kern/89362: Stale references to freed memory

HPS hselasky at c2i.net
Mon Nov 21 12:20:19 GMT 2005


>Number:         89362
>Category:       kern
>Synopsis:       Stale references to freed memory
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 21 12:20:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     HPS
>Release:        FreeBSD 7-current
>Organization:
>Environment:
FreeBSD 7-current i386
>Description:
When one sets up an interrupt handler from the "probe" method of an ISA/PNP/PCI/USB ... device driver, the interrupt name becomes garbled when viewed with "ps aux |grep irq". This is because the device system frees the pointer returned by "device_get_nameunit(dev)" between probe and attach. I suggest that one extends "device_t" with "char dev_nameunit[16]" and uses that instead of allocating memory.

In general, storing any pointer returned by "device_get_nameunit(dev)" in the "device_probe" method for later use will cause problems.

>How-To-Repeat:
Set up an interrupt handler from the "probe" method of a device driver.
Store the "device_get_nameunit(dev)" pointer while in the "device_probe" method. Print it out after attach, when the pointer has been freed and allocated again.

>Fix:
Set up the interrupt handler from the "attach" method of the device driver. Make a copy of "device_get_nameunit(dev)" rather than storing a reference to it.
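The stale-pointer pattern from the description beside the copy-based fix, as an added user-space model that is neither FreeBSD nor the submitter's code: a single static buffer stands in for the storage the device system frees and reallocates between probe and attach, and the names foo0/bar3, model_get_nameunit() and run_lifecycle() are assumptions, not real newbus API.

```c
#include <stdio.h>
#include <string.h>

/* One static buffer stands in for the storage the device system frees and
 * reallocates between probe and attach, so the stale read is defined here. */
static char nameunit_pool[16];

/* Stand-in for device_get_nameunit(): each call rewrites the shared buffer. */
static const char *model_get_nameunit(const char *name, int unit)
{
    snprintf(nameunit_pool, sizeof nameunit_pool, "%s%d", name, unit);
    return nameunit_pool;
}

struct softc {
    const char *stale_name;   /* the bug: pointer saved during probe */
    char name_copy[16];       /* the fix: private copy (strlcpy in-kernel) */
};

/* Probe of device foo0: save the pointer (bug) and a copy (fix) side by side. */
static void probe(struct softc *sc)
{
    const char *nu = model_get_nameunit("foo", 0);
    sc->stale_name = nu;
    snprintf(sc->name_copy, sizeof sc->name_copy, "%s", nu);
}

/* Between probe and attach the storage is recycled, here to name bar3. */
static void device_system_churn(void)
{
    (void)model_get_nameunit("bar", 3);
}

/* Run probe -> churn -> attach and return the softc for inspection. */
struct softc *run_lifecycle(void)
{
    static struct softc sc;
    probe(&sc);
    device_system_churn();
    return &sc;
}

int main(void)
{
    struct softc *sc = run_lifecycle();
    printf("via saved pointer: %s\n", sc->stale_name); /* bar3 */
    printf("via private copy : %s\n", sc->name_copy);  /* foo0 */
    return 0;
}
```

The saved pointer now names whatever device last reused the buffer, which is the garbled "ps aux |grep irq" output the report describes; the copy taken at probe time (or at attach, as the Fix section recommends) still reads foo0.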


>Release-Note:
>Audit-Trail:
>Unformatted: