kern/50810: Kernel page fault trap in ugenclose()

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/50810: Kernel page fault trap in ugenclose()
From: gson%gson.org@localhost (Andreas Gustafsson)
Date: Mon, 15 Feb 2016 16:55:00 +0000 (UTC)

>Number:         50810
>Category:       kern
>Synopsis:       Kernel page fault trap in ugenclose()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 15 16:55:00 +0000 2016
>Originator:     Andreas Gustafsson
>Release:        NetBSD 6.1.5, 7.0, and -current
>Organization:

>Environment:
System: NetBSD guava.gson.org 6.1.5 NetBSD 6.1.5 (GENERIC) amd64
Architecture: x86_64
Machine: amd64
>Description:

When I try to scan a document using the "scanimage" program from
version 1.0.25 of the sane-backends package and a Fujitsu ScanSnap
S1500 scanner, my system crashes with a fatal page fault in
ugenclose().

This happens with 6.1.5, 7.0. and -current.  The scanimage program
from earlier versions of sane-backends does not trigger the crash.

From the crash dump, I have determined that the crash happens when
ugenclose() dereferences sce->edesc, which is NULL.

The following patch prevents the crash, but it's probably not a
correct and complete fix since there are other places where sce->edesc
is checked for NULL only within "#ifdef DIAGNOSTIC", so presumably
that condition is not supposed to arise in the first place.
Also, it only prevents the crash, it does not make the scan succeed.

Index: ugen.c
===================================================================
RCS file: /bracket/repo/src/sys/dev/usb/ugen.c,v
retrieving revision 1.126
diff -u -r1.126 ugen.c
--- ugen.c	20 Sep 2014 08:45:23 -0000	1.126
+++ ugen.c	9 Feb 2016 19:56:22 -0000
@@ -544,6 +544,12 @@
 		usbd_close_pipe(sce->pipeh);
 		sce->pipeh = NULL;
 
+		if (sce->edesc == NULL) {
+			printf("ugenclose: endpt=%d dir=%d no edesc\n",
+			       endpt, dir);
+			continue;
+		}
+
 		switch (sce->edesc->bmAttributes & UE_XFERTYPE) {
 		case UE_INTERRUPT:
 			ndflush(&sce->q, sce->q.c_cc);

>How-To-Repeat:

If you don't happen to have a ScanSnap S1500, you can ask me to run
tests.  The problem is 100% reproducible for me.

>Fix:

Follow-Ups:
- Re: kern/50810: Kernel page fault trap in ugenclose()
  - From: Nick Hudson

Prev by Date: Re: kern/50809: pf panics while purging state
Next by Date: Re: kern/50809: pf panics while purging state
Previous by Thread: Re: lib/50698 (hypotf() of small numbers yields infinity)
Next by Thread: Re: kern/50810: Kernel page fault trap in ugenclose()
Indexes:

Home | Main Index | Thread Index | Old Index