From owner-cvs-all Sat Aug 14 6:24:47 1999 Delivered-To: cvs-all@freebsd.org Received: from ns.skylink.it (ns.skylink.it [194.177.113.1]) by hub.freebsd.org (Postfix) with ESMTP id 8944B14C20; Sat, 14 Aug 1999 06:24:40 -0700 (PDT) (envelope-from n_hibma@skylink.it) Received: from heidi.plazza.it (va-148.skylink.it [194.185.55.148]) by ns.skylink.it (8.9.1/8.8.8) with ESMTP id PAA04457; Sat, 14 Aug 1999 15:23:37 +0200 Received: from localhost (localhost [127.0.0.1]) by heidi.plazza.it (8.9.3/8.8.5) with ESMTP id NAA00984; Sat, 14 Aug 1999 13:14:25 GMT Date: Sat, 14 Aug 1999 13:14:24 +0000 (GMT) From: Nick Hibma X-Sender: n_hibma@heidi.plazza.it Reply-To: Nick Hibma To: Bill Paul Cc: CVS Committers FreeBSD , cvs-all@FreeBSD.org, Doug Rabson Subject: Re: cvs commit: src/sys/kern subr_bus.c In-Reply-To: <199908140511.WAA70637@freefall.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk Nasty one. I suggest the following patch as a follow up, I think this is where the confusion came from: RCS file: /home/ncvs/src/sys/kern/subr_bus.c,v retrieving revision 1.36 diff -u -r1.36 subr_bus.c --- subr_bus.c 1999/08/14 05:11:01 1.36 +++ subr_bus.c 1999/08/14 13:12:51 @@ -128,7 +128,7 @@ desc->offset = m->offset; desc->method = m; m->refs++; - PDEBUG(("methods %p has the same name, %s, with offset %d", + PDEBUG(("method %p has the same name, %s, with offset %d", (void *)m, desc->name, desc->offset)); return; } 
@@ -154,11 +154,11 @@ static void unregister_method(struct device_op_desc *desc) { - struct method *m = desc->method; - m->refs--; - if (m->refs == 0) { - LIST_REMOVE(m, link); - free(m, M_DEVBUF); + desc->method->refs--; + if (desc->method->refs == 0) { + PDEBUG(("method %s, reached refcount 0", desc->name)); + LIST_REMOVE(desc->method, link); + free(desc->method, M_DEVBUF); desc->method = 0; } } Nick On Fri, 13 Aug 1999, Bill Paul wrote: > wpaul 1999/08/13 22:11:02 PDT > > Modified files: > sys/kern subr_bus.c > Log: > Grrrr. Fix a really lame bug that I tripped over while testing my miibus > stuff: unregister_methods() is horribly broken. The idea, if I'm not mistaken, > is that the refcount on a method is decremented, and only when it reaches > zero is the method freed. However desc->method is set to NULL unconditionally > regardless of the refcount, which means the method pointer is trashed the > first time the method is deallocated. The obvious detrimental effect is > that memory is leaked. The not so obvious effect is that when you call > unregister_method() the second time on the same method, you get a NULL > pointer dereference and a panic. > > Now I can successfully unload network device drivers and the miibus module > without crashing the system. > > *sigh* > > Revision Changes Path > 1.36 +2 -2 src/sys/kern/subr_bus.c > > > -- e-Mail: hibma@skylink.it To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
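Review bot: In the second hunk, unregister_method() now opens with `desc->method->refs--` and still has no check that desc->method is non-NULL. Once the refcount has reached 0 and `desc->method = 0` has run, one more call on the same descriptor is a NULL pointer dereference of the kind the quoted commit log describes. Consider returning early, or asserting, when desc->method is NULL before the decrement. Dropping the local `m` also means desc->method is re-read on every line; keeping `struct method *m = desc->method;` would reduce this hunk to the one added PDEBUG line. In that PDEBUG, the comma in "method %s, reached refcount 0" can go.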
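The refcount bug described in the quoted commit log, as an added example that is not part of the original mail or of the FreeBSD source: a user-space C model showing the leak and the unbalanced second unregister call. The struct layout, `live_methods`, `clear_always` and `run` are assumptions made for illustration, and the model returns -1 at the point where the kernel code dereferenced NULL.

```c
/* Added example: user-space model of the refcount logic, not FreeBSD code. */
#include <stdio.h>
#include <stdlib.h>
struct method { int refs; };
struct op_desc { struct method *method; };  /* hypothetical stand-in */
static int live_methods;                    /* allocated, not yet freed */

static void register_method(struct op_desc *d)
{
    if (d->method == NULL) {                /* first user allocates */
        if ((d->method = calloc(1, sizeof(*d->method))) == NULL)
            abort();
        live_methods++;
    }
    d->method->refs++;
}

/* clear_always=1 models the behaviour the commit log describes;
 * clear_always=0 clears the pointer only when the last reference goes. */
static int unregister_method(struct op_desc *d, int clear_always)
{
    if (d->method == NULL)
        return -1;      /* the kernel had no such check and panicked here */
    if (--d->method->refs == 0) {
        free(d->method);
        live_methods--;
        d->method = NULL;
    }
    if (clear_always)
        d->method = NULL;   /* bug: pointer lost while refs > 0, so it leaks */
    return 0;
}

/* Register one descriptor twice, unregister twice; return leaked methods. */
static int run(int clear_always, int *second_rc)
{
    struct op_desc d = { NULL };
    live_methods = 0;
    register_method(&d); register_method(&d);
    unregister_method(&d, clear_always);
    *second_rc = unregister_method(&d, clear_always);
    return live_methods;
}

int main(void)
{
    int rc_old, rc_new, old = run(1, &rc_old), cur = run(0, &rc_new);
    printf("pre-fix: leaked=%d rc=%d\nfixed: leaked=%d rc=%d\n", old, rc_old, cur, rc_new);
    return 0;
}
```

The pre-fix run deliberately leaves one allocation unfreed; that leaked method is the "obvious detrimental effect" the commit log mentions.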