NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/50810: Kernel page fault trap in ugenclose()

>Number:         50810
>Category:       kern
>Synopsis:       Kernel page fault trap in ugenclose()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 15 16:55:00 +0000 2016
>Originator:     Andreas Gustafsson
>Release:        NetBSD 6.1.5, 7.0, and -current

System: NetBSD 6.1.5 NetBSD 6.1.5 (GENERIC) amd64
Architecture: x86_64
Machine: amd64

When I try to scan a document using the "scanimage" program from
version 1.0.25 of the sane-backends package and a Fujitsu ScanSnap
S1500 scanner, my system crashes with a fatal page fault in

This happens with 6.1.5, 7.0. and -current.  The scanimage program
from earlier versions of sane-backends does not trigger the crash.

From the crash dump, I have determined that the crash happens when
ugenclose() dereferences sce->edesc, which is NULL.

The following patch prevents the crash, but it's probably not a
correct and complete fix since there are other places where sce->edesc
is checked for NULL only within "#ifdef DIAGNOSTIC", so presumably
that condition is not supposed to arise in the first place.
Also, it only prevents the crash, it does not make the scan succeed.

Index: ugen.c
RCS file: /bracket/repo/src/sys/dev/usb/ugen.c,v
retrieving revision 1.126
diff -u -r1.126 ugen.c
--- ugen.c	20 Sep 2014 08:45:23 -0000	1.126
+++ ugen.c	9 Feb 2016 19:56:22 -0000
@@ -544,6 +544,12 @@
 		sce->pipeh = NULL;
+		if (sce->edesc == NULL) {
+			printf("ugenclose: endpt=%d dir=%d no edesc\n",
+			       endpt, dir);
+			continue;
+		}
 		switch (sce->edesc->bmAttributes & UE_XFERTYPE) {
 			ndflush(&sce->q, sce->q.c_cc);


If you don't happen to have a ScanSnap S1500, you can ask me to run
tests.  The problem is 100% reproducible for me.


Home | Main Index | Thread Index | Old Index