NetBSD-Bugs archive


kern/48963: kmem_free size mismatch causes panic when attaching urndis(4).



>Number:         48963
>Category:       kern
>Synopsis:       kmem_free size mismatch causes panic when attaching urndis(4).
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 04 18:10:00 +0000 2014
>Originator:     Yasushi Oshima
>Release:        NetBSD-current
>Organization:
>Environment:
NetBSD jaguar 6.99.45 NetBSD 6.99.45 (GENERIC) #2: Sat Jul  5 01:52:30 JST 2014 root@sweety:/export/current/daily/20140705/obj/amd64/sys/arch/amd64/compile/GENERIC amd64

>Description:
When attaching a urndis(4) device, a kernel panic occurs.

urndis0 at uhub1 port 2 configuration 2 interface 0
urndis0: NEC AccessTechnica,Ltd. LTE Mobile Router, rev 2.00/1.00, addr 2
urndis0: address XX:XX:XX:XX:XX:XX
panic: kmem_free(0xfffffe811d936f40, 28) != allocated size 32

This problem is caused by the size passed to kmem_free() differing from the size
used at kmem_alloc() time in urndis_ctrl_query() / urndis_ctrl_set().

This mismatch exists in netbsd-6, too.

>How-To-Repeat:
Attach urndis(4) device.

>Fix:
--- if_urndis.c 17 Oct 2013 21:07:37 -0000      1.6
+++ if_urndis.c 4 Jul 2014 17:04:26 -0000
@@ -513,7 +513,7 @@
            le32toh(msg->rm_devicevchdl)));
 
        rval = urndis_ctrl_send(sc, msg, sizeof(*msg));
-       kmem_free(msg, sizeof(*msg));
+       kmem_free(msg, sizeof(*msg) + qlen);
 
        if (rval != RNDIS_STATUS_SUCCESS) {
                printf("%s: query failed\n", DEVNAME(sc));
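Review bot: the freed size is now computed by hand, separately from the allocation it has to match; consider capturing the total once at the kmem_alloc() call (e.g. `size_t msglen = sizeof(*msg) + qlen;`) and passing `msglen` to both the allocation and this kmem_free(), so a later change to the message layout cannot reintroduce the mismatch. It is also worth checking whether urndis_ctrl_query() has any other exit path that frees `msg` between the allocation and the call to urndis_ctrl_send(); this hunk only corrects the free that follows the send. The reported panic, `kmem_free(..., 28) != allocated size 32`, is consistent with sizeof(*msg) being 28 and qlen being 4 for this device, so the corrected expression yields exactly the 32 bytes the allocator recorded.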
@@ -566,7 +566,7 @@
            le32toh(msg->rm_devicevchdl)));
 
        rval = urndis_ctrl_send(sc, msg, sizeof(*msg));
-       kmem_free(msg, sizeof(*msg));
+       kmem_free(msg, sizeof(*msg) + len);
 
        if (rval != RNDIS_STATUS_SUCCESS) {
                printf("%s: set failed\n", DEVNAME(sc));
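Review bot: `len` here plays the same role as `qlen` in the query hunk (the payload appended after the message header), and both functions now repeat the same allocate-header-plus-payload, free-header-plus-payload pattern with the size derived independently at each site; a single size variable per function, or a small shared helper that allocates and frees the message, would make the free unconditionally agree with the allocation in both urndis_ctrl_query() and urndis_ctrl_set(). Since the report states that the same mismatch exists in netbsd-6, the same two-line change should be requested for that branch once this is committed.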


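As an added illustration of the size bookkeeping behind the reported panic (example code written for this page, not part of the bug report or of if_urndis.c): a small userland allocator that records each request's size the way a size-checking kmem_free() does, plus a message builder with a hypothetical fixed header followed by a variable-length query payload. query_free_buggy() mirrors the pre-patch call kmem_free(msg, sizeof(*msg)); query_free_fixed() mirrors the patched call with sizeof(*msg) + qlen. The struct layout and every function name are assumptions made for the example, not the driver's or the kernel's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Size-recording allocator standing in for kmem_alloc()/kmem_free() (an
 * assumed model, not the real kmem implementation): the request size is
 * kept in a hidden header in front of the block and the free must quote
 * the same size back.
 */
struct alloc_hdr {
    size_t size;
    size_t pad;     /* keeps the user pointer 16-byte aligned */
};

static void *
tracked_alloc(size_t size)
{
    struct alloc_hdr *h = malloc(sizeof(*h) + size);

    if (h == NULL)
        return NULL;
    h->size = size;
    return h + 1;
}

/*
 * Returns 0 and releases the block when the size matches the allocation;
 * returns -1 and leaves the block untouched otherwise (where the kernel
 * would panic with "kmem_free(...) != allocated size").
 */
static int
tracked_free(void *p, size_t size)
{
    struct alloc_hdr *h = (struct alloc_hdr *)p - 1;

    if (h->size != size) {
        fprintf(stderr, "tracked_free(%p, %zu) != allocated size %zu\n",
            p, size, h->size);
        return -1;
    }
    free(h);
    return 0;
}

/* Hypothetical fixed header; a qlen-byte query buffer follows it in memory. */
struct query_msg {
    uint32_t type;
    uint32_t len;           /* header plus payload, as sent on the wire */
    uint32_t oid;
    uint32_t infobuflen;
    uint32_t infobufoffset;
};

/* Allocate header and payload as one block, the same shape as the driver's. */
static struct query_msg *
query_build(uint32_t oid, const void *qbuf, size_t qlen)
{
    struct query_msg *msg = tracked_alloc(sizeof(*msg) + qlen);

    if (msg == NULL)
        return NULL;
    msg->type = 4;                                  /* constructed value */
    msg->len = (uint32_t)(sizeof(*msg) + qlen);
    msg->oid = oid;
    msg->infobuflen = (uint32_t)qlen;
    msg->infobufoffset = (uint32_t)(sizeof(*msg) - 2 * sizeof(uint32_t));
    if (qlen > 0)
        memcpy(msg + 1, qbuf, qlen);    /* payload sits right after the header */
    return msg;
}

/* Pre-patch pattern: quotes only the header's worth of bytes. */
static int
query_free_buggy(struct query_msg *msg)
{
    return tracked_free(msg, sizeof(*msg));
}

/* Patched pattern: quotes the full allocation, header plus payload. */
static int
query_free_fixed(struct query_msg *msg, size_t qlen)
{
    return tracked_free(msg, sizeof(*msg) + qlen);
}

/* Allocate alloc_size bytes and try to free free_size bytes; -1 on mismatch. */
static int
alloc_check(size_t alloc_size, size_t free_size)
{
    void *p = tracked_alloc(alloc_size);
    int rv;

    if (p == NULL)
        return 1;
    rv = tracked_free(p, free_size);
    if (rv != 0)
        tracked_free(p, alloc_size);    /* clean up after the rejected free */
    return rv;
}

/*
 * Build a query with a constructed 4-byte payload, run the buggy free, then
 * the fixed one. Returns 0 when the buggy free is rejected and the fixed
 * one is accepted.
 */
static int
demo(void)
{
    uint32_t payload = 0x12345678;      /* constructed query value */
    struct query_msg *msg = query_build(0x00010101, &payload, sizeof(payload));
    int buggy, fixed;

    if (msg == NULL)
        return 1;
    buggy = query_free_buggy(msg);                  /* rejected: 20 != 24 */
    fixed = query_free_fixed(msg, sizeof(payload)); /* accepted, block released */
    return (buggy == -1 && fixed == 0) ? 0 : 1;
}

int
main(void)
{
    printf("alloc 32 / free 28: %d\n", alloc_check(32, 28));
    printf("alloc 32 / free 32: %d\n", alloc_check(32, 32));
    printf("demo: %d\n", demo());
    return 0;
}
```

The 32/28 pair in alloc_check() reproduces the numbers from the panic line; the driver hit it because sizeof(*msg) was used at the free while sizeof(*msg) + qlen had been used at the allocation, exactly the gap the two hunks close.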
