Date: Fri, 29 Sep 2006 14:43:31 -0400
From: Kris Kennaway
To: Martin Blapp
Cc: cvs-src@FreeBSD.org, Martin Blapp, cvs-all@FreeBSD.org, src-committers@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern tty_pty.c
Message-ID: <20060929184331.GA33567@xor.obsecurity.org>

On Fri, Sep 29, 2006 at 08:26:40PM +0200, Martin Blapp wrote:
>
> Hi all,
>
> > Free tty struct after last close. This should fix the pty-leak by numbers.
> > Remove workarounds for tty_refcount being 0, this will be fixed differently
> > later.
> >
> > Back out rev 1.145 since we initialize the tty struct from scratch and bad
> > things can't happen anymore.
> >
>
> Sigh. Peter Holmes stress tests did show that we still have problems. With
> the backout of rev. 1.145 we get again the same panics as the pty_pts code
> does.
> This is deep somewhere in the devfs code. It does happen with/without freeing
> struct tty.
>
> Memory modified after free 0xc45b7d00(252) val=deadc0dd @ 0xc45b7d70
> panic: Most recently used by DEVFS1

You can identify precisely where the use-after-free occurs by configuring
DEBUG_MEMGUARD; I posted a trace of what is probably the same bug to
current@ once but don't have it to hand.

Kris
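Added example, not part of the original message and not FreeBSD kernel code: a user-space model of the free-poisoning check behind a "Memory modified after free" report, showing why the report names only the address and value, not the code that wrote it. The poison word 0xdeadc0de, the helper names, and the stale-pointer decrement at offset 0x70 (0xc45b7d70 - 0xc45b7d00 in the quoted report) are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed poison word; the report quoted above shows val=deadc0dd. */
#define POISON 0xdeadc0deU

/* At free time: overwrite the whole item with the poison pattern. */
static void poison_fill(void *item, size_t size)
{
    uint32_t *p = item;
    for (size_t i = 0; i < size / sizeof(*p); i++)
        p[i] = POISON;
}

/*
 * At the next allocation: verify the pattern. Returns the byte offset of
 * the first modified word (its value in *val), or -1 if the item is intact.
 */
static long poison_check(const void *item, size_t size, uint32_t *val)
{
    const uint32_t *p = item;
    for (size_t i = 0; i < size / sizeof(*p); i++) {
        if (p[i] != POISON) {
            *val = p[i];
            return (long)(i * sizeof(*p));
        }
    }
    return -1;
}

/* Constructed scenario: a stale pointer decrements a word in a freed
 * 252-byte item. The write itself goes unnoticed; only the later check
 * sees it, long after the responsible code has returned. */
static long simulate(uint32_t *val)
{
    static uint32_t item[252 / sizeof(uint32_t)];
    poison_fill(item, 252);                    /* "free" */
    item[0x70 / sizeof(uint32_t)]--;           /* write after free */
    return poison_check(item, 252, val);       /* detected at reuse */
}

int main(void)
{
    uint32_t val = 0;
    long off = simulate(&val);
    if (off >= 0)
        printf("modified after free: val=%x @ offset 0x%lx\n", val, off);
    return 0;
}
```

The check fires at reuse rather than at the stray write, so the panic can only report the last owner of the memory; locating the write itself needs a tool that traps at the moment of access, which is what the reply suggests DEBUG_MEMGUARD for.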