Date: Mon, 21 Nov 2005 12:10:23 GMT
From: HPS <hselasky@c2i.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/89362: Stale references to freed memory
Message-ID: <200511211210.jALCANrW023608@www.freebsd.org>
Resent-Message-ID: <200511211220.jALCKHhN006058@freefall.freebsd.org>

>Number:         89362
>Category:       kern
>Synopsis:       Stale references to freed memory
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 21 12:20:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     HPS
>Release:        FreeBSD 7-current
>Organization:
>Environment:
FreeBSD 7-current i386

>Description:
When one sets up an interrupt handler from the "probe" method of an
ISA/PNP/PCI/USB ... device driver, the interrupt name becomes garbled,
when using "ps aux |grep irq". This is because the device system frees
the pointer returned by "device_get_nameunit(dev)" between probe and attach.

I suggest that one extends "device_t" with "char dev_nameunit[16]", and
use that, instead of allocating memory.

In general, storing any pointers returned by "device_get_nameunit(dev)" in
the "device_probe" method, for later use, will cause problems.

>How-To-Repeat:
Set up an interrupt handler from the "probe" method of a device driver.
Store the "device_get_nameunit(dev)" pointer when in the "device_probe"
method. Print it out after attach, when the pointer has been freed and
allocated again.

>Fix:
Set up the interrupt handler from the "attach" method of a device driver.
Make a copy of "device_get_nameunit(dev)" and not a reference.

>Release-Note:
>Audit-Trail:
>Unformatted:
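
The following is an added illustration, not part of the original report and not FreeBSD kernel code: a userspace C model of the reported pattern, contrasting a pointer borrowed at probe time with the copy recommended under ">Fix:". The names `model_dev`, `irq_rec` and the `model_*` functions are hypothetical stand-ins, and the model poisons the old buffer and defers its free (an assumption made so that reading the stale pointer stays well defined).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAMEUNIT_MAX 16   /* buffer size proposed in the report */
struct model_dev {        /* hypothetical stand-in for device_t */
    char *nameunit;       /* heap string owned by the bus code */
    char *retired;        /* poisoned old buffer, freed at teardown */
};
struct irq_rec {                  /* hypothetical interrupt-name record */
    const char *name_ref;         /* reported pattern: borrowed pointer */
    char name_copy[NAMEUNIT_MAX]; /* reported fix: private copy */
};

/* Models device_get_nameunit(): the caller only borrows the pointer. */
static const char *model_get_nameunit(struct model_dev *d) { return d->nameunit; }

/* Models the name being freed and reallocated between probe and attach. The
 * model poisons the old buffer and defers the free so stale reads stay defined. */
static int model_set_nameunit(struct model_dev *d, const char *name, int unit)
{
    char *n = calloc(1, NAMEUNIT_MAX);
    if (n == NULL) return -1;
    snprintf(n, NAMEUNIT_MAX, "%s%d", name, unit);
    if (d->nameunit != NULL)
        memset(d->nameunit, 0xA5, NAMEUNIT_MAX - 1);  /* keep final NUL */
    free(d->retired);
    d->retired = d->nameunit;
    d->nameunit = n;
    return 0;
}

/* Returns 1 when the borrowed pointer is garbled after reallocation while
 * the copy still reads "foo0" (constructed name); -1 on allocation failure. */
static int model_run(void)
{
    struct model_dev d = { NULL, NULL };
    struct irq_rec r;
    int rc = -1;
    if (model_set_nameunit(&d, "foo", 0) == 0) {
        r.name_ref = model_get_nameunit(&d);               /* in "probe" */
        snprintf(r.name_copy, sizeof(r.name_copy), "%s", r.name_ref);
        if (model_set_nameunit(&d, "foo", 0) == 0)         /* before "attach" */
            rc = strcmp(r.name_ref, "foo0") != 0 && strcmp(r.name_copy, "foo0") == 0;
    }
    free(d.retired);
    free(d.nameunit);
    return rc;
}
int main(void) { printf("stale reference detected: %d\n", model_run()); return 0; }
```

In a real kernel the old buffer is returned to the allocator and may be reused for unrelated data, so what a stale reader sees is unpredictable rather than a fixed poison pattern.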