Date:      Fri, 12 Nov 2004 14:07:08 -0800
From:      Julian Elischer <julian@elischer.org>
To:        Julian Elischer <julian@elischer.org>
Cc:        usb@freebsd.org
Subject:   Re: anyone seen this problem..
Message-ID:  <4195340C.6030201@elischer.org>
In-Reply-To: <41953285.8070405@elischer.org>
References:  <41953285.8070405@elischer.org>



Julian Elischer wrote:

>
> I'm working in 4.10++  plus a few MFC patches..
>
> One of our applications regularly crashes when using a uhid device. 
                                                         ^^^^ ugen

> The stack trace and core dump makes me think it is a use-after-free 
> problem..
> It only happens at random intervals between 10 minutes and 1 day.
> Sometimes it has done 1000s of operations.. sometimes it is the 2nd.
>
>
> The end of the stack trace is always:
>
> #9  0xc0298049 in usb_allocmem (bus=0xc1bec400, size=0xc, align=0x0, 
> p=0xc1bed53c) at ../../dev/usb/usb_mem.c:259
> #10 0xc028dc6f in ehci_allocm (bus=0xc1bec400, dma=0xc1bed53c, 
> size=0xc) at ../../dev/usb/ehci.c:1024
> #11 0xc0296937 in usbd_transfer (xfer=0xc1bed500) at 
> ../../dev/usb/usbdi.c:309
> #12 0xc0297c7d in usbd_bulk_transfer (xfer=0xc1bed500, 
> pipe=0xc1e7d680, flags=0x4, timeout=0x3e8, buf=0xc2367000, 
> size=0xcfc06d2c, lbl=0xc
>
> and the place it crashes is:
> [in allocmem]
> 256             s = splusb();
> 257             /* Check for free fragments. */
> 258             for (f = LIST_FIRST(&usb_frag_freelist); f; f = LIST_NEXT(f, next))
> 259                     if (f->block->tag == tag)      <--------------------here
> 260                             break;
> 261             if (f == NULL) {
>
> it looks on analysis that something is trashing the most recent frag 
> that was freed
> (i.e. the first on the list, the one pointed to by usb_frag_freelist.)
>
> The first word of it (f->block) is set to either "0x00000c" or 
> "0x1000c",
> where it should be a valid pointer..
> It looks like it's being treated like a flag of some sort..
>
> Does this look at all familiar to anyone?
>
> julian
> (still reading code)
>
> _______________________________________________
> freebsd-usb@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-usb
> To unsubscribe, send any mail to "freebsd-usb-unsubscribe@freebsd.org"
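The report above describes a freelist whose head entry gets its first word (f->block) overwritten with a small integer before usb_allocmem dereferences it. The following is an added, constructed C model of that situation, not FreeBSD code: it keeps a hand-rolled singly linked list in place of the queue(3) LIST_* macros, a fixed set of owned blocks, and a freelist_check() that validates every frag's block pointer against the owned set before the tag loop at usb_mem.c:259 runs. simulate_trashed_head() reproduces the symptom by writing the 0xc value from the report into the head frag and shows that the check reports position 0 instead of the allocator following a bogus pointer. All names (usb_block, usb_frag, frag_alloc, frag_free, freelist_check) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the frag freelist from the mail; not the driver's code. */
#define NBLOCKS 2
#define NFRAGS  4

struct usb_block { int tag; };          /* stands in for a DMA block and its tag */
struct usb_frag {
    struct usb_block *block;            /* first word: the pointer the report says gets trashed */
    struct usb_frag *next;              /* hand-rolled stand-in for LIST_ENTRY(next) */
};

static struct usb_block blocks[NBLOCKS];
static struct usb_frag  frags[NFRAGS];
static struct usb_frag *freelist;       /* models usb_frag_freelist */

/* Build two blocks (tags 100, 101) and put all frags on the freelist. */
static void frag_init(void) {
    freelist = NULL;
    for (int i = 0; i < NBLOCKS; i++) blocks[i].tag = 100 + i;
    for (int i = 0; i < NFRAGS; i++) {
        frags[i].block = &blocks[i % NBLOCKS];
        frags[i].next = freelist;
        freelist = &frags[i];
    }
}

/* Is p the address of a block this allocator owns? */
static bool block_is_valid(const struct usb_block *p) {
    for (int i = 0; i < NBLOCKS; i++)
        if (p == &blocks[i]) return true;
    return false;
}

/* Walk the freelist; return the position of the first frag whose block
   pointer is not an owned block, or -1 when the list is intact. */
static int freelist_check(void) {
    int pos = 0;
    for (struct usb_frag *f = freelist; f; f = f->next, pos++)
        if (!block_is_valid(f->block)) return pos;
    return -1;
}

/* Mirrors the loop at usb_mem.c:259: take the first free frag whose block
   carries the wanted tag. Refuses to run the loop over a corrupted list. */
static struct usb_frag *frag_alloc(int tag) {
    if (freelist_check() != -1) return NULL;   /* corruption detected, not dereferenced */
    for (struct usb_frag **pp = &freelist; *pp; pp = &(*pp)->next) {
        if ((*pp)->block->tag == tag) {
            struct usb_frag *f = *pp;
            *pp = f->next;                     /* unlink */
            f->next = NULL;
            return f;
        }
    }
    return NULL;                               /* no free frag for this tag */
}

/* Push a frag back; it becomes the head, like the "most recent frag freed". */
static void frag_free(struct usb_frag *f) {
    f->next = freelist;
    freelist = f;
}

/* Reproduce the symptom: a stale user overwrites the first word of the
   most recently freed frag with 0xc (the "0x00000c" from the report).
   Returns what freelist_check() reports afterwards: 0, the head frag. */
static int simulate_trashed_head(void) {
    frag_init();
    struct usb_frag *f = frag_alloc(100);
    frag_free(f);                              /* f is now the freelist head */
    f->block = (struct usb_block *)(uintptr_t)0xc;   /* constructed corruption */
    return freelist_check();
}

int main(void) {
    int pos = simulate_trashed_head();
    printf("first corrupt frag at freelist position %d\n", pos);
    printf("frag_alloc(100) after corruption -> %s\n",
           frag_alloc(100) == NULL ? "refused" : "allocated");
    return 0;
}
```

Running the check on every allocation is only sensible while chasing a bug like this one; the point is that the list walk itself, not the later use of the frag, is where a trashed head first becomes observable, so a validation pass right there turns a random crash into a deterministic report of which entry was hit.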




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4195340C.6030201>