Date: Fri, 12 Nov 2004 14:00:37 -0800 From: Julian Elischer <julian@elischer.org> To: usb@freebsd.org Subject: anyone seen this problem.. Message-ID: <41953285.8070405@elischer.org>
I'm working in 4.10++ plus a few MFC patches.. One of our applications regularly crashes when using a uhid device. The stack trace and core dump make me think it is a use-after-free problem.. It only happens at random intervals between 10 minutes and 1 day. Sometimes it has done 1000s of operations.. sometimes it is the 2nd.

The end of the stack trace is always:

#9  0xc0298049 in usb_allocmem (bus=0xc1bec400, size=0xc, align=0x0, p=0xc1bed53c) at ../../dev/usb/usb_mem.c:259
#10 0xc028dc6f in ehci_allocm (bus=0xc1bec400, dma=0xc1bed53c, size=0xc) at ../../dev/usb/ehci.c:1024
#11 0xc0296937 in usbd_transfer (xfer=0xc1bed500) at ../../dev/usb/usbdi.c:309
#12 0xc0297c7d in usbd_bulk_transfer (xfer=0xc1bed500, pipe=0xc1e7d680, flags=0x4, timeout=0x3e8, buf=0xc2367000, size=0xcfc06d2c, lbl=0xc

and the place it crashes is:

[in allocmem]
256         s = splusb();
257         /* Check for free fragments. */
258         for (f = LIST_FIRST(&usb_frag_freelist); f; f = LIST_NEXT(f, next))
259                 if (f->block->tag == tag)      <-------------------- here
260                         break;
261         if (f == NULL) {

It looks on analysis that something is trashing the most recent frag that was freed (i.e. the first on the list, the one pointed to by usb_frag_freelist). The first word of it (f->block) is set to either "0x00000c" or "0x1000c", where it should be a valid pointer.. It looks like it's being treated like a flag of some sort..

Does this look at all familiar to anyone?

julian (still reading code)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41953285.8070405>
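The failure mode described in the message, a freed fragment at the head of a freelist whose first word (the block pointer) has been overwritten by a stale write, reproduced as an added example. This is constructed code, not FreeBSD's usb_mem.c and not anything from the poster: the struct layout, the FRAG_MAGIC constant, the hypothetical `check` field and the TAG_EHCI tag are all assumptions made for the example. It models the allocator's freelist walk, shows how a stale write of a word like 0x1000c (flag 0x10000 | size 0xc) lands on `f->block`, and adds an integrity check that reports the clobbered word instead of dereferencing it at what would otherwise be the `f->block->tag` crash site.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the usb_mem.c fragment freelist discussed above.
 * Not FreeBSD code: the struct layout, FRAG_MAGIC and the 'check' field are
 * assumptions made for this example.
 */
struct usb_block { uint32_t tag; unsigned char mem[256]; };

struct usb_frag {
    struct usb_block *block;   /* word 0: the field seen holding 0xc / 0x1000c */
    struct usb_frag *next;     /* freelist link (LIST_NEXT in the original) */
    uintptr_t check;           /* hypothetical: block ^ FRAG_MAGIC, set on free */
};

#define FRAG_MAGIC ((uintptr_t)0xA5A5A5A5UL)
#define NFRAGS 4
#define TAG_EHCI 0x1234u       /* assumed tag value standing in for the bus tag */

static struct usb_block blk;
static struct usb_frag frags[NFRAGS];
static struct usb_frag *freelist;

static void frag_init(void) {
    freelist = NULL;
    blk.tag = TAG_EHCI;
    for (int i = 0; i < NFRAGS; i++) {
        frags[i].block = &blk;
        frags[i].next = NULL;
        frags[i].check = 0;
    }
}

/* Push a fragment on the freelist and record a checksum of its block pointer. */
static void frag_free(struct usb_frag *f) {
    f->check = (uintptr_t)f->block ^ FRAG_MAGIC;
    f->next = freelist;
    freelist = f;
}

/*
 * Walk the freelist the way usb_allocmem does, but verify each node's block
 * pointer before dereferencing it. Returns the fragment, or NULL; on
 * corruption *bad receives the clobbered word and the walk stops.
 */
static struct usb_frag *frag_alloc(uint32_t tag, uintptr_t *bad) {
    struct usb_frag *f, **link;
    *bad = 0;
    for (link = &freelist; (f = *link) != NULL; link = &f->next) {
        if (((uintptr_t)f->block ^ FRAG_MAGIC) != f->check) {
            *bad = (uintptr_t)f->block;   /* the original would deref this: f->block->tag */
            return NULL;
        }
        if (f->block->tag == tag) {
            *link = f->next;              /* unlink, like LIST_REMOVE */
            f->next = NULL;
            return f;
        }
    }
    return NULL;
}

/* Normal path: alloc, free, alloc again. No corruption, so bad stays 0. */
static uintptr_t scenario_clean(void) {
    uintptr_t bad;
    frag_init();
    frag_free(&frags[0]);
    frag_free(&frags[1]);
    struct usb_frag *f = frag_alloc(TAG_EHCI, &bad);
    if (f) frag_free(f);
    frag_alloc(TAG_EHCI, &bad);
    return bad;
}

/*
 * Use-after-free path: a stale reference to a freed fragment is written
 * through as if the memory still held a transfer's size/flags word. The
 * value mimics the report (0x10000 | 0xc). It is written as a full
 * pointer-width word so the result does not depend on sizeof(void *);
 * the report is from i386, where the whole pointer is 4 bytes.
 */
static uintptr_t scenario_uaf(void) {
    uintptr_t bad, word = 0x1000c;
    frag_init();
    frag_free(&frags[2]);
    struct usb_frag *stale = frag_alloc(TAG_EHCI, &bad);
    frag_free(stale);                       /* most recently freed: head of the list */
    memcpy(stale, &word, sizeof word);      /* stale write lands on f->block */
    frag_alloc(TAG_EHCI, &bad);             /* check fires instead of deref'ing 0x1000c */
    return bad;
}

int main(void) {
    printf("clean: bad=0x%lx\n", (unsigned long)scenario_clean());
    printf("uaf:   bad=0x%lx\n", (unsigned long)scenario_uaf());
    return 0;
}
```

The checksum only turns a silent wild dereference into a detected one; it does not fix the stale write, and a writer that clobbers both `block` and `check` consistently would slip past it. In a kernel the detection branch would log the offending word and the fragment address (and probably panic) so the stale reference can be traced back to whichever transfer still held the fragment.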