Hi,

I was trying to fix a memory leak in the USB subsystem when closing an interrupt transfer, see http://article.gmane.org/gmane.os.openbsd.bugs/13563 and http://article.gmane.org/gmane.os.openbsd.bugs/1012.

I traced the memory leak back to the uhci_*_intr_abort() function in dev/usb/uhci.c. Here the xfer->pipe->intrxfer variable, which points to memory that was allocated in usbd_open_pipe_intr(), is set to NULL without freeing it. When the interrupt endpoint is closed, usbd_close_pipe() in dev/usb/usbdi.c will try to free the data in xfer->pipe->intrxfer if this isn't a NULL pointer. But since the uhci_*_intr_abort() function is always called before the usbd_close_pipe() function, the xfer->pipe->intrxfer variable will never be freed, at least in the case of ugen(4).

Now I was wondering why uhci_*_intr_abort() sets the xfer->pipe->intrxfer pointer to NULL? Grepping for intrxfer in the source showed that it is only really used by usbdi.c to track the intrxfer pointer so it can be freed. If my assumption is correct that setting the pointer to NULL is incorrect, the attached patch can be used to fix this issue.

David

[demime 1.01d removed an attachment of type application/octet-stream which had a name of usb_mem_leak_46cur.patch]
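An added illustration, not part of the original post and not OpenBSD code: a user-space C model of the open, abort, close ordering described above, counting allocations that are still outstanding after close. The `model_*` names, the `live_allocs` counter and the `clear_in_abort` switch are hypothetical; the kernel functions they stand in for are named only in comments.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model; these are not the kernel's structures. */
struct model_xfer { int placeholder; };
struct model_pipe { struct model_xfer *intrxfer; };
static int live_allocs;                 /* allocations not yet freed */

/* Stands in for usbd_open_pipe_intr(): the pipe takes ownership of the xfer. */
static int model_open_pipe_intr(struct model_pipe *pipe)
{
    pipe->intrxfer = malloc(sizeof(*pipe->intrxfer));
    if (pipe->intrxfer == NULL)
        return -1;
    live_allocs++;
    return 0;
}

/* Stands in for the abort path; clear_in_abort=1 is the behaviour the post describes. */
static void model_intr_abort(struct model_pipe *pipe, int clear_in_abort)
{
    if (clear_in_abort)
        pipe->intrxfer = NULL;          /* only reference dropped, nothing freed */
}

/* Stands in for usbd_close_pipe(): frees only when the pointer is non-NULL. */
static void model_close_pipe(struct model_pipe *pipe)
{
    if (pipe->intrxfer == NULL)
        return;                         /* after a clearing abort, always taken */
    free(pipe->intrxfer);
    pipe->intrxfer = NULL;
    live_allocs--;
}

/* Runs open -> abort -> close and returns the number of leaked allocations. */
static int leaked_after_close(int clear_in_abort)
{
    struct model_pipe pipe = { NULL };
    struct model_xfer *orig;
    int leaked;

    live_allocs = 0;
    if (model_open_pipe_intr(&pipe) != 0)
        return -1;
    orig = pipe.intrxfer;               /* kept only so the demo can clean up */
    model_intr_abort(&pipe, clear_in_abort);
    model_close_pipe(&pipe);
    leaked = live_allocs;
    if (leaked)
        free(orig);                     /* demo cleanup; the real path has no such copy */
    return leaked;
}

int main(void)
{
    printf("clearing abort: %d leaked, non-clearing abort: %d leaked\n",
        leaked_after_close(1), leaked_after_close(0));
    return 0;
}
```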
