"Use after free" error during kldunload

From: Peter Jeremy <PeterJeremy_at_optushome.com.au>
Date: Tue, 10 Jan 2006 22:22:17 +1100
I got an unexpected and reproducible "page fault while in kernel mode"
whilst unloading a device driver.  The offending address indicates
that a pointer contains 0xdeadc0de.  This part of the code used to
work (long ago - it's been a while since I've tried kldunload'ing it,
possibly since 5.3 or so).  Can anyone suggest what I am doing wrong?

The relevant part of the backtrace looks like:
--- trap 0xc, eip = 0xc056229a, esp = 0xd6b9cae4, ebp = 0xd6b9caf0 ---
device_delete_child(c32e6900,deadc0de,c3379610,d6b9cb1c,c04a1fb6) at device_delete_child+0xa
device_delete_child(c3350100,c32e6900,c3350100,c3350100,d6b9cb40) at device_delete_child+0x1d
iicsmb_detach(c3350100,c3321050,c0748228,965,c3350100) at iicsmb_detach+0x36
device_detach(c3350100,c32e6900,c336e100,d6b9cb68,c05622ad) at device_detach+0x8e
device_delete_child(c336e100,c3350100,c338f000,d6b9cb88,c087fd7f) at device_delete_child+0x30
device_delete_child(c3371180,c336e100,0,c33a2e00,c3371180) at device_delete_child+0x1d
release_resources(c338f000,c0886928,c3371180,c3371180,d6b9cbc4) at release_resources+0xdf
saa_detach(c3371180,c3331850,c0748228,965,c331e9a0) at saa_detach+0x84
device_detach(c3371180,c0885188,c3371180,c32f0380,c0886940) at device_detach+0x8e
devclass_delete_driver(c32f0380,c0886928,1,c3281c80,c3281c80) at devclass_delete_driver+0x95
driver_module_handler(c3281c80,1,c0886940) at driver_module_handler+0xf3
module_unload(c3281c80,0,1fb,0,0) at module_unload+0x60
linker_file_unload(c32a2e00,0,c0707925,327,2) at linker_file_unload+0x87
kern_kldunload(c3a30600,2,0,d6b9cd30,c06c3d63) at kern_kldunload+0x94
kldunloadf(c3a30600,d6b9cd04,8,440,c3b6b318) at kldunloadf+0x2c

I have a crashdump but kgdb is reporting more 0xdeadc0de's in
locations that don't make sense (it would have panic'd much earlier if
they were correct).  saa_detach() and release_resources() are in my
driver.

The attach code looks like:
saa_attach(device_t dev)
{
        struct saa_softc *sc;
        sc = (struct saa_softc *)device_get_softc(dev);

        sc->sc_dev = dev;               /* kept so detach can find the parent */
...
        /* create the iicbus child and remember it in the softc for detach */
        sc->sc_iicbus_dev = device_add_child(dev, "iicbus", -1);
        if (!sc->sc_iicbus_dev ||
            bus_generic_attach(dev)) {  /* attach the newly added child */
                emsg = "Error adding iicbus device";
                goto attach_failed;
        }
...
}

The detach code (in release_resources) looks like:
        /* delete the child recorded by saa_attach() */
        rval = device_delete_child(sc->sc_dev, sc->sc_iicbus_dev);
-- 
Peter Jeremy
Received on Tue Jan 10 2006 - 10:22:20 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:50 UTC