On Sun, Nov 27, 2005 at 09:59:43AM -0500, Alan Stern wrote:
> On Sun, 27 Nov 2005, Ville Syrjälä wrote:
>
> > When I tried to reproduce the oops the box would just hang and when I
> > eventually got oopses out of it they didn't seem very consistent.
> >
> > The usbtest module source code is at the end of this message.
> >
> > So I just compiled 2.6.15-rc2 with some debug options turned on and used
> > a serial console to get this trace.
>
> > usb 1-1: new full speed USB device using uhci_hcd and address 2
> > input: usbtest as /class/input/input1
> > input: usbtest as /class/input/input2
> > usb 1-1: USB disconnect, address 2
> > slab error in cache_free_debugcheck(): cache `size-2048': double free, or
> > memory outside object was overwritten
> > [<c01036f7>] dump_stack+0x17/0x20
> > [<c013e066>] __slab_error+0x26/0x30
> > [<c013fc9a>] cache_free_debugcheck+0x1aa/0x220
> > [<c0140771>] kfree+0x51/0x90
> > [<d080d034>] usbtest_delete+0x14/0x20 [usbtest]
> > [<d080d1cb>] usbtest_disconnect+0x1b/0x20 [usbtest]
>
> I suspect you are triggering a bug in the input layer. Adding a few
> debugging lines to the test driver, particularly in usbtest_delete, might
> help pinpoint the bug.
It explodes when I call input_free_device() which is just a wrapper for
kfree(). And now I see the reason for the double free. input_dev_release()
also does kfree() on the input_dev. So the question is: Why does
input_free_device() even exist?

> > static int usbtest_probe(struct usb_interface *interface, const struct
> > usb_device_id *id)
> > {
> > 	struct usb_device *udev = interface_to_usbdev(interface);
> > 	struct usbtest *ut;
> > 	int r;
> >
> > 	ut = kzalloc(sizeof (struct usbtest), GFP_KERNEL);
> > 	if (!ut)
> > 		return -ENOMEM;
> >
> > 	ut->udev = udev;
> > 	usb_make_path(udev, ut->phys, sizeof(ut->phys));
> > 	strlcat(ut->phys, "/input0", sizeof(ut->phys));
> >
> > 	strlcat(ut->name, "usbtest", sizeof(ut->name));
> >
> > 	r = usbtest_input_init(ut);
> > 	if (r)
> > 		goto error;
>
> So you try to deregister the input device even if it failed to register?
> Is that legal? (Although that's not what caused the oops in this case.)

I don't really know. It looks like input_unregister_device() cleans up
after both input_allocate_device() and input_register_device(). Actually
input_device_register() can't actually fail so checking the return value
isn't really needed.

> > 	usb_set_intfdata(interface, ut);
>
> In a real driver, you would probably want to do this before registering
> the input device.

Really? Most drivers do it as the very last thing in the probe() callback.

-- 
Ville Syrjälä
[EMAIL PROTECTED]
http://www.sci.fi/~syrjala/
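The double free in the trace above comes down to an ownership question: once an input_dev is registered, the device model owns it and its release callback frees it when the last reference drops, so the driver may only free it itself on the never-registered path. The following user-space model, added here as an illustration and not code from the thread or the kernel, replays both sequences with an instrumented free that counts how often the same buffer is handed back, which is the condition slab debugging flagged. All names (struct model_input_dev, the model_* functions, free_count) are assumptions made for this example; they are not the kernel's input API.

```c
/* Added example (not from the thread): a user-space model of input_dev
 * ownership. Names below are assumptions for illustration only. */
#include <stdlib.h>

struct model_input_dev {
    int refcnt;       /* stands in for the embedded device's refcount */
    int registered;
};

/* Instrumented free: counts how often one buffer is handed back.
 * Only the first call really frees, so the model does not crash. */
static int free_count;
static void tracked_kfree(struct model_input_dev *dev)
{
    free_count++;
    if (free_count == 1)
        free(dev);
}

/* release callback: runs when the last reference goes away */
static void model_dev_release(struct model_input_dev *dev)
{
    tracked_kfree(dev);
}

static struct model_input_dev *model_allocate_device(void)
{
    struct model_input_dev *dev = calloc(1, sizeof(*dev));
    if (dev)
        dev->refcnt = 1;  /* the allocating driver's reference */
    return dev;
}

/* free a device that was never registered (role of input_free_device) */
static void model_free_device(struct model_input_dev *dev)
{
    if (dev)
        tracked_kfree(dev);
}

static void model_put_device(struct model_input_dev *dev)
{
    if (--dev->refcnt == 0)
        model_dev_release(dev);
}

static int model_register_device(struct model_input_dev *dev)
{
    dev->registered = 1;  /* ownership passes to the device model */
    return 0;
}

/* unregister drops the reference; release then frees the memory */
static void model_unregister_device(struct model_input_dev *dev)
{
    dev->registered = 0;
    model_put_device(dev);
}

/* The usbtest_delete() sequence: unregister, then free the same buffer.
 * Returns the number of frees on that buffer (2 means a double free). */
int buggy_sequence(void)
{
    struct model_input_dev *dev = model_allocate_device();
    free_count = 0;
    model_register_device(dev);
    model_unregister_device(dev);  /* release has already freed it */
    model_free_device(dev);        /* second free of the same buffer */
    return free_count;
}

/* Correct ownership: the driver frees only on the never-registered path;
 * a registered device is freed exactly once, by release. */
int correct_sequence(int registration_succeeds)
{
    struct model_input_dev *dev = model_allocate_device();
    free_count = 0;
    if (!registration_succeeds) {
        model_free_device(dev);    /* not registered: driver still owns it */
        return free_count;
    }
    model_register_device(dev);
    model_unregister_device(dev);  /* registered: release frees it */
    return free_count;
}
```

In the model, buggy_sequence() reports two frees of one allocation, which is what cache_free_debugcheck() reported for the `size-2048' cache in the trace; correct_sequence() reports exactly one on either path. The practical check for a driver is the same as in the model: after a successful register, never call the driver-side free on that object again, and keep the debug slab options on while testing disconnect paths so that a mismatch is caught as a reported error rather than as silent heap corruption.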