q: Memory modified after free in usb2

Sam Leffler sam at freebsd.org
Thu Mar 26 09:46:08 PDT 2009


Weongyo Jeong wrote:
> On Wed, Mar 25, 2009 at 10:46:54AM +0100, Hans Petter Selasky wrote:
>   
>> On Wednesday 25 March 2009, Weongyo Jeong wrote:
>>     
>>> Hello Hans :),
>>>
>>> I think porting uath(4) to usb is almost done: it works well to
>>> associate with an AP and for WPA, but I'm suffering from a strange panic
>>> after detach, as follows:
>>>
>>>   Memory modified after free 0xc4da3600(508) val=24000000 @ 0xc4da3600
>>>   panic: Most recently used by USBdev
>>>
>>>   cpuid = 0
>>>   KDB: enter: panic
>>>   [thread pid 17 tid 100036 ]
>>>   Stopped at      kdb_enter+0x3a: movl    $0,kdb_why
>>>
>>> The detach step is as follows:
>>>
>>>   usb2_transfer_unsetup(sc->sc_xfer, UATH_N_XFERS);
>>>   ...
>>>   uath_free_rx_data_list(sc);
>>>   uath_free_tx_data_list(sc);
>>>   uath_free_cmd_list(sc, sc->sc_cmd, UATH_CMD_LIST_COUNT);
>>>
>>> I've checked for all memory leaks or calls after freeing memory, but it
>>> looks like it's not a driver problem.
>>>
>>> To solve this problem I modified the code slightly, as below:
>>>
>>>   usb2_transfer_unsetup(sc->sc_xfer, UATH_N_XFERS);
>>>   usb2_pause_mtx(NULL, 5 * hz);
>>>   ...
>>>   uath_free_rx_data_list(sc);
>>>   uath_free_tx_data_list(sc);
>>>   uath_free_cmd_list(sc, sc->sc_cmd, UATH_CMD_LIST_COUNT);
>>>
>>> After adding it I couldn't see `Memory modified after free' messages
>>> anymore.  My question is that I can't understand why adding
>>> usb2_pause_mtx() helps this symptom?
>>>       
>> Did you drain all the taskqueues before unsetup ?
>>     
>
> It looks like I found the problem: some tasks run by net80211 cause
> it.  It looks like calling usb2_transfer_unsetup() after
> ieee80211_ifdetach(ic) solves the problem.  Thanks!
>   
ieee80211_ifdetach may call back into the driver (e.g. if you're 
associated in sta mode and the state machine wants to notify the ap to 
disassociate).  Reordering the calls is the right thing to do.

    Sam
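
The ordering issue discussed in this thread, as an added example that is not part of the original messages or of the uath(4) driver: a user-space toy model in which "freed" transfer memory is filled with a poison pattern and later checked for changes, the way the kernel's debug allocator produces the `Memory modified after free` panic. All `toy_*` and `detach_*` names and the written value are hypothetical; no real USB or net80211 API is called.

```c
#include <stdint.h>
#include <stdio.h>
#define POISON     0xdeadc0deu  /* junk written on free; FreeBSD's UMA debug code uses this value */
#define XFER_WORDS 8

/* Toy stand-in for the driver softc; every toy_* and detach_* name is hypothetical. */
struct toy_softc { uint32_t xfer_buf[XFER_WORDS]; };  /* memory owned by the USB transfers */

/* Models usb2_transfer_unsetup(): the transfer memory is freed and poisoned. */
static void toy_transfer_unsetup(struct toy_softc *sc) {
    for (int i = 0; i < XFER_WORDS; i++)
        sc->xfer_buf[i] = POISON;
}

/* Models ieee80211_ifdetach(): it may call back into the driver, which
 * queues a frame (e.g. a disassociation) by writing into transfer memory. */
static void toy_ifdetach(struct toy_softc *sc) {
    sc->xfer_buf[0] = 0x00c0ffeeu;  /* constructed sample value */
}

/* Models the allocator's check: count words that no longer hold the poison. */
static int toy_modified_after_free(const struct toy_softc *sc) {
    int n = 0;
    for (int i = 0; i < XFER_WORDS; i++)
        if (sc->xfer_buf[i] != POISON)
            n++;
    return n;
}

/* Order from the original report: transfers torn down first. */
int detach_unsetup_first(void) {
    struct toy_softc sc = {{0}};
    toy_transfer_unsetup(&sc);
    toy_ifdetach(&sc);              /* callback writes into freed memory */
    return toy_modified_after_free(&sc);
}

/* Order that resolved it: net80211 detached first, then the transfers. */
int detach_ifdetach_first(void) {
    struct toy_softc sc = {{0}};
    toy_ifdetach(&sc);              /* callback runs while the memory is live */
    toy_transfer_unsetup(&sc);
    return toy_modified_after_free(&sc);
}

int main(void) {
    printf("unsetup first:  %d word(s) modified after free\n", detach_unsetup_first());
    printf("ifdetach first: %d word(s) modified after free\n", detach_ifdetach_first());
}
```

In the model the fixed delay from the workaround has no equivalent: only the order of the two teardown calls decides whether the poison survives.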


