Could you please also send an lsusb -v of the device?

pkg_add usbutils
lsusb
lsusb -d <vendor_id>:<product_id> -v

On Sun, Aug 16, 2020 at 07:26:12PM +0000, Mikolaj Kucharski wrote:

> On Sun, Aug 16, 2020 at 06:41:18PM +0000, Mikolaj Kucharski wrote:
> > >Synopsis:  scanimage -L triggers panic, free: size too large 55 > 32
> > >Category:  kernel
> > >Environment:
> >     System      : OpenBSD 6.7
> >     Details     : OpenBSD 6.7-current (GENERIC.MP) #28: Sun Aug 16 10:19:11 MDT 2020
> >                      [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > 
> >     Architecture: OpenBSD.amd64
> >     Machine     : amd64
> > >Description:
> >     Connecting Samsung M2070 Series printer and running scanimage -L triggers
> > kernel panic, every time.
> > 
> > login: panic: free: size too large 55 > 32 (0xffff800000c18b20) type temp
> > Stopped at      db_enter+0x10:  popq    %rbp
> >     TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
> > *446853  20722      0         0x3          0    3K scanimage
> > db_enter() at db_enter+0x10
> > panic(ffffffff81df8f3e) at panic+0x12a
> > free(ffff800000c18b20,7f,37) at free+0x3c1
> > usbioctl(3d00,c0185507,ffff800022691a70,3,ffff8000227ecf00) at usbioctl+0x3fa
> > VOP_IOCTL(fffffd810805cc38,c0185507,ffff800022691a70,3,fffffd812e7c3a80,ffff8000227ecf00) at VOP_IOCTL+0x55
> > vn_ioctl(fffffd810eb0a968,c0185507,ffff800022691a70,ffff8000227ecf00) at vn_ioctl+0x75
> > sys_ioctl(ffff8000227ecf00,ffff800022691b80,ffff800022691be0) at sys_ioctl+0x2d4
> > syscall(ffff800022691c50) at syscall+0x389
> > Xsyscall() at Xsyscall+0x128
> > end of kernel
> > end trace frame: 0x7f7ffffda9f0, count: 6
> > https://www.openbsd.org/ddb.html describes the minimum info required in bug
> > reports.  Insufficient info makes it difficult to find and fix bugs.
> > 
> > ddb{3}> show panic
> > free: size too large 55 > 32 (0xffff800000c18b20) type temp
> > 
> > ddb{3}> bt
> > db_enter() at db_enter+0x10
> > panic(ffffffff81df8f3e) at panic+0x12a
> > free(ffff800000c18b20,7f,37) at free+0x3c1
> > usbioctl(3d00,c0185507,ffff800022691a70,3,ffff8000227ecf00) at usbioctl+0x3fa
> > VOP_IOCTL(fffffd810805cc38,c0185507,ffff800022691a70,3,fffffd812e7c3a80,ffff8000227ecf00) at VOP_IOCTL+0x55
> > vn_ioctl(fffffd810eb0a968,c0185507,ffff800022691a70,ffff8000227ecf00) at vn_ioctl+0x75
> > sys_ioctl(ffff8000227ecf00,ffff800022691b80,ffff800022691be0) at sys_ioctl+0x2d4
> > syscall(ffff800022691c50) at syscall+0x389
> > Xsyscall() at Xsyscall+0x128
> > end of kernel
> > end trace frame: 0x7f7ffffda9f0, count: -9
> > ddb{3}>
> > 
> 
> With the following patch:
> 
> Index: sys/dev/usb/usb.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/usb/usb.c,v
> retrieving revision 1.124
> diff -u -p -u -r1.124 usb.c
> --- sys/dev/usb/usb.c 6 Oct 2019 17:11:51 -0000       1.124
> +++ sys/dev/usb/usb.c 16 Aug 2020 19:21:30 -0000
> @@ -664,6 +664,7 @@ usbioctl(dev_t devt, u_long cmd, caddr_t
>                       }
>               }
>       ret:
> +             printf("%s:%u: free(%p, %d, %zu)\n", __func__, __LINE__, ptr, 
> M_TEMP, len);
>               free(ptr, M_TEMP, len);
>               return (error);
>       }
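Review bot: The printf added at the `ret:` label, just before `free(ptr, M_TEMP, len)`, is unconditional, so every call that reaches this path writes a kernel heap address (`%p` of `ptr`) to the console and message buffer. That is fine for a local debugging build, but it should not be committed as is; if the trace is worth keeping, put it behind a debug-only conditional. The added line also runs past 80 columns.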
> @@ -772,6 +773,7 @@ usbioctl(dev_t devt, u_long cmd, caddr_t
>               uio.uio_rw = UIO_READ;
>               uio.uio_procp = p;
>               error = uiomove((void *)cdesc, len, &uio);
> +             printf("%s:%u: free(%p, %d, %hu)\n", __func__, __LINE__, cdesc, 
> M_TEMP, UGETW(cdesc->wTotalLength));
>               free(cdesc, M_TEMP, UGETW(cdesc->wTotalLength));
>               return (error);
>       }
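Review bot: In this hunk the size that is printed and passed to free() is `UGETW(cdesc->wTotalLength)`, a value read back out of the buffer being freed, while the `uiomove()` call directly above uses `len`. Printing `len` next to it, together with the size used where `cdesc` was allocated, would show directly which value disagrees with the allocation. A likely direction for the fix is to carry the allocated size alongside `cdesc` and pass that to free() instead of relying on a field inside the descriptor.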
> 
> before panic, kernel messages say:
> 
> login: usbioctl:776: free(0xffff800000c4bba0, 127, 25)
> usbioctl:776: free(0xffff800000c18700, 127, 55)
> usbioctl:776: free(0xffff800000c4bbe0, 127, 25)
> usbioctl:776: free(0xffff800000c4bc20, 127, 25)
> usbioctl:776: free(0xffff800000c4bc40, 127, 55)
> panic: free: size too large 55 > 32 (0xffff800000c4bc40) type temp
> 
> so it's
> 
>       free(cdesc, M_TEMP, UGETW(cdesc->wTotalLength));
> 
> in usbioctl(), line 775 in sys/dev/usb/usb.c -r1.124
> 
> -- 
> Regards,
>  Mikolaj
> 
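An added illustration, not part of the original thread and not OpenBSD code: a user-space model of the sized-free check behind "free: size too large 55 > 32", comparing a free size read from the buffer's own wTotalLength field with a size tracked by the caller. The power-of-two bucket model, the function names and the 25-byte allocation are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (assumption): requests are rounded up to power-of-two
 * buckets and a sized free is checked against the chunk's bucket. */
struct chunk { size_t bucket; unsigned char data[]; };

void *model_alloc(size_t n) {
    size_t b = 16;                       /* smallest bucket in this model */
    while (b < n) b <<= 1;
    struct chunk *c = calloc(1, sizeof(*c) + b);
    if (c == NULL) return NULL;
    c->bucket = b;
    return c->data;
}

/* 0 if the claimed size fits the bucket, -1 where the kernel would panic
 * with "free: size too large". The memory is released either way. */
int model_free(void *p, size_t claimed) {
    struct chunk *c = (struct chunk *)((unsigned char *)p - offsetof(struct chunk, data));
    int ok = claimed <= c->bucket;
    free(c);
    return ok ? 0 : -1;
}

/* wTotalLength is a little-endian 16-bit field at bytes 2..3. */
static size_t total_len(const unsigned char *d) { return d[2] | (size_t)d[3] << 8; }

/* Allocate alloc_len bytes, store field_len in the buffer (constructed
 * contents), then free with either the buffer's field or the tracked size. */
int alloc_then_free(size_t alloc_len, unsigned field_len, int use_field) {
    unsigned char *d = model_alloc(alloc_len);
    if (d == NULL) return -2;
    d[2] = field_len & 0xff;
    d[3] = (field_len >> 8) & 0xff;
    return model_free(d, use_field ? total_len(d) : alloc_len);
}

int main(void) {
    printf("field 25, free by field:   %d\n", alloc_then_free(25, 25, 1));
    printf("field 55, free by field:   %d\n", alloc_then_free(25, 55, 1));
    printf("field 55, free by tracked: %d\n", alloc_then_free(25, 55, 0));
    return 0;
}
```

In this model a 25-byte request lands in the 32-byte bucket, so a free that claims 55 bytes fails the check, while the same buffer freed with the tracked size passes.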
