Re: [Ndiswrapper-general] Instability after ndiswrapper unload with USB drivers
From: Pavel R. <pr...@gn...> - 2011-08-29 02:13:07
Hello! This is a follow-up for the previous message. I think I have the culprit now. I just don't have a fix.

In some cases, a URB can be freed twice. First it's freed by the Linux USB code in usb_deregister() and then it's freed by our kill_all_urbs(). Freeing a URB for the second time leads to decreasing the first byte of the freed memory by one. That's where the reference count is located.

I tried a hack in kill_all_urbs() that would prevent freeing URBs with refcount 0x6b6b6b6b. That made the instability disappear. Of course, this hack depends on SLUB debug, and it's still possible that somebody would claim and use the freed memory, overwriting the poison before kill_all_urbs() gets there.

The fix would require that we call kill_all_urbs() before usb_deregister(). Ideally, all URBs associated with a device should be removed as soon as the device is disabled. I tried several approaches, but I would get various kernel crashes, usually in a worker for some queue. I checked the code, and it appears that we never cancel any workqueue. Indeed, wrap_cancel_work() is never used. That alone may be the reason. Also, killed URBs are never removed from wrap_urb->complete_list. There is quite a lot of code that needs to be fixed.

--
Regards,
Pavel Roskin
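The teardown-order bug described in the message, reproduced as an added user-space model (example code, not part of the post or of ndiswrapper). Every `sim_` name, the static object pool that poisons freed objects with 0x6b instead of returning them to a real allocator, and the simplification that the USB core and the driver walk the same list are assumptions of this model. It shows the three variants the message discusses: the current order (deregister, then kill_all_urbs) puts every URB twice and decrements the poison word; the refcount == 0x6b6b6b6b hack suppresses the second put only as long as the slot is still poisoned, and frees another owner's object once the memory has been reused; draining the list before deregistering puts each URB exactly once.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b          /* SLUB debug fills freed objects with this byte */
#define POISON_WORD 0x6b6b6b6bu   /* first word of a poisoned object, as in the hack */
#define NUM_URBS    4

/* Constructed stand-in for struct urb: the reference count is the first field,
 * so a put() on an already freed object decrements the poison word. */
struct sim_urb {
    uint32_t refcount;
    int      id;
};

/* Constructed stand-in for the slab: a static pool whose "free" only poisons the
 * object, so the double put is observable without undefined behaviour. */
static struct sim_urb pool[NUM_URBS];
static int            live[NUM_URBS];   /* 1 while the slot is allocated */
static int            double_puts;      /* oracle: puts on freed objects (what KASAN would flag) */

static int slot_of(const struct sim_urb *u) { return (int)(u - pool); }

static struct sim_urb *sim_urb_alloc(int id)
{
    for (int i = 0; i < NUM_URBS; i++)
        if (!live[i]) {
            live[i] = 1;
            pool[i].refcount = 1;   /* a fresh allocation clears the poison */
            pool[i].id = id;
            return &pool[i];
        }
    return NULL;
}

static void sim_slab_free(struct sim_urb *u)
{
    live[slot_of(u)] = 0;
    memset(u, POISON_FREE, sizeof *u);
}

/* usb_free_urb()-like: drop the count, free at zero. On a freed object the
 * decrement turns 0x6b6b6b6b into 0x6b6b6b6a, exactly the corruption described. */
static void sim_urb_put(struct sim_urb *u)
{
    if (!live[slot_of(u)])
        double_puts++;
    if (--u->refcount == 0)
        sim_slab_free(u);
}

/* Driver-side list standing in for wrap_urb->complete_list. */
struct sim_wrap_device {
    struct sim_urb *complete_list[NUM_URBS];
    int             count;
};
static struct sim_wrap_device g_dev;

static void sim_device_init(void)
{
    memset(pool, 0, sizeof pool);
    memset(live, 0, sizeof live);
    double_puts = 0;
    g_dev.count = 0;
    for (int i = 0; i < NUM_URBS; i++)
        g_dev.complete_list[g_dev.count++] = sim_urb_alloc(i);
}

/* Stand-in for the USB core's release in usb_deregister(): it drops every URB
 * still attached to the device but never touches the driver's list. */
static void sim_usb_deregister(void)
{
    for (int i = 0; i < g_dev.count; i++)
        sim_urb_put(g_dev.complete_list[i]);
}

/* Stand-in for kill_all_urbs(): drop and unlink every URB in the list. */
static void sim_kill_all_urbs(void)
{
    for (int i = 0; i < g_dev.count; i++)
        sim_urb_put(g_dev.complete_list[i]);
    g_dev.count = 0;
}

/* The hack from the message: skip entries whose first word is the poison. */
static void sim_hack_kill_all_urbs(void)
{
    for (int i = 0; i < g_dev.count; i++)
        if (g_dev.complete_list[i]->refcount != POISON_WORD)
            sim_urb_put(g_dev.complete_list[i]);
    g_dev.count = 0;
}

/* Current order: every URB is put a second time after the core freed it. */
int sim_unsafe_teardown(void)
{
    sim_device_init();
    sim_usb_deregister();
    sim_kill_all_urbs();
    return double_puts;            /* NUM_URBS */
}

/* The hack hides the double put while the slots are still poisoned. */
int sim_hack_teardown(void)
{
    sim_device_init();
    sim_usb_deregister();
    sim_hack_kill_all_urbs();
    return double_puts;            /* 0, but only thanks to SLUB debug */
}

/* Same hack after one freed slot was reused: the newcomer's refcount is 1, not
 * the poison, so the stale list entry frees another owner's object. */
int sim_hack_after_reuse(void)
{
    sim_device_init();
    sim_usb_deregister();
    struct sim_urb *newcomer = sim_urb_alloc(99);   /* reuses pool[0] */
    sim_hack_kill_all_urbs();
    return !live[slot_of(newcomer)];                /* 1: newcomer was freed */
}

/* Proposed fix: drain the driver's list first, then the core has nothing to free. */
int sim_safe_teardown(void)
{
    sim_device_init();
    sim_kill_all_urbs();
    sim_usb_deregister();
    return double_puts;            /* 0 */
}

int main(void)
{
    printf("deregister then kill_all_urbs: %d double puts\n", sim_unsafe_teardown());
    printf("poison hack:                   %d double puts\n", sim_hack_teardown());
    printf("poison hack after slot reuse:  victim freed = %d\n", sim_hack_after_reuse());
    printf("kill_all_urbs then deregister: %d double puts\n", sim_safe_teardown());
    return 0;
}
```

The oracle counter plays the role a memory sanitizer would in the kernel; the model deliberately keeps the decrement so that the 0x6b6b6b6b to 0x6b6b6b6a corruption the message describes is visible in the poisoned slot. The point of the reuse scenario is the one the message already makes: a poison check is not an ownership check, and only draining the driver's own list before the core deregisters the device gives each URB a single owner at free time.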