From: Anish Mistry
To: freebsd-current@freebsd.org
Date: Wed, 5 Apr 2006 03:53:57 -0400
Subject: [PATCH] ugen detach race
Message-Id: <200604050354.19659.mistry.7@osu.edu>

While working on getting hplip ported I ran across a race condition in the ugen code that causes a crash. The following patch fixes a problem where read, write, and ioctl can be called during a detach since sc_dying isn't checked before bumping the reference count.

This puts the sc_dying check before the *_do_* functions are called.

This includes the patch from usb/81308 to prevent polling on the control endpoint. As well as a few NULL pointer checks from NetBSD.

This patch is applicable to RELENG_6.

http://am-productions.biz/docs/ugen-detach-race.patch

This doesn't fix the case where an application has a read/write pending and then detach is called. In this case destroy_devl will just keep looping until the read/write completes.

--
Anish Mistry
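The ordering described in the message above, as an added user-space model in C; it is not code from the original post or from the linked patch. All names (`softc` fields, `read_unchecked`, `read_checked`, `detach`) are hypothetical, `-EFAULT` stands in for the crash, and the model is single-threaded, so it shows where the check sits relative to the reference count, not the locking.

```c
#include <errno.h>
#include <stdio.h>

struct softc {     /* hypothetical model, not FreeBSD's ugen_softc */
    int dying;     /* set once detach has started (models sc_dying) */
    int refcnt;    /* callers currently inside the driver */
    int *endpoint; /* per-device state released by detach */
};

/* Worker: touches device state, so it must not run after release. */
static int do_read(struct softc *sc)
{
    return sc->endpoint ? *sc->endpoint : -EFAULT; /* -EFAULT models the crash */
}

/* Before: takes a reference and calls the worker with no dying check. */
int read_unchecked(struct softc *sc)
{
    sc->refcnt++;
    int r = do_read(sc);
    sc->refcnt--;
    return r;
}

/* After: refuse new callers before the reference count is touched. */
int read_checked(struct softc *sc)
{
    if (sc->dying)
        return -ENXIO;
    return read_unchecked(sc);
}

/* Detach: mark dying; release only at refcnt 0, else -EBUSY (pending I/O). */
int detach(struct softc *sc)
{
    sc->dying = 1;
    if (sc->refcnt > 0)
        return -EBUSY;
    sc->endpoint = NULL;
    return 0;
}

int main(void)
{
    int ep = 7; /* constructed sample endpoint data */
    struct softc sc = { 0, 0, &ep };
    detach(&sc);
    printf("unchecked=%d checked=%d\n", read_unchecked(&sc), read_checked(&sc));
    return 0;
}
```

The `-EBUSY` return corresponds to the case the message says is not fixed: a caller that entered before detach still holds its reference, so detach cannot finish until that call completes.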