From owner-freebsd-bugs@FreeBSD.ORG Mon Feb 9 13:03:07 2004
Return-Path:
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28B5516A4CF for ; Mon, 9 Feb 2004 13:03:07 -0800 (PST)
Received: from mail5.speakeasy.net (mail5.speakeasy.net [216.254.0.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0E10343D2F for ; Mon, 9 Feb 2004 13:03:07 -0800 (PST) (envelope-from jmg@hydrogen.funkthat.com)
Received: (qmail 28557 invoked from network); 9 Feb 2004 21:03:06 -0000
Received: from dsl017-045-168.spk4.dsl.speakeasy.net (HELO hydrogen.funkthat.com) ([69.17.45.168]) (envelope-sender ) by mail5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 9 Feb 2004 21:03:06 -0000
Received: from hydrogen.funkthat.com (xeryjg@localhost.funkthat.com [127.0.0.1]) i19L357Y095528; Mon, 9 Feb 2004 13:03:05 -0800 (PST) (envelope-from jmg@hydrogen.funkthat.com)
Received: (from jmg@localhost) by hydrogen.funkthat.com (8.12.10/8.12.10/Submit) id i19L34Cr095527; Mon, 9 Feb 2004 13:03:04 -0800 (PST)
Date: Mon, 9 Feb 2004 13:03:04 -0800
From: John-Mark Gurney
To: John Wehle
Message-ID: <20040209210304.GF85686@funkthat.com>
Mail-Followup-To: John Wehle , bugs@freebsd.org, current@freebsd.org
References: <200401290635.i0T6ZO224579@jwlab.FEITH.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200401290635.i0T6ZO224579@jwlab.FEITH.COM>
User-Agent: Mutt/1.4.1i
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-PGP-Fingerprint: B7 EC EF F8 AE ED A7 31 96 7A 22 B3 D8 56 36 F4
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html
cc: bugs@freebsd.org
cc: current@freebsd.org
Subject: Re: nasty device_delete_child interaction
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: John-Mark Gurney
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 09 Feb 2004 21:03:07 -0000

John Wehle wrote this message on Thu, Jan 29, 2004 at 01:35 -0500:
> device_delete_child works by starting with the grandchildren
> working back towards the immediate child.  Several drivers
> (i.e. if_xl.c, if_wx.c, iicbb.c) have code similar to:
>
>   xxx_attach()
>   {
>     ...
>     sc->child_dev = device_add_child ...
>   }
>
>   xxx_detach()
>   {
>     bus_generic_detach ();
>     if (sc->child_dev)
>       device_delete_child ...
>   }
>
> The problem is using device_delete_child on one of these
> drivers causes the grandchild to be freed twice.  When
> device_delete_child is called for xxx, it recurses since
> xxx has a child.  The grandchild is detached and deleted.
> xxx_detach is then called which calls device_delete_child
> for the grandchild a second time causing a panic.

Yes, I know about this problem.  One of the problems with this also
is that the newbus code isn't properly locked, nor are ref counts kept
on who has a pointer, so that as device_delete_child happens, you can
easily end up accessing a freed device as you point out...

There are many issues with the code.  If you are interested in fixing
these, drop me an email and I'll tell you more about them.  I ran into
these issues myself when writing my Zoran driver and working with the
iicbus code.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
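The double delete described in the quoted report, reproduced as an added example that is neither part of this thread nor FreeBSD code. It is a toy C model of a newbus-style device tree: the struct and function names (device_add_child, device_delete_child, device_detach, xxx_detach_naive, xxx_detach_fixed, the softc layout) are simplified stand-ins chosen for the example, not the real kernel API, and the deletion order follows the description above (grandchildren first, then the driver's detach routine, then release of the device). Freed devices are quarantined rather than returned to the allocator so the stale-pointer case can be observed instead of crashing. The quoted detach pattern is run against it, alongside a detach routine that deletes whatever the bus still lists as its children instead of trusting a pointer cached at attach time.

```c
/* Toy model of a newbus-style device tree; not FreeBSD code. */
#include <stdio.h>
#include <stdlib.h>

#define MAXCHILD 4

struct device;
typedef int (*detach_fn)(struct device *);

struct device {
	const char *name;
	struct device *children[MAXCHILD];
	int nchildren;
	detach_fn detach;	/* stand-in for the driver's DEVICE_DETACH method */
	void *softc;		/* driver private state */
	int freed;		/* set instead of calling free(), so the object is quarantined */
};

struct xxx_softc { struct device *child_dev; };	/* hypothetical driver softc */

static int g_double_delete;	/* delete requests for a device no longer in the parent's list */
static int g_frees;		/* devices released by the bus */

static struct device *
device_add_child(struct device *parent, const char *name, detach_fn detach, void *softc)
{
	struct device *dev = calloc(1, sizeof(*dev));
	dev->name = name; dev->detach = detach; dev->softc = softc;
	parent->children[parent->nchildren++] = dev;
	return dev;
}

/* Remove dev from parent's child list; -1 if it is not (any longer) there.
 * Only the pointer value is compared, so a stale dev is never dereferenced. */
static int
unlink_child(struct device *parent, struct device *dev)
{
	for (int i = 0; i < parent->nchildren; i++)
		if (parent->children[i] == dev) {
			parent->children[i] = parent->children[--parent->nchildren];
			return 0;
		}
	return -1;
}

static int
device_detach(struct device *dev)
{
	return dev->detach ? dev->detach(dev) : 0;
}

/* Order modelled on the report: grandchildren first, then detach, then release. */
static int
device_delete_child(struct device *parent, struct device *dev)
{
	if (unlink_child(parent, dev) != 0) {
		g_double_delete++;	/* the real kernel would panic here */
		return -1;
	}
	while (dev->nchildren > 0)
		device_delete_child(dev, dev->children[0]);
	device_detach(dev);
	dev->freed = 1;
	g_frees++;
	return 0;
}

/* The pattern quoted in the report: trusts a pointer cached at attach time. */
static int
xxx_detach_naive(struct device *dev)
{
	struct xxx_softc *sc = dev->softc;
	if (sc->child_dev)
		device_delete_child(dev, sc->child_dev);	/* already gone when called via the bus */
	return 0;
}

/* Hardened form: delete only what the bus still lists for dev, then drop the cache.
 * Works both when the bus already removed the children and when called directly. */
static int
xxx_detach_fixed(struct device *dev)
{
	struct xxx_softc *sc = dev->softc;
	while (dev->nchildren > 0)
		device_delete_child(dev, dev->children[0]);
	sc->child_dev = NULL;
	return 0;
}

/* Build root -> xxx0 -> grandchild0 and delete xxx0 through the bus.
 * Returns the number of double-delete attempts seen. */
static int
run_delete_via_bus(detach_fn xxx_detach)
{
	struct device root = { .name = "root" };
	struct xxx_softc sc = { 0 };
	struct device *xxx = device_add_child(&root, "xxx0", xxx_detach, &sc);
	sc.child_dev = device_add_child(xxx, "grandchild0", NULL, NULL);
	g_double_delete = g_frees = 0;
	device_delete_child(&root, xxx);
	return g_double_delete;
}

/* Same tree, but the driver is detached directly (no bus recursion), so the
 * detach routine must delete its own child.  Returns children left on xxx0. */
static int
run_detach_directly(detach_fn xxx_detach)
{
	struct device root = { .name = "root" };
	struct xxx_softc sc = { 0 };
	struct device *xxx = device_add_child(&root, "xxx0", xxx_detach, &sc);
	sc.child_dev = device_add_child(xxx, "grandchild0", NULL, NULL);
	g_double_delete = g_frees = 0;
	device_detach(xxx);
	return xxx->nchildren;
}

int
main(void)
{
	printf("naive detach via bus: %d double delete(s)\n", run_delete_via_bus(xxx_detach_naive));
	printf("fixed detach via bus: %d double delete(s)\n", run_delete_via_bus(xxx_detach_fixed));
	printf("fixed detach direct: %d child(ren) left\n", run_detach_directly(xxx_detach_fixed));
	return 0;
}
```

The point the model makes is that a driver's detach routine is reached on two paths with different preconditions: when the bus deletes the driver's device, its children are already gone, and when the driver is detached directly, they are not. A detach routine that consults the bus's current child list is correct on both paths; one that consults a cached pointer is correct only on the second. This addresses only the ordering problem in the report; it does nothing for the missing locking and reference counting that John-Mark raises, where a concurrent holder of a device pointer can still reach a released object.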