Current-Users archive


Re: Recent USB changes broke kernel memory allocation



Fixed now. If you update the tree to have sys/dev/usb/umass.c rev.
1.174 you'll get the fixed files.

Jaromir

On Sun, 10 Feb 2019 at 19:31, Tom Ivar Helbekkmo
<tih%hamartun.priv.no@localhost> wrote:
>
> It seems that changes made to USB code on February 7th broke the kernel
> memory allocation arena.  After that point, it is enough to insert a USB
> memory stick into my amd64 laptop, and then remove it, to make the
> kernel crash.  It seems the changes to the allocating and freeing calls
> got a bit messed up, leading to internal disagreements about item sizes,
> at least in the umass code:
>
> : dejah# ;cd /var/crash
> : dejah# ;dmesg -N netbsd.26 -M netbsd.26.core | tail -23
> [  1525.390177] umass0: SMI Corporation (0x90c) USB DISK (0x1000), rev 2.00/11.00, addr 2
> [  1525.390177] umass0: using SCSI over Bulk-Only
> [  1525.390177] scsibus0 at umass0: 2 targets, 1 lun per target
> [  1525.660323] sd0 at scsibus0 target 0 lun 0: <S31B1103, USB DISK, 1100> disk removable
> [  1525.660323] sd0: 3864 MB, 7872 cyl, 16 head, 63 sec, 512 bytes/sect x 7913472 sectors
> [  1537.266612] sd0: detached
> [  1537.266612] scsibus0: detached
> [  1537.266612] panic: kmem_free(0xffff8412b3188208, 8) != allocated size 472
> [  1537.266612] cpu1: Begin traceback...
> [  1537.266612] vpanic() at netbsd:vpanic+0x16f
> [  1537.266612] snprintf() at netbsd:snprintf
> [  1537.266612] kmem_alloc() at netbsd:kmem_alloc
> [  1537.266612] umass_detach() at netbsd:umass_detach+0xe1
> [  1537.266612] config_detach() at netbsd:config_detach+0x121
> [  1537.266612] usb_disconnect_port() at netbsd:usb_disconnect_port+0xb8
> [  1537.266612] uhub_explore() at netbsd:uhub_explore+0x221
> [  1537.266612] usb_discover.isra.2() at netbsd:usb_discover.isra.2+0x68
> [  1537.266612] usb_event_thread() at netbsd:usb_event_thread+0x77
> [  1537.266612] cpu1: End traceback...
>
> [  1537.266612] dumping to dev 0,1 (offset=1472, size=1045482):
> [  1537.266612] dump
> : dejah# ;gdb netbsd.gdb
> GNU gdb (GDB) 8.0.1
> Copyright (C) 2017 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64--netbsd".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from netbsd.gdb...done.
> (gdb) target kvm netbsd.26.core
> 0xffffffff80222d75 in cpu_reboot (howto=howto@entry=260, bootstr=bootstr@entry=0x0)
>     at /usr/src/sys/arch/amd64/amd64/machdep.c:726
> 726                     dumpsys();
> (gdb) bt
> #0  0xffffffff80222d75 in cpu_reboot (howto=howto@entry=260, bootstr=bootstr@entry=0x0)
>     at /usr/src/sys/arch/amd64/amd64/machdep.c:726
> #1  0xffffffff809ec2c7 in vpanic (fmt=fmt@entry=0xffffffff813f8838 "kmem_free(%p, %zu) != allocated size %zu",
>     ap=ap@entry=0xffff84806a1d5d78) at /usr/src/sys/kern/subr_prf.c:335
> #2  0xffffffff809ec35e in panic (fmt=fmt@entry=0xffffffff813f8838 "kmem_free(%p, %zu) != allocated size %zu")
>     at /usr/src/sys/kern/subr_prf.c:254
> #3  0xffffffff809e1944 in kmem_size_check (sz=8, p=0xffff8412b3188200) at /usr/src/sys/kern/subr_kmem.c:549
> #4  kmem_intr_free (p=0xffff8412b3188200, requested_size=8) at /usr/src/sys/kern/subr_kmem.c:337
> #5  0xffffffff8047d794 in umass_detach (self=<optimized out>, flags=1) at /usr/src/sys/dev/usb/umass.c:844
> #6  0xffffffff809d337b in config_detach (dev=dev@entry=0xffff8412a6f78908, flags=flags@entry=1)
>     at /usr/src/sys/kern/subr_autoconf.c:1748
> #7  0xffffffff804697df in usb_disconnect_port (up=up@entry=0xffff84129e303210, parent=<optimized out>,
>     flags=flags@entry=1) at /usr/src/sys/dev/usb/usb_subr.c:1665
> #8  0xffffffff8046a3a2 in uhub_explore (dev=0xffff84129e2fae20) at /usr/src/sys/dev/usb/uhub.c:637
> #9  0xffffffff80463e47 in usb_discover (sc=<optimized out>, sc=<optimized out>) at /usr/src/sys/dev/usb/usb.c:1004
> #10 0xffffffff80463f0e in usb_event_thread (arg=0xffff84129e16bf68) at /usr/src/sys/dev/usb/usb.c:562
> #11 0xffffffff802097c7 in lwp_trampoline ()
> #12 0x0000000000000000 in ?? ()
> (gdb) up
> #1  0xffffffff809ec2c7 in vpanic (fmt=fmt@entry=0xffffffff813f8838 "kmem_free(%p, %zu) != allocated size %zu",
>     ap=ap@entry=0xffff84806a1d5d78) at /usr/src/sys/kern/subr_prf.c:335
> 335             cpu_reboot(bootopt, NULL);
> (gdb) up
> #2  0xffffffff809ec35e in panic (fmt=fmt@entry=0xffffffff813f8838 "kmem_free(%p, %zu) != allocated size %zu")
>     at /usr/src/sys/kern/subr_prf.c:254
> 254             vpanic(fmt, ap);
> (gdb) up
> #3  0xffffffff809e1944 in kmem_size_check (sz=8, p=0xffff8412b3188200) at /usr/src/sys/kern/subr_kmem.c:549
> 549                     panic("kmem_free(%p, %zu) != allocated size %zu",
> (gdb) list
> 544
> 545             hd = (struct kmem_header *)p;
> 546             hsz = hd->size;
> 547
> 548             if (hsz != sz) {
> 549                     panic("kmem_free(%p, %zu) != allocated size %zu",
> 550                         (const uint8_t *)p + SIZE_SIZE, sz, hsz);
> 551             }
> 552
> 553             hd->size = -1;
> (gdb) up
> #4  kmem_intr_free (p=0xffff8412b3188200, requested_size=8) at /usr/src/sys/kern/subr_kmem.c:337
> 337             kmem_size_check(p, requested_size);
> (gdb) up
> #5  0xffffffff8047d794 in umass_detach (self=<optimized out>, flags=1) at /usr/src/sys/dev/usb/umass.c:844
> 844                     kmem_free(scbus, sizeof(*scbus));
> (gdb) list
> 839                     default:
> 840                             /* nothing to do */
> 841                             break;
> 842                     }
> 843
> 844                     kmem_free(scbus, sizeof(*scbus));
> 845                     sc->bus = NULL;
> 846             }
> 847
> 848             if (rv != 0)
> (gdb) quit
> : dejah# ;
>
> -tih
> --
> Most people who graduate with CS degrees don't understand the significance
> of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay
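The panic above comes from kmem's size accounting: each allocation carries a header recording the size that was requested, and kmem_free() compares the caller's size against it. The following C program is an added example that models that check; it is not code from this thread and not NetBSD's subr_kmem.c or umass.c. The demo_* names, the one-word header layout, the 472-byte struct demo_bus (the number is taken from the panic message, the contents are made up) and the pointer-to-pointer alias that yields an 8-byte sizeof are all assumptions chosen to reproduce the shape of the mismatch (8 versus 472); the page does not say what the actual defect or the fix in umass.c 1.174 was.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Header kept in front of each allocation, recording the size the caller
 * asked for. NetBSD's kmem does the same with struct kmem_header when
 * size checking is compiled in; the layout here is a simplified assumption. */
struct demo_header {
    size_t size;
};
#define DEMO_HDR_SIZE sizeof(struct demo_header)

/* Recorded only when a mismatch is detected, so that a later correct free
 * does not overwrite the evidence. */
static size_t demo_mismatch_req;
static size_t demo_mismatch_rec;

size_t demo_mismatch_requested(void) { return demo_mismatch_req; }
size_t demo_mismatch_recorded(void)  { return demo_mismatch_rec; }

void *demo_alloc(size_t sz)
{
    struct demo_header *hd = malloc(DEMO_HDR_SIZE + sz);
    if (hd == NULL)
        return NULL;
    hd->size = sz;
    return (uint8_t *)hd + DEMO_HDR_SIZE;
}

/* Size-checked free in the spirit of kmem_size_check(): returns 0 after
 * freeing when the caller's size matches the header, -1 (memory left intact)
 * when it does not. The kernel panics at that point instead of returning. */
int demo_free(void *p, size_t sz)
{
    struct demo_header *hd = (struct demo_header *)((uint8_t *)p - DEMO_HDR_SIZE);
    if (hd->size != sz) {
        demo_mismatch_req = sz;
        demo_mismatch_rec = hd->size;
        return -1;
    }
    hd->size = (size_t)-1;  /* poison the header, as subr_kmem.c does */
    free(hd);
    return 0;
}

/* Stand-in for the per-bus state umass_detach() frees; 472 bytes is the
 * "allocated size" from the panic, the contents are invented. */
struct demo_bus {
    uint8_t opaque[472];
};

/* Correct pairing: the free names the same object type the alloc did. */
int demo_detach_correct(void)
{
    struct demo_bus *bus = demo_alloc(sizeof(*bus));
    if (bus == NULL)
        return -1;
    return demo_free(bus, sizeof(*bus));
}

/* Mismatched pairing: the free goes through an alias whose static type is a
 * pointer to pointer, so sizeof(*scbus) is sizeof(void *) (8 on amd64), not
 * sizeof(struct demo_bus). The size check catches it; without the check this
 * would silently return the wrong number of bytes to the allocator. */
int demo_detach_wrong_size(void)
{
    struct demo_bus *bus = demo_alloc(sizeof(*bus));
    if (bus == NULL)
        return -1;
    void **scbus = (void **)bus;  /* assumed type-confused alias of the same object */
    int rv = demo_free(scbus, sizeof(*scbus));
    if (rv != 0)
        demo_free(bus, sizeof(*bus));  /* release it properly so the demo does not leak */
    return rv;
}

int main(void)
{
    int rv_ok = demo_detach_correct();
    int rv_bad = demo_detach_wrong_size();
    printf("correct free: %d\n", rv_ok);
    printf("wrong-size free: %d (kmem_free(%zu) != allocated size %zu)\n",
        rv_bad, demo_mismatch_requested(), demo_mismatch_recorded());
    return 0;
}
```

The point of the check is that the free side has no way to know the object's real size unless it is recorded somewhere; an allocator that only takes a pointer would have accepted the 8-byte free and corrupted its free lists. Building kernels with the size check enabled turns that latent corruption into the immediate, attributable panic seen here.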

