Date: Thu, 4 Jan 2007 13:02:08 +0200
From: Kostik Belousov <kostikbel@gmail.com>
To: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
Cc: freebsd-hackers@freebsd.org, Eugene Grosbein <eugen@kuzbass.ru>
Subject: Re: WITNESS & RELENG_6
Message-ID: <20070104110208.GG21325@deviant.kiev.zoral.com.ua>
In-Reply-To: <20070104105208.GA78979@svzserv.kemerovo.su>
References: <20070103141820.GA1014@grosbein.pp.ru> <200701031601.05541.jhb@freebsd.org> <20070104040727.GD21325@deviant.kiev.zoral.com.ua> <20070104103708.GF21325@deviant.kiev.zoral.com.ua> <20070104105208.GA78979@svzserv.kemerovo.su>
On Thu, Jan 04, 2007 at 05:52:08PM +0700, Eugene Grosbein wrote:
> On Thu, Jan 04, 2007 at 12:37:08PM +0200, Kostik Belousov wrote:
>
> > The problem is revealed by INVARIANTS option, not by WITNESS, and is definitely the use-after-free.
> >
> > in src/nvidia_dev.c, nvidia_dev_close(), that is cdevsw.d_close proc,
> > the destroy_dev() is called. Please, apply rev. 1.199 of sys/kern/kern_conf.c.
> > I expect that crashes shall stop, but non-killable processes (in the "devdrn")
> > state would accumulate.
> >
> > Please, confirm.
>
> I've tried to apply 1.199 to RELENG_6 but failed:
> one of three chunks has been rejected.
>

Hmm, it needs 1.198 as well. Below is aggregated patch against RELENG_6.

Index: kern_conf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/local/arch/ncvs/src/sys/kern/kern_conf.c,v retrieving revision 1.186.2.7 diff -u -r1.186.2.7 kern_conf.c --- kern_conf.c 30 Oct 2006 15:43:56 -0000 1.186.2.7 +++ kern_conf.c 4 Jan 2007 10:59:33 -0000 
@@ -676,16 +676,20 @@ dev->si_flags &=3D ~SI_CLONELIST; } =20 + dev->si_refcount++; /* Avoid race with dev_rel() */ csw =3D dev->si_devsw; dev->si_devsw =3D NULL; /* already NULL for SI_ALIAS */ while (csw !=3D NULL && csw->d_purge !=3D NULL && dev->si_threadcount) { - printf("Purging %lu threads from %s\n", - dev->si_threadcount, devtoname(dev)); csw->d_purge(dev); msleep(csw, &devmtx, PRIBIO, "devprg", hz/10); + if (dev->si_threadcount) + printf("Still %lu threads in %s\n", + dev->si_threadcount, devtoname(dev)); + } + while (dev->si_threadcount !=3D 0) { + /* Use unique dummy wait ident */ + msleep(&csw, &devmtx, PRIBIO, "devdrn", hz / 10); } - if (csw !=3D NULL && csw->d_purge !=3D NULL) - printf("All threads purged from %s\n", devtoname(dev)); =20 dev->si_drv1 =3D 0; dev->si_drv2 =3D 0; @@ -700,6 +704,7 @@ fini_cdevsw(csw); } dev->si_flags &=3D ~SI_ALIAS; + dev->si_refcount--; /* Avoid race with dev_rel() */ =20 if (dev->si_refcount > 0) { LIST_INSERT_HEAD(&dead_cdevsw.d_devs, dev, si_list);
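
Review bot: In the first hunk (@@ -676,16 +676,20 @@), the added loop `while (dev->si_threadcount != 0)` sleeping on "devdrn" has no exit other than the count reaching zero and, unlike the d_purge loop above it, prints nothing, so a thread that enters destroy_dev() while it is itself counted in si_threadcount (the d_close case described in this thread) waits there silently, and the msleep() at PRIBIO without PCATCH cannot be interrupted by a signal. Suggest keeping a diagnostic in this loop as well (the "Still %lu threads in %s" printf is only reached when csw->d_purge is set) and adding a comment that destroy_dev() must not be called from a context that still holds a thread reference on the same dev. The printf in the purge loop now fires on every hz/10 wakeup while threads remain, so it may be worth rate-limiting.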
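
Review bot: In the second hunk (@@ -700,6 +704,7 @@), the comment on `dev->si_refcount--;` repeats "Avoid race with dev_rel()" verbatim from the increment, which hides that this line drops the temporary reference taken before the msleep() calls; reword it to say that it releases that reference. Because `if (dev->si_refcount > 0)` on the following line decides whether the dev is put on the dead_cdevsw list, a comment stating that devmtx is held from the decrement through that test would also help, since the visible context (fini_cdevsw(csw) just above) does not make that obvious.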