Date: Thu, 29 Jan 2004 01:35:24 -0500 (EST) From: John Wehle <john@feith.com> To: bugs@freebsd.org Cc: current@freebsd.org Subject: nasty device_delete_child interaction Message-ID: <200401290635.i0T6ZO224579@jwlab.FEITH.COM>
next in thread | raw e-mail | index | archive | help
device_delete_child works by starting with the grandchildren
working back towards the immediate child. Several drivers
(i.e. if_xl.c, if_wx.c, iicbb.c) have code similar to:
xxx_attach()
{
...
sc->child_dev = device_add_child ...
}
xxx_detach()
{
bus_generic_detach ();
if (sc->child_dev)
device_delete_child ...
}
The problem is using device_delete_child on one of these
drivers causes the grandchild to be freed twice. When
device_delete_child is called for xxx, it recurses since
xxx has a child. The grandchild is detached and deleted.
xxx_detach is then called which calls device_delete_child
for the grandchild a second time causing a panic.
It seems to me that any driver which calls device_delete_child
as part of detaching must also implement something like:
xxx_child_detached()
{
if (child == sc->child_dev)
sc->child_dev = NULL;
}
xxx_detach()
{
/*
* Remember the child so we can delete it (bus_generic_detach
* indirectly zeroes sc->child_dev).
*/
child = sc->child_dev;
bus_generic_detach();
if (child)
device_delete_child ...
}
or am I missing something?
-- John
-------------------------------------------------------------------------
| Feith Systems | Voice: 1-215-646-8000 | Email: john@feith.com |
| John Wehle | Fax: 1-215-540-5495 | |
-------------------------------------------------------------------------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200401290635.i0T6ZO224579>