Recent USB changes broke kernel memory allocation

[Tom Ivar Helbekkmo <tih%hamartun.priv.no@localhost>]

It seems that changes made to USB code on February 7th broke the kernel
memory allocation arena.  After that point, it is enough to insert a USB
memory stick into my amd64 laptop, and then remove it, to make the
kernel crash.  It seems the changes to the allocating and freeing calls
got a bit messed up, leading to internal disagreements about item sizes,
at least in the umass code:

: dejah# ;cd /var/crash
: dejah# ;dmesg -N netbsd.26 -M netbsd.26.core | tail -23
[  1525.390177] umass0: SMI Corporation (0x90c) USB DISK (0x1000), rev 2.00/11.00, addr 2
[  1525.390177] umass0: using SCSI over Bulk-Only
[  1525.390177] scsibus0 at umass0: 2 targets, 1 lun per target
[  1525.660323] sd0 at scsibus0 target 0 lun 0: <S31B1103, USB DISK, 1100> disk removable
[  1525.660323] sd0: 3864 MB, 7872 cyl, 16 head, 63 sec, 512 bytes/sect x 7913472 sectors
[  1537.266612] sd0: detached
[  1537.266612] scsibus0: detached
[  1537.266612] panic: kmem_free(0xffff8412b3188208, 8) != allocated size 472
[  1537.266612] cpu1: Begin traceback...
[  1537.266612] vpanic() at netbsd:vpanic+0x16f
[  1537.266612] snprintf() at netbsd:snprintf
[  1537.266612] kmem_alloc() at netbsd:kmem_alloc
[  1537.266612] umass_detach() at netbsd:umass_detach+0xe1
[  1537.266612] config_detach() at netbsd:config_detach+0x121
[  1537.266612] usb_disconnect_port() at netbsd:usb_disconnect_port+0xb8
[  1537.266612] uhub_explore() at netbsd:uhub_explore+0x221
[  1537.266612] usb_discover.isra.2() at netbsd:usb_discover.isra.2+0x68
[  1537.266612] usb_event_thread() at netbsd:usb_event_thread+0x77
[  1537.266612] cpu1: End traceback...

[  1537.266612] dumping to dev 0,1 (offset=1472, size=1045482):
[  1537.266612] dump 
: dejah# ;gdb netbsd.gdb
GNU gdb (GDB) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64--netbsd".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from netbsd.gdb...done.
(gdb) target kvm netbsd.26.core
0xffffffff80222d75 in cpu_reboot (howto=howto@entry=260, bootstr=bootstr@entry=0x0)
    at /usr/src/sys/arch/amd64/amd64/machdep.c:726
726                     dumpsys();
(gdb) bt
#0  0xffffffff80222d75 in cpu_reboot (howto=howto@entry=260, bootstr=bootstr@entry=0x0)
    at /usr/src/sys/arch/amd64/amd64/machdep.c:726
#1  0xffffffff809ec2c7 in vpanic (fmt=fmt@entry=0xffffffff813f8838 "kmem_free(%p, %zu) != allocated size %zu", 
    ap=ap@entry=0xffff84806a1d5d78) at /usr/src/sys/kern/subr_prf.c:335
#2  0xffffffff809ec35e in panic (fmt=fmt@entry=0xffffffff813f8838 "kmem_free(%p, %zu) != allocated size %zu")
    at /usr/src/sys/kern/subr_prf.c:254
#3  0xffffffff809e1944 in kmem_size_check (sz=8, p=0xffff8412b3188200) at /usr/src/sys/kern/subr_kmem.c:549
#4  kmem_intr_free (p=0xffff8412b3188200, requested_size=8) at /usr/src/sys/kern/subr_kmem.c:337
#5  0xffffffff8047d794 in umass_detach (self=<optimized out>, flags=1) at /usr/src/sys/dev/usb/umass.c:844
#6  0xffffffff809d337b in config_detach (dev=dev@entry=0xffff8412a6f78908, flags=flags@entry=1)
    at /usr/src/sys/kern/subr_autoconf.c:1748
#7  0xffffffff804697df in usb_disconnect_port (up=up@entry=0xffff84129e303210, parent=<optimized out>, 
    flags=flags@entry=1) at /usr/src/sys/dev/usb/usb_subr.c:1665
#8  0xffffffff8046a3a2 in uhub_explore (dev=0xffff84129e2fae20) at /usr/src/sys/dev/usb/uhub.c:637
#9  0xffffffff80463e47 in usb_discover (sc=<optimized out>, sc=<optimized out>) at /usr/src/sys/dev/usb/usb.c:1004
#10 0xffffffff80463f0e in usb_event_thread (arg=0xffff84129e16bf68) at /usr/src/sys/dev/usb/usb.c:562
#11 0xffffffff802097c7 in lwp_trampoline ()
#12 0x0000000000000000 in ?? ()
(gdb) up
#1  0xffffffff809ec2c7 in vpanic (fmt=fmt@entry=0xffffffff813f8838 "kmem_free(%p, %zu) != allocated size %zu", 
    ap=ap@entry=0xffff84806a1d5d78) at /usr/src/sys/kern/subr_prf.c:335
335             cpu_reboot(bootopt, NULL);
(gdb) up
#2  0xffffffff809ec35e in panic (fmt=fmt@entry=0xffffffff813f8838 "kmem_free(%p, %zu) != allocated size %zu")
    at /usr/src/sys/kern/subr_prf.c:254
254             vpanic(fmt, ap);
(gdb) up
#3  0xffffffff809e1944 in kmem_size_check (sz=8, p=0xffff8412b3188200) at /usr/src/sys/kern/subr_kmem.c:549
549                     panic("kmem_free(%p, %zu) != allocated size %zu",
(gdb) list
544     
545             hd = (struct kmem_header *)p;
546             hsz = hd->size;
547     
548             if (hsz != sz) {
549                     panic("kmem_free(%p, %zu) != allocated size %zu",
550                         (const uint8_t *)p + SIZE_SIZE, sz, hsz);
551             }
552     
553             hd->size = -1;
(gdb) up
#4  kmem_intr_free (p=0xffff8412b3188200, requested_size=8) at /usr/src/sys/kern/subr_kmem.c:337
337             kmem_size_check(p, requested_size);
(gdb) up
#5  0xffffffff8047d794 in umass_detach (self=<optimized out>, flags=1) at /usr/src/sys/dev/usb/umass.c:844
844                     kmem_free(scbus, sizeof(*scbus));
(gdb) list
839                     default:
840                             /* nothing to do */
841                             break;
842                     }
843     
844                     kmem_free(scbus, sizeof(*scbus));
845                     sc->bus = NULL;
846             }
847     
848             if (rv != 0)
(gdb) quit
: dejah# ;

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay