NetBSD Problem Report #48963

From www@NetBSD.org  Fri Jul  4 18:09:20 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id EF451A6545
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  4 Jul 2014 18:09:20 +0000 (UTC)
Message-Id: <20140704180919.2F214A6547@mollari.NetBSD.org>
Date: Fri,  4 Jul 2014 18:09:19 +0000 (UTC)
From: oshima-ya@yagoto-urayama.jp
Reply-To: oshima-ya@yagoto-urayama.jp
To: gnats-bugs@NetBSD.org
Subject: kmem_free size mismatch causes panic when attaching urndis(4).
X-Send-Pr-Version: www-1.0

>Number:         48963
>Category:       kern
>Synopsis:       kmem_free size mismatch causes panic when attaching urndis(4).
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    skrll
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 04 18:10:00 +0000 2014
>Closed-Date:    Fri Aug 08 07:41:26 +0000 2014
>Last-Modified:  Fri Aug 08 07:41:26 +0000 2014
>Originator:     Yasushi Oshima
>Release:        NetBSD-current
>Organization:
>Environment:
NetBSD jaguar 6.99.45 NetBSD 6.99.45 (GENERIC) #2: Sat Jul  5 01:52:30 JST 2014  root@sweety:/export/current/daily/20140705/obj/amd64/sys/arch/amd64/compile/GENERIC amd64

>Description:
When attaching a urndis(4) device, a kernel panic occurs.

urndis0 at uhub1 port 2 configuration 2 interface 0
urndis0: NEC AccessTechnica,Ltd. LTE Mobile Router, rev 2.00/1.00, addr 2
urndis0: address XX:XX:XX:XX:XX:XX
panic: kmem_free(0xfffffe811d936f40, 28) != allocated size 32

This problem is because the size passed to kmem_free differs from the size used at kmem_alloc time in urndis_ctrl_query() / urndis_ctrl_set().

This mismatch exists in netbsd-6, too.

>How-To-Repeat:
Attach urndis(4) device.

>Fix:
--- if_urndis.c 17 Oct 2013 21:07:37 -0000      1.6
+++ if_urndis.c 4 Jul 2014 17:04:26 -0000
@@ -513,7 +513,7 @@
            le32toh(msg->rm_devicevchdl)));

        rval = urndis_ctrl_send(sc, msg, sizeof(*msg));
-       kmem_free(msg, sizeof(*msg));
+       kmem_free(msg, sizeof(*msg) + qlen);

        if (rval != RNDIS_STATUS_SUCCESS) {
                printf("%s: query failed\n", DEVNAME(sc));
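Review bot: the free size now matches the allocation, but the expression is still spelled out in two places; computing it once next to the kmem_alloc (e.g. `size_t msglen = sizeof(*msg) + qlen;`) and passing `msglen` to both kmem_alloc and kmem_free would make this mismatch impossible to reintroduce. The panic in the report, `kmem_free(..., 28) != allocated size 32`, is exactly that drift: 28 is sizeof(*msg), 32 is sizeof(*msg) plus the query payload appended after the header.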
@@ -566,7 +566,7 @@
            le32toh(msg->rm_devicevchdl)));

        rval = urndis_ctrl_send(sc, msg, sizeof(*msg));
-       kmem_free(msg, sizeof(*msg));
+       kmem_free(msg, sizeof(*msg) + len);

        if (rval != RNDIS_STATUS_SUCCESS) {
                printf("%s: set failed\n", DEVNAME(sc));
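Review bot: same fix as in urndis_ctrl_query, and the same single-size-variable suggestion applies; since only the success path is visible in this hunk, it is worth checking that every other kmem_free(msg, ...) in urndis_ctrl_set, including any early error returns, also uses `sizeof(*msg) + len`. Freeing with the wrong size is an allocator-bookkeeping bug regardless of whether the kmem size check trips, so the fix matters even on kernels that would not have produced the panic.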

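To make the failure mode concrete, here is an added example in plain C (not from this PR and not NetBSD's if_urndis.c): a user-space stand-in for kmem_alloc/kmem_free that records the requested size and checks it on free, the way the kmem(9) size check that produced the panic above does, followed by the buggy and fixed shapes of the query routine. The `struct rndis_query_req` layout is assumed to be the seven-field RNDIS query header (28 bytes, matching the freed size in the panic); only `rm_devicevchdl` appears in the PR, the other field names and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size header recorded in front of every block, like the kmem(9) size check. */
struct size_hdr {
	size_t allocated;
};

/* Stand-in for kmem_alloc(9): remember the requested size. */
static void *
model_kmem_alloc(size_t size)
{
	struct size_hdr *h = malloc(sizeof(*h) + size);
	if (h == NULL)
		abort();
	h->allocated = size;
	return h + 1;
}

/*
 * Stand-in for kmem_free(9): returns 1 when the caller's size matches the
 * allocation, 0 on mismatch (where the real kernel panics).
 */
static int
model_kmem_free(void *p, size_t size)
{
	struct size_hdr *h = (struct size_hdr *)p - 1;
	int ok = (h->allocated == size);
	if (!ok)
		fprintf(stderr, "kmem_free(%p, %zu) != allocated size %zu\n",
		    p, size, h->allocated);
	free(h);
	return ok;
}

/* Assumed RNDIS query header: 7 x 32-bit fields = 28 bytes. */
struct rndis_query_req {
	uint32_t rm_type;
	uint32_t rm_len;
	uint32_t rm_rid;
	uint32_t rm_oid;
	uint32_t rm_infobuflen;
	uint32_t rm_infobufoffset;
	uint32_t rm_devicevchdl;
};

/* Buggy shape: header plus qlen bytes are allocated, only the header is freed. */
static int
ctrl_query_buggy(const void *qbuf, size_t qlen)
{
	struct rndis_query_req *msg = model_kmem_alloc(sizeof(*msg) + qlen);
	memset(msg, 0, sizeof(*msg));
	msg->rm_len = (uint32_t)(sizeof(*msg) + qlen);
	memcpy(msg + 1, qbuf, qlen);          /* payload follows the header */
	/* urndis_ctrl_send(sc, msg, sizeof(*msg)) would go here */
	return model_kmem_free(msg, sizeof(*msg));   /* mismatch: payload missing */
}

/* Fixed shape: compute the size once and use it for both alloc and free. */
static int
ctrl_query_fixed(const void *qbuf, size_t qlen)
{
	const size_t msglen = sizeof(struct rndis_query_req) + qlen;
	struct rndis_query_req *msg = model_kmem_alloc(msglen);
	memset(msg, 0, msglen);
	msg->rm_len = (uint32_t)msglen;
	memcpy(msg + 1, qbuf, qlen);
	return model_kmem_free(msg, msglen);
}

int
main(void)
{
	/* constructed 4-byte query payload, giving the 28 vs 32 sizes of the panic */
	static const uint8_t qbuf[4] = { 0, 0, 0, 0 };
	printf("buggy: %s\n", ctrl_query_buggy(qbuf, sizeof(qbuf)) ? "ok" : "size mismatch");
	printf("fixed: %s\n", ctrl_query_fixed(qbuf, sizeof(qbuf)) ? "ok" : "size mismatch");
	return 0;
}
```

Running it reproduces the report's numbers: the buggy path frees 28 bytes from a 32-byte block and is caught, the fixed path passes the same `msglen` to both calls. Keeping one variable for the size is the habit that prevents this class of bug; with a sized allocator, the allocation and free sizes are a contract, not two independent expressions.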
>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->skrll
Responsible-Changed-By: skrll@NetBSD.org
Responsible-Changed-When: Sat, 05 Jul 2014 09:22:39 +0000
Responsible-Changed-Why:
Take


State-Changed-From-To: open->pending-pullups
State-Changed-By: skrll@NetBSD.org
State-Changed-When: Sat, 05 Jul 2014 09:35:09 +0000
State-Changed-Why:
Fix committed to -current. Pending pullup to netbsd-6.


From: "Nick Hudson" <skrll@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/48963 CVS commit: src/sys/dev/usb
Date: Sat, 5 Jul 2014 09:30:08 +0000

 Module Name:	src
 Committed By:	skrll
 Date:		Sat Jul  5 09:30:08 UTC 2014

 Modified Files:
 	src/sys/dev/usb: if_urndis.c

 Log Message:
 PR/48963: kmem_free size mismatch causes panic when attaching urndis(4).

 Fix the size passed in kmem_free in the urndis_ctrl_{query,set} functions


 To generate a diff of this commit:
 cvs rdiff -u -r1.6 -r1.7 src/sys/dev/usb/if_urndis.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "SAITOH Masanobu" <msaitoh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/48963 CVS commit: [netbsd-6] src/sys/dev/usb
Date: Thu, 7 Aug 2014 08:01:37 +0000

 Module Name:	src
 Committed By:	msaitoh
 Date:		Thu Aug  7 08:01:37 UTC 2014

 Modified Files:
 	src/sys/dev/usb [netbsd-6]: if_urndis.c

 Log Message:
 Pull up following revision(s) (requested by skrll in ticket #1094):
 	sys/dev/usb/if_urndis.c: revision 1.7
 PR/48963: kmem_free size mismatch causes panic when attaching urndis(4).
 Fix the size passed in kmem_free in the urndis_ctrl_{query,set} functions


 To generate a diff of this commit:
 cvs rdiff -u -r1.3.2.1 -r1.3.2.2 src/sys/dev/usb/if_urndis.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "SAITOH Masanobu" <msaitoh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/48963 CVS commit: [netbsd-6-1] src/sys/dev/usb
Date: Thu, 7 Aug 2014 08:05:24 +0000

 Module Name:	src
 Committed By:	msaitoh
 Date:		Thu Aug  7 08:05:24 UTC 2014

 Modified Files:
 	src/sys/dev/usb [netbsd-6-1]: if_urndis.c

 Log Message:
 Pull up following revision(s) (requested by skrll in ticket #1094):
 	sys/dev/usb/if_urndis.c: revision 1.7
 PR/48963: kmem_free size mismatch causes panic when attaching urndis(4).
 Fix the size passed in kmem_free in the urndis_ctrl_{query,set} functions


 To generate a diff of this commit:
 cvs rdiff -u -r1.3.2.1 -r1.3.2.1.2.1 src/sys/dev/usb/if_urndis.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "SAITOH Masanobu" <msaitoh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/48963 CVS commit: [netbsd-6-0] src/sys/dev/usb
Date: Thu, 7 Aug 2014 08:06:37 +0000

 Module Name:	src
 Committed By:	msaitoh
 Date:		Thu Aug  7 08:06:37 UTC 2014

 Modified Files:
 	src/sys/dev/usb [netbsd-6-0]: if_urndis.c

 Log Message:
 Pull up following revision(s) (requested by skrll in ticket #1094):
 	sys/dev/usb/if_urndis.c: revision 1.7
 PR/48963: kmem_free size mismatch causes panic when attaching urndis(4).
 Fix the size passed in kmem_free in the urndis_ctrl_{query,set} functions


 To generate a diff of this commit:
 cvs rdiff -u -r1.3.6.1 -r1.3.6.2 src/sys/dev/usb/if_urndis.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: msaitoh@NetBSD.org
State-Changed-When: Fri, 08 Aug 2014 07:41:26 +0000
State-Changed-Why:
Pulled up.
Thanks.


>Unformatted:

Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.