From nobody@FreeBSD.org  Mon Nov 21 12:10:24 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F1E6F16A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 21 Nov 2005 12:10:23 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C244443D45
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 21 Nov 2005 12:10:23 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jALCANR5023609
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 21 Nov 2005 12:10:23 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jALCANrW023608;
	Mon, 21 Nov 2005 12:10:23 GMT
	(envelope-from nobody)
Message-Id: <200511211210.jALCANrW023608@www.freebsd.org>
Date: Mon, 21 Nov 2005 12:10:23 GMT
From: HPS <hselasky@c2i.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Stale references to freed memory
X-Send-Pr-Version: www-2.3

>Number:         89362
>Category:       kern
>Synopsis:       Stale references to freed memory
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    imp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 21 12:20:17 GMT 2005
>Closed-Date:    Sat Mar 08 22:34:26 MST 2008
>Last-Modified:  Sun Mar  9 10:40:01 UTC 2008
>Originator:     HPS
>Release:        FreeBSD 7-current
>Organization:
>Environment:
FreeBSD 7-current i386
>Description:
When one sets up an interrupt handler from the "probe" method of an ISA/PNP/PCI/USB ... device driver, the interrupt name becomes garbled when using "ps aux | grep irq". This is because the device system frees the pointer returned by "device_get_nameunit(dev)" between probe and attach. I suggest that one extend "device_t" with "char dev_nameunit[16]" and use that instead of allocating memory.

In general, storing any pointers returned by "device_get_nameunit(dev)" in the "device_probe" method, for later use, will cause problems.

>How-To-Repeat:
Set up an interrupt handler from the "probe" method of a device driver.
Store the "device_get_nameunit(dev)" pointer when in the "device_probe" method. Print it out after attach, when the pointer has been freed and allocated again.

>Fix:
Set up the interrupt handler from the "attach" method of a device driver. Make a copy of "device_get_nameunit(dev)" and not a reference.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sat Mar 8 20:57:54 UTC 2008 
Responsible-Changed-Why:  
Assign to Warner, who may have views on this topic. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89362 
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Sat Mar 8 22:32:54 MST 2008 
State-Changed-Why:  
One is not allowed to cache the items that are complained about in
this bug.  Probe routines must not have side effects.  Setting an
interrupt is a side effect that must not persist past the end of the
probe routine.


http://www.freebsd.org/cgi/query-pr.cgi?pr=89362 

From: "M. Warner Losh" <imp@bsdimp.com>
To: rwatson@FreeBSD.org
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: kern/89362: Stale references to freed memory
Date: Sat, 08 Mar 2008 21:51:02 -0700 (MST)

 Don't set interrupt handlers in the probe routine.  That's not allowed
 as you cannot count on side effects in the probe routine.  It might be
 called multiple times.  softc is freed between probe and attach to
 keep people from doing this.
 
 The device_get_name*() calls definitely cannot be cached.
 
 Warner
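The probe/attach discipline described in the Fix section and in Warner's reply, as an added example that is not part of this PR or of FreeBSD's own code: a user-space C model of a bus that frees the device name string and the softc between probe and attach (the mock_device, mock_softc, mock_bus_run and dupstr names are assumptions made for this illustration, not newbus APIs). The driver copies the string returned by the device_get_nameunit() stand-in into its softc during attach and registers its interrupt handler only there; the buggy probe that caches the pointer is shown for contrast but never executed, because attach would then read freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAMEUNIT_LEN 16
#define MOCK_VENDOR  0x1234   /* constructed vendor id the driver claims */

/* Stand-in for a newbus device_t (an assumption for this example). */
struct mock_device {
    char *nameunit;   /* framework-owned heap string, freed after probe */
    void *softc;      /* driver state, also freed between probe and attach */
    int   vendor_id;  /* what a real probe would match against */
};

/* Driver state: only what attach fills in can be relied on later. */
struct mock_softc {
    char nameunit[NAMEUNIT_LEN];  /* private copy of the name */
    int  irq_setup;               /* 1 once attach registered the handler */
};

/* Mock of device_get_nameunit(9): returns the framework-owned string. */
static const char *mock_device_get_nameunit(const struct mock_device *dev)
{
    return dev->nameunit;
}

static char *dupstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* WRONG (the pattern this PR reports): keeps a pointer probe does not own.
 * Compiled for contrast only; it is never called in this example. */
const char *cached_nameunit;
int mock_probe_buggy(struct mock_device *dev)
{
    cached_nameunit = mock_device_get_nameunit(dev);  /* dangling after probe */
    return 0;
}

/* Correct probe: decide whether this is our hardware, keep nothing. */
static int mock_probe(const struct mock_device *dev)
{
    return dev->vendor_id == MOCK_VENDOR ? 0 : -1;
}

/* Correct attach: copy the name into the softc, then set up the IRQ. */
static int mock_attach(struct mock_device *dev)
{
    struct mock_softc *sc = dev->softc;

    snprintf(sc->nameunit, sizeof(sc->nameunit), "%s",
             mock_device_get_nameunit(dev));
    sc->irq_setup = 1;   /* a real driver would call bus_setup_intr() here */
    return 0;
}

/* Mock bus: calls probe `probe_calls` times, freeing name and softc after
 * each call as the PR describes, then allocates fresh ones and attaches.
 * Copies the name the driver retained into `out`; returns 0 on success. */
static int mock_bus_run(const char *name, int vendor, int probe_calls,
                        char *out, size_t outlen)
{
    struct mock_device dev;
    struct mock_softc *sc;
    int i, prv, rv = -1;

    dev.vendor_id = vendor;
    for (i = 0; i < probe_calls; i++) {
        dev.nameunit = dupstr(name);
        dev.softc = calloc(1, sizeof(struct mock_softc));
        prv = (dev.nameunit != NULL && dev.softc != NULL) ? mock_probe(&dev) : -1;
        free(dev.softc);      /* framework discards both, so nothing */
        free(dev.nameunit);   /* obtained during probe may be kept   */
        if (prv != 0)
            return -1;
    }
    dev.nameunit = dupstr(name);
    dev.softc = calloc(1, sizeof(struct mock_softc));
    if (dev.nameunit != NULL && dev.softc != NULL && mock_attach(&dev) == 0) {
        sc = dev.softc;
        snprintf(out, outlen, "%s", sc->nameunit);   /* survives any later free */
        rv = sc->irq_setup ? 0 : -1;
    }
    free(dev.softc);
    free(dev.nameunit);
    return rv;
}

int main(void)
{
    char name[NAMEUNIT_LEN];

    if (mock_bus_run("uhub0", MOCK_VENDOR, 2, name, sizeof(name)) == 0)
        printf("attached %s (name copied and IRQ set up in attach)\n", name);
    return 0;
}
```

The point of the loop in mock_bus_run is the one Warner makes: probe can run more than once and everything it touches is thrown away, so the only state a driver may trust is what attach builds from fresh framework data.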
>Unformatted:
