kern/99758: chown/chmod pty slave side in kernel
Atsuo Ohki
ohki at gssm.otsuka.tsukuba.ac.jp
Sun Jul 9 13:20:24 UTC 2006
The following reply was made to PR kern/99758; it has been noted by GNATS.
From: Atsuo Ohki <ohki at gssm.otsuka.tsukuba.ac.jp>
To: "Wojciech A. Koszek" <wkoszek at FreeBSD.org>
Cc: Robert Watson <rwatson at FreeBSD.org>, freebsd-gnats-submit at FreeBSD.org,
freebsd-bugs at FreeBSD.org
Subject: Re: kern/99758: chown/chmod pty slave side in kernel
Date: Sun, 09 Jul 2006 22:19:42 +0900
"Wojciech A. Koszek" writes:
> Sure. I'm willing to hear more about your changes and patches! To reproduce
> problems I've seen, try to download Peter Wemm's stress suite, compile it,
> and run PTY code. As I recall, after unpacking stress2.tgz you'll have
> run.sh script and pty<some_extension>. You run it by typing: ./run
> ./pty<some_extension_maybe_conf>. Try to switch to other virtual terminal
> and login.
I got stress2.tgz and done `./run.sh pty.cfg' and got the message like
Memory modified after free ...
Most recently used by DEVFS1
The reason for this panic is devfs_close() in fs/devfs/devfs_vnops.c.
As you see, devfs_close() eventually calls ptcclose()/ptsclose()
which calls pty_maybecleanup() destroying devs for ptc&pts, but
devfs_close() then calls dev_relthread() which may access just freeed dev.
I'm afraid that devfs is not designed to handle destroing dev during
close operation.
I'm working on this problem with the idea:
i) destory_dev() should not free dev, but just mark inactive.
ii) devfs_populate() should actually free an inactive dev.
iii) modify devfs_find() and other routines to take care of an inactive dev.
But no success yet ;-<
More information about the freebsd-bugs
mailing list