From owner-freebsd-usb@FreeBSD.ORG Fri Nov 12 22:07:08 2004
From: Julian Elischer <julian@elischer.org>
Date: Fri, 12 Nov 2004 14:07:08 -0800
To: Julian Elischer
Cc: usb@freebsd.org
Subject: Re: anyone seen this problem..
Message-ID: <4195340C.6030201@elischer.org>
In-Reply-To: <41953285.8070405@elischer.org>
List-Id: FreeBSD support for USB (freebsd-usb@freebsd.org)

Julian Elischer wrote:
>
> I'm working in 4.10++ plus a few MFC patches..
>
> One of our applications regularly crashes when using a uhid device.
                                                           ^^^^^ ugen
> The stack trace and core dump make me think it is a use-after-free
> problem..
> It only happens at random intervals between 10 minutes and 1 day.
> Sometimes it has done 1000s of operations.. sometimes it is the 2nd.
>
>
> The end of the stack trace is always:
>
> #9  0xc0298049 in usb_allocmem (bus=0xc1bec400, size=0xc, align=0x0,
>     p=0xc1bed53c) at ../../dev/usb/usb_mem.c:259
> #10 0xc028dc6f in ehci_allocm (bus=0xc1bec400, dma=0xc1bed53c,
>     size=0xc) at ../../dev/usb/ehci.c:1024
> #11 0xc0296937 in usbd_transfer (xfer=0xc1bed500) at
>     ../../dev/usb/usbdi.c:309
> #12 0xc0297c7d in usbd_bulk_transfer (xfer=0xc1bed500,
>     pipe=0xc1e7d680, flags=0x4, timeout=0x3e8, buf=0xc2367000,
>     size=0xcfc06d2c, lbl=0xc
>
> and the place it crashes is:
> [in allocmem]
> 256         s = splusb();
> 257         /* Check for free fragments. */
> 258         for (f = LIST_FIRST(&usb_frag_freelist); f; f = LIST_NEXT(f, next))
> 259                 if (f->block->tag == tag)          <--------------------here
> 260                         break;
> 261         if (f == NULL) {
>
> It looks on analysis that something is trashing the most recent frag
> that was freed
> (i.e. the first on the list, the one pointed to by usb_frag_freelist.)
>
> The first word of it (f->block) is set to either "0x00000c" or "0x1000c",
> where it should be a valid pointer..
> It looks like it's being treated like a flag of some sort..
>
> Does this look at all familiar to anyone?
>
> julian
> (still reading code)
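Added example, not code from the thread or from the FreeBSD tree: a user-space model of the fragment freelist that the trace walks, with a shadow copy of the first word recorded at free time, so a freed fragment whose `block` word has been overwritten (the symptom described above) is reported instead of dereferenced. The struct layout, the `block_shadow` field, the helper names and the tag value are assumptions.

```c
/* Added example, not code from the thread: a user-space model of the usb_mem.c
 * fragment freelist walked at usb_mem.c:258-260, with a shadow copy of the
 * first word recorded at free time, so a write into the most recently freed
 * fragment is reported instead of dereferenced. Layout and names are assumed. */
#include <stddef.h>
#include <stdint.h>
struct usb_dma_block { int tag; };
struct usb_frag_dma {
    struct usb_dma_block *block;        /* first word: found as 0xc / 0x1000c */
    struct usb_frag_dma *next;          /* LIST_ENTRY(next) in the real code */
    struct usb_dma_block *block_shadow; /* debug copy taken when freed (assumed) */
};
static struct usb_frag_dma *usb_frag_freelist;  /* head = most recently freed */

static void usb_frag_free(struct usb_frag_dma *f) {
    f->block_shadow = f->block;
    f->next = usb_frag_freelist;                 /* LIST_INSERT_HEAD */
    usb_frag_freelist = f;
}

/* The freelist loop from usb_allocmem, checking before touching f->block->tag.
 * Returns the matching fragment or NULL; *bad receives the trashed word. */
static struct usb_frag_dma *usb_frag_find(int tag, uintptr_t *bad) {
    struct usb_frag_dma *f;
    *bad = 0;
    for (f = usb_frag_freelist; f != NULL; f = f->next) {
        if (f->block != f->block_shadow) {       /* freed memory was written */
            *bad = (uintptr_t)f->block;
            return NULL;
        }
        if (f->block->tag == tag)
            break;
    }
    return f;
}

/* Reproduce the symptom: free a fragment, keep a stale pointer to it, and store
 * a small integer through it (0xc, the size in the trace, is just a stand-in). */
static uintptr_t demo_stale_write(void) {
    static struct usb_dma_block blk = { 42 };
    static struct usb_frag_dma frag;
    struct usb_frag_dma *stale = &frag;
    uintptr_t bad;
    usb_frag_freelist = NULL;                    /* fresh list on every run */
    frag.block = &blk;
    usb_frag_free(&frag);
    stale->block = (struct usb_dma_block *)0xc;  /* the write-after-free */
    (void)usb_frag_find(42, &bad);
    return bad;                                  /* 0xc: reported, not crashed */
}
```

In a kernel build the same idea is a debug-only field plus a check under a compile-time option, so the walk reports the corrupted fragment and its bad word before the dereference that currently faults at line 259.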