From owner-freebsd-hackers@FreeBSD.ORG Thu Jan 4 11:02:36 2007 Return-Path: X-Original-To: freebsd-hackers@freebsd.org Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9EF5A16A403 for ; Thu, 4 Jan 2007 11:02:36 +0000 (UTC) (envelope-from eugen@www.svzserv.kemerovo.su) Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id D66B213C442 for ; Thu, 4 Jan 2007 11:02:35 +0000 (UTC) (envelope-from eugen@www.svzserv.kemerovo.su) Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id l04Aq8fD079675; Thu, 4 Jan 2007 17:52:08 +0700 (KRAT) (envelope-from eugen@www.svzserv.kemerovo.su) Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id l04Aq8Yq079674; Thu, 4 Jan 2007 17:52:08 +0700 (KRAT) (envelope-from eugen) Date: Thu, 4 Jan 2007 17:52:08 +0700 From: Eugene Grosbein To: Kostik Belousov Message-ID: <20070104105208.GA78979@svzserv.kemerovo.su> References: <20070103141820.GA1014@grosbein.pp.ru> <200701031601.05541.jhb@freebsd.org> <20070104040727.GD21325@deviant.kiev.zoral.com.ua> <20070104103708.GF21325@deviant.kiev.zoral.com.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20070104103708.GF21325@deviant.kiev.zoral.com.ua> User-Agent: Mutt/1.4.2.1i X-Mailman-Approved-At: Thu, 04 Jan 2007 12:25:16 +0000 Cc: freebsd-hackers@freebsd.org, Eugene Grosbein Subject: Re: WITNESS & RELENG_6 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Jan 2007 11:02:36 -0000 On Thu, Jan 04, 2007 at 12:37:08PM +0200, Kostik Belousov wrote: > The problem is revealed by INVARIANTS option, not by WITNESS, and is definitely the use-after-free. > > in src/nvidia_dev.c, nvidia_dev_close(), that is cdevsw.d_close proc, > the destroy_dev() is called. Please, apply rev. 1.199 of sys/kern/kern_conf.c. > I expect that crashes shall stop, but non-killable processes (in the "devdrn") > state would accumulate. > > Please, confirm. I've tried to apply 1.199 to RELENG_6 but failed: one of three chunks has been rejected. Eugene