From: Peter Wemm
To: current@freebsd.org
Cc: peter@wemm.org
Date: Tue, 10 Jul 2007 09:41:31 -0700
Message-Id: <200707100941.31421.peter@wemm.org>
Subject: Re: kqueue bug in 7.x with "things" that go away.

Initial patch that fixes the crashes:
http://people.freebsd.org/~peter/tty.diff

Problems:

ttyfree() was freeing the cdev(). But if there were pending kevents, filt_ttyrdetach() etc. would later attempt to dereference cdev->si_tty, causing a 0xdeadc0de dereference.

Also, ttygone() merely issued a bunch of wakeup() calls. That woke things that were blocked in various states, but nothing was done about getting the attention of select(), sigio or kevent() users. I added code to wake them up.

Also, the kevent filters didn't check TS_GONE. If it's set, I made it return EV_EOF immediately.

Problems not solved:

The 'struct tty' obtained by drivers from ttyalloc() is not freed in a bunch of cases. I think ttyfree() should call ttyrel() to release the reference count that ttyalloc() implicitly returned with. If there are still other references, then that is tough luck, we'd have leaked it anyway.

--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
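
The lifetime rules discussed in the message above, as an added user-space C model that is not part of the original e-mail and is not the code in tty.diff or FreeBSD's tty layer. Every `model_*` name, the struct layouts and the flag values are assumptions for illustration; the model has the event note hold its own counted reference to the tty, the read filter report EOF once the gone flag is set, and the free path drop the allocator's reference.

```c
/* User-space model, not FreeBSD kernel code. Names and values are assumed. */
#include <stdlib.h>
#define TS_GONE 0x1     /* constructed flag value for this model */
#define EV_EOF  0x8000  /* constructed flag value for this model */
struct model_tty   { int t_state, t_refcnt, t_rawcc, t_knotes, t_notified; };
struct model_knote { struct model_tty *kn_tty; int kn_flags, kn_data; };
struct model_tty *model_ttyalloc(void) {
    struct model_tty *tp = calloc(1, sizeof(*tp));
    if (tp != NULL) tp->t_refcnt = 1;  /* reference implicitly handed to the driver */
    return tp;
}
/* Drop one reference; free on the last. Returns 1 if the tty was freed. */
int model_ttyrel(struct model_tty *tp) {
    if (--tp->t_refcnt > 0) return 0;
    free(tp); return 1;
}
/* The knote points at the tty itself and owns a reference to it. */
void model_attach(struct model_knote *kn, struct model_tty *tp) {
    kn->kn_tty = tp; tp->t_refcnt++; tp->t_knotes++;
}
/* Safe after removal: the knote's reference kept the tty alive. */
int model_detach(struct model_knote *kn) {
    struct model_tty *tp = kn->kn_tty;
    kn->kn_tty = NULL; tp->t_knotes--;
    return model_ttyrel(tp);
}
/* Read filter: report EOF immediately once the tty is gone. */
int model_filt_read(struct model_knote *kn) {
    if (kn->kn_tty->t_state & TS_GONE) { kn->kn_flags |= EV_EOF; return 1; }
    kn->kn_data = kn->kn_tty->t_rawcc;
    return kn->kn_data > 0;
}
/* Removal: mark gone, notify event waiters, drop the driver's reference. */
int model_ttyfree(struct model_tty *tp) {
    tp->t_state |= TS_GONE;
    tp->t_notified = tp->t_knotes;  /* stands in for waking select/sigio/kevent users */
    return model_ttyrel(tp);
}
/* Returns 0 if each step behaves as described, else the failing step number. */
int model_scenario(void) {
    struct model_tty *tp = model_ttyalloc();
    struct model_knote kn = { NULL, 0, 0 };
    if (tp == NULL) return -1;
    model_attach(&kn, tp);
    if (model_filt_read(&kn) != 0) return 1;                    /* idle tty: not ready */
    if (model_ttyfree(tp) != 0 || tp->t_notified != 1) return 2; /* knote ref keeps it alive */
    if (model_filt_read(&kn) != 1 || !(kn.kn_flags & EV_EOF)) return 3;
    return model_detach(&kn) == 1 ? 0 : 4;                      /* last reference frees */
}
int main(void) { return model_scenario(); }
```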