From owner-freebsd-bugs@FreeBSD.ORG  Sun Jul  9 13:19:47 2006
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@FreeBSD.org
Delivered-To: freebsd-bugs@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 543B116A4DA
	for <freebsd-bugs@FreeBSD.org>; Sun,  9 Jul 2006 13:19:47 +0000 (UTC)
	(envelope-from ohki@gssm.otsuka.tsukuba.ac.jp)
Received: from utogwpl.gssm.otsuka.tsukuba.ac.jp
	(utogwpl.gssm.otsuka.tsukuba.ac.jp [210.154.96.162])
	by mx1.FreeBSD.org (Postfix) with SMTP id 737D143D6D
	for <freebsd-bugs@FreeBSD.org>; Sun,  9 Jul 2006 13:19:43 +0000 (GMT)
	(envelope-from ohki@gssm.otsuka.tsukuba.ac.jp)
Received: (qmail 91199 invoked from network); 9 Jul 2006 13:19:42 -0000
Received: from OneOfLocalMachines (HELO smr00.gssm.otsuka.tsukuba.ac.jp)
	(10.2.1.1) by 10.1.1.1 with SMTP; 9 Jul 2006 13:19:42 -0000
Received: from gssm.otsuka.tsukuba.ac.jp (localhost [127.0.0.1])
	by smr00.gssm.otsuka.tsukuba.ac.jp (8.13.3/8.13.3) with ESMTP id
	k69DJg39036632; Sun, 9 Jul 2006 22:19:42 +0900 (JST)
	(envelope-from ohki@gssm.otsuka.tsukuba.ac.jp)
Message-Id: <200607091319.k69DJg39036632@smr00.gssm.otsuka.tsukuba.ac.jp>
From: Atsuo Ohki <ohki@gssm.otsuka.tsukuba.ac.jp>
To: "Wojciech A. Koszek" <wkoszek@FreeBSD.org>
In-reply-to: Your message of "Fri, 07 Jul 2006 16:56:43 GMT"
References: <200607060842.k668gK2K021382@smr00.gssm.otsuka.tsukuba.ac.jp>
	<200607071139.k67BdTqH027312@smr00.gssm.otsuka.tsukuba.ac.jp>
	<20060707165643.GA60398@FreeBSD.czest.pl>
Mime-Version: 1.0
Content-Type: text/plain;charset="US-ASCII"
Date: Sun, 09 Jul 2006 22:19:42 +0900
Sender: ohki@gssm.otsuka.tsukuba.ac.jp
Cc: freebsd-bugs@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org,
	Robert Watson <rwatson@FreeBSD.org>
Subject: Re: kern/99758: chown/chmod pty slave side in kernel
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Jul 2006 13:19:47 -0000

"Wojciech A. Koszek" writes:
> Sure. I'm willing to hear more about your changes and patches! To reproduce
> problems I've seen, try to download Peter Wemm's stress suite, compile it,
> and run PTY code. As I recall, after unpacking stress2.tgz you'll have
> run.sh script and pty<some_extension>. You run it by typing: ./run
> ./pty<some_extension_maybe_conf>. Try to switch to other virtual terminal
> and login.

 I got stress2.tgz and done `./run.sh pty.cfg' and got the message like

	Memory modified after free ...
	Most recently used by DEVFS1

 The reason for this panic is devfs_close() in fs/devfs/devfs_vnops.c.
 As you see, devfs_close() eventually calls ptcclose()/ptsclose()
 which calls pty_maybecleanup() destroying devs for ptc&pts, but
 devfs_close() then calls dev_relthread() which may access just freeed dev.

 I'm afraid that devfs is not designed to handle destroing dev during
 close operation.

 I'm working on this problem with the idea:
  i) destory_dev() should not free dev, but just mark inactive.
  ii) devfs_populate() should actually free an inactive dev.
  iii) modify devfs_find() and other routines to take care of an inactive dev.
 But no success yet ;-<