Date:      Tue, 10 Jul 2007 09:41:31 -0700
From:      Peter Wemm <peter@wemm.org>
To:        current@freebsd.org
Cc:        peter@wemm.org
Subject:   Re: kqueue bug in 7.x with "things" that go away.
Message-ID:  <200707100941.31421.peter@wemm.org>

Initial patch that fixes the crashes:
http://people.freebsd.org/~peter/tty.diff

Problems:
ttyfree() was freeing the cdev().  But if there were pending kevents, 
filt_ttyrdetach() etc would later attempt to dereference cdev->si_tty,
causing a 0xdeadc0de dereference.

Also, ttygone() merely issued a bunch of wakeup() calls.  That woke 
things that were blocked in various states, but nothing was done about 
getting the attention of select(), sigio or kevent() users.  I added 
code to wake them up.

Also, the kevent filters didn't check TS_GONE.  If it's set, I made it 
return EV_EOF immediately.

Problems not solved:  The 'struct tty' obtained by drivers from 
ttyalloc() is not freed in a bunch of cases.  I think ttyfree() should 
call ttyrel() to release the reference count that ttyalloc() implicitly 
returned with.  If there are still other references, then that is tough 
luck, we'd have leaked it anyway.
-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
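A constructed C model of the two fixes the mail describes (detaching kevents before the backing object is freed, and having the read filter return EV_EOF once TS_GONE is set), added here as an example; it is not Peter's patch or FreeBSD's tty code, and the struct layouts, the t_rsel knote list, tty_attach_knote and the EV_EOF value are simplified assumptions.

```c
/* Constructed model of the tty/kevent lifetime problem; not FreeBSD's code. */
#include <stdlib.h>
#define TS_GONE 0x1   /* the tty's device has gone away */
#define EV_EOF  0x2   /* constructed stand-in for kqueue's EV_EOF flag */
struct tty;
struct knote {                 /* one kevent registered on the tty */
    struct tty   *kn_tty;      /* back-pointer (cdev->si_tty in the real code); NULL once detached */
    int           kn_flags;
    struct knote *kn_next;
};
struct tty {
    int           t_state;
    int           t_inq;       /* bytes waiting for readers */
    struct knote *t_rsel;      /* constructed: list of attached read knotes */
};
static struct tty *ttyalloc(void) { return calloc(1, sizeof(struct tty)); }
static void tty_attach_knote(struct tty *tp, struct knote *kn)
{
    kn->kn_tty = tp; kn->kn_flags = 0; kn->kn_next = tp->t_rsel; tp->t_rsel = kn;
}

/* Read filter: once TS_GONE is set (or the knote is detached) report EV_EOF
 * immediately instead of looking at the input queue. */
static int filt_ttyread(struct knote *kn)
{
    struct tty *tp = kn->kn_tty;
    if (tp == NULL || (tp->t_state & TS_GONE)) {
        kn->kn_flags |= EV_EOF;
        return 1;              /* "ready", so a blocked kevent() caller returns */
    }
    return tp->t_inq > 0;
}
/* ttygone: mark the tty gone and re-run every attached filter, so kevent()
 * waiters are woken with EOF rather than left sleeping. Returns waiters woken. */
static int ttygone(struct tty *tp)
{
    int woken = 0;
    tp->t_state |= TS_GONE;
    for (struct knote *kn = tp->t_rsel; kn != NULL; kn = kn->kn_next)
        woken += filt_ttyread(kn);
    return woken;
}

/* ttyfree: detach every knote (clear its back-pointer) BEFORE the object is
 * freed, so a later detach or filter call never follows a dangling pointer. */
static void ttyfree(struct tty *tp)
{
    for (struct knote *kn = tp->t_rsel; kn != NULL; kn = kn->kn_next)
        kn->kn_tty = NULL;
    tp->t_rsel = NULL;
    free(tp);
}
```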