x3fa
> VOP_IOCTL(fffffd810805cc38,c0185507,ffff800022691a70,3,fffffd812e7c3a80,ffff8000227ecf00) at VOP_IOCTL+0x55
> vn_ioctl(fffffd810eb0a968,c0185507,ffff800022691a70,ffff8000227ecf00) at vn_ioctl+0x75
> sys_ioctl(ffff8000227ecf00,ffff800022691b80,ffff800022691be0) at sys_ioctl+0x2d4
> syscall(ffff800022691c50) at syscall+0x389
> Xsyscall() at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7ffffda9f0, count: -9
> ddb{3}>
>
With the following patch:
Index: sys/dev/usb/usb.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/usb.c,v
retrieving revision 1.124
diff -u -p -u -r1.124 usb.c
--- sys/dev/usb/usb.c 6 Oct 2019 17:11:51 -0000 1.124
+++ sys/dev/usb/usb.c 16 Aug 2020 19:21:30 -0000
@@ -664,6 +664,7 @@ usbioctl(dev_t devt, u_long cmd, caddr_t
}
}
ret:
+ printf("%s:%u: free(%p, %d, %zu)\n", __func__, __LINE__, ptr,
M_TEMP, len);
free(ptr, M_TEMP, len);
return (error);
}
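Review bot: the printf added at `ret:` before `free(ptr, M_TEMP, len)` fires on every path that reaches the label, including any on which ptr is still NULL, and none of the messages captured before the panic come from it (every logged line is usbioctl:776), so this site is already ruled out and the message can be dropped. If it stays, printing M_TEMP with %d yields the bare type index (127 in the log) rather than a name; a literal "M_TEMP" in the format string reads better, and `%zu` is only right if `len` really is a size_t here.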
@@ -772,6 +773,7 @@ usbioctl(dev_t devt, u_long cmd, caddr_t
uio.uio_rw = UIO_READ;
uio.uio_procp = p;
error = uiomove((void *)cdesc, len, &uio);
+ printf("%s:%u: free(%p, %d, %hu)\n", __func__, __LINE__, cdesc,
M_TEMP, UGETW(cdesc->wTotalLength));
free(cdesc, M_TEMP, UGETW(cdesc->wTotalLength));
return (error);
}
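Review bot: the length handed to `free(cdesc, M_TEMP, UGETW(cdesc->wTotalLength))` is read back out of the buffer being freed, that is, out of data the device wrote during the full descriptor read, and the log shows that value (55) is not the size the buffer was allocated with (the allocation came out of the 32-byte bucket, so it was at most 32 bytes). A sized free must be given the allocation length, not a field the device can change between the read that sized the allocation and the read that filled it; the `len` used by the uiomove() two lines above is in scope, so if it is (or is made to be) the length usbd_get_cdesc() allocated, `free(cdesc, M_TEMP, len)` is the call to make. As written, any attached device that reports inconsistent lengths can take the kernel down from user space via scanimage -L, which is the denial of service the report demonstrates.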
before the panic, kernel messages say:
login: usbioctl:776: free(0xffff800000c4bba0, 127, 25)
usbioctl:776: free(0xffff800000c18700, 127, 55)
usbioctl:776: free(0xffff800000c4bbe0, 127, 25)
usbioctl:776: free(0xffff800000c4bc20, 127, 25)
usbioctl:776: free(0xffff800000c4bc40, 127, 55)
panic: free: size too large 55 > 32 (0xffff800000c4bc40) type temp
so it's
free(cdesc, M_TEMP, UGETW(cdesc->wTotalLength));
in usbioctl(), line 775 in sys/dev/usb/usb.c -r1.124
--
Regards,
Mikolaj
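As an added example, not part of the report and not OpenBSD code, the following user-space C model reproduces the sized-free mismatch that the log points at: a buffer is allocated with the length a device reported in a short descriptor read, refilled by a full read, and then freed with a length read back out of the refilled buffer. The fake device, the checking allocator wrapper and all function names are this example's own assumptions; UGETW/USETW are redefined locally with the same little-endian layout as the kernel's usb.h macros, and the check is stricter than the kernel's (exact length rather than bucket size).

```c
/*
 * Added example (not OpenBSD code): model of freeing a buffer with a size
 * taken from device-supplied data instead of the allocation length.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same byte order as the kernel's usb.h helpers: 16-bit little-endian. */
typedef uint8_t uWord[2];
#define UGETW(w)    ((w)[0] | ((w)[1] << 8))
#define USETW(w, v) ((w)[0] = (uint8_t)(v), (w)[1] = (uint8_t)((v) >> 8))

#define USB_CONFIG_DESCRIPTOR_SIZE 9
#define UDESC_CONFIG 2

/* Minimal stand-in for struct usb_config_descriptor; only these fields matter. */
struct cfg_desc {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uWord   wTotalLength;
};

/* Constructed device: reports one wTotalLength when asked for the short
 * header and another when asked for the whole descriptor.  A conforming
 * device has hdr_total == full_total. */
struct fake_dev {
	uint16_t hdr_total;
	uint16_t full_total;
};

static void
dev_get_desc(const struct fake_dev *d, void *buf, size_t len)
{
	struct cfg_desc hdr = { .bLength = USB_CONFIG_DESCRIPTOR_SIZE,
	    .bDescriptorType = UDESC_CONFIG };
	uint16_t total = (len <= USB_CONFIG_DESCRIPTOR_SIZE) ? d->hdr_total
	    : d->full_total;

	USETW(hdr.wTotalLength, total);
	memset(buf, 0, len);
	memcpy(buf, &hdr, len < sizeof(hdr) ? len : sizeof(hdr));
}

/* Tiny sized allocator: remembers each allocation's length so a sized free
 * can be checked, as free(9) checks the length against the bucket the
 * memory came from ("free: size too large 55 > 32") and panics on mismatch. */
#define MAX_ALLOCS 16
static struct { void *p; size_t len; } allocs[MAX_ALLOCS];

static void *
sized_malloc(size_t len)
{
	void *p = malloc(len);

	for (int i = 0; p != NULL && i < MAX_ALLOCS; i++) {
		if (allocs[i].p == NULL) {
			allocs[i].p = p;
			allocs[i].len = len;
			return p;
		}
	}
	free(p);
	return NULL;
}

/* Returns 0 on a matching sized free, -1 where the kernel would panic. */
static int
sized_free(void *p, size_t len)
{
	for (int i = 0; i < MAX_ALLOCS; i++) {
		if (allocs[i].p == p) {
			int ok = (allocs[i].len == len);
			allocs[i].p = NULL;
			free(p);
			return ok ? 0 : -1;
		}
	}
	return -1; /* pointer was never handed out by sized_malloc() */
}

/* Model of fetching a configuration descriptor: read the header to learn
 * wTotalLength, allocate that much, then read the whole thing back.
 * *lenp receives the length that was actually allocated. */
static struct cfg_desc *
get_cdesc(const struct fake_dev *d, size_t *lenp)
{
	struct cfg_desc hdr, *cdesc;
	size_t len;

	dev_get_desc(d, &hdr, sizeof(hdr));
	len = UGETW(hdr.wTotalLength);
	if (len < sizeof(hdr))
		return NULL;
	cdesc = sized_malloc(len);
	if (cdesc == NULL)
		return NULL;
	dev_get_desc(d, cdesc, len); /* device may now report another length */
	*lenp = len;
	return cdesc;
}

/* Pattern from the report: size the free from a field inside the buffer
 * being freed.  The device controls that field. */
int
release_by_descriptor_length(uint16_t hdr_total, uint16_t full_total)
{
	struct fake_dev d = { hdr_total, full_total };
	size_t alloc_len;
	struct cfg_desc *cdesc = get_cdesc(&d, &alloc_len);

	if (cdesc == NULL)
		return -2;
	return sized_free(cdesc, UGETW(cdesc->wTotalLength));
}

/* Hardened pattern: free with the length the allocation was made with. */
int
release_by_alloc_length(uint16_t hdr_total, uint16_t full_total)
{
	struct fake_dev d = { hdr_total, full_total };
	size_t alloc_len;
	struct cfg_desc *cdesc = get_cdesc(&d, &alloc_len);

	if (cdesc == NULL)
		return -2;
	return sized_free(cdesc, alloc_len);
}

int
main(void)
{
	/* 25 then 55 are the numbers from the report's log. */
	printf("consistent device, free by wTotalLength: %d\n",
	    release_by_descriptor_length(25, 25));
	printf("inconsistent device, free by wTotalLength: %d (kernel would panic)\n",
	    release_by_descriptor_length(25, 55));
	printf("inconsistent device, free by allocation length: %d\n",
	    release_by_alloc_length(25, 55));
	return 0;
}
```

The model keeps the two reads separate on purpose: the length that sized the allocation is known to the code that called the allocator, and that is the only value a sized free should ever be given. Anything re-read from the buffer is device input.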