Date: Wed, 5 Apr 2006 03:53:57 -0400 From: Anish Mistry <mistry.7@osu.edu> To: freebsd-current@freebsd.org Subject: [PATCH] ugen detach race Message-ID: <200604050354.19659.mistry.7@osu.edu>
next in thread | raw e-mail | index | archive | help
--nextPart4028611.KI2YrRSBHp Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline While working on getting hplip ported I ran across a race condition=20 in the ugen code that causes a crash. The following patch fixes a=20 problem where read, write, and ioctl can be called during a detach=20 since sc_dying isn't checked before bumping the reference count. =20 This puts the sc_dying check before the *_do_* functions are called. =20 This includes the patch from usb/81308 to prevent polling on the=20 control endpoint. As well as a few NULL pointer checks from NetBSD. =20 This patch is applicable to RELENG_6. http://am-productions.biz/docs/ugen-detach-race.patch This doesn't fix the case where an application has a read/write=20 pending and then detach is called. In this case destroy_devl will=20 just keep looping until the read/write completes. =2D-=20 Anish Mistry --nextPart4028611.KI2YrRSBHp Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBEM3erxqA5ziudZT0RAlGZAJ0TSVBxCXNRkQVXDwcGL7eGu93D6wCdExde JtVKuqPsDTCHhYN8fF0eGVs= =BEn/ -----END PGP SIGNATURE----- --nextPart4028611.KI2YrRSBHp--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200604050354.19659.mistry.7>