kern/99758: chown/chmod pty slave side in kernel

Atsuo Ohki ohki at
Sun Jul 9 13:20:24 UTC 2006

The following reply was made to PR kern/99758; it has been noted by GNATS.

From: Atsuo Ohki <ohki at>
To: "Wojciech A. Koszek" <wkoszek at>
Cc: Robert Watson <rwatson at>, freebsd-gnats-submit at,
        freebsd-bugs at
Subject: Re: kern/99758: chown/chmod pty slave side in kernel
Date: Sun, 09 Jul 2006 22:19:42 +0900

 "Wojciech A. Koszek" writes:
 > Sure. I'm willing to hear more about your changes and patches! To reproduce
 > problems I've seen, try to download Peter Wemm's stress suite, compile it,
 > and run PTY code. As I recall, after unpacking stress2.tgz you'll have
 > script and pty<some_extension>. You run it by typing: ./run
 > ./pty<some_extension_maybe_conf>. Try to switch to other virtual terminal
 > and login.
  I got stress2.tgz and done `./ pty.cfg' and got the message like
 	Memory modified after free ...
 	Most recently used by DEVFS1
  The reason for this panic is devfs_close() in fs/devfs/devfs_vnops.c.
  As you see, devfs_close() eventually calls ptcclose()/ptsclose()
  which calls pty_maybecleanup() destroying devs for ptc&pts, but
  devfs_close() then calls dev_relthread() which may access just freeed dev.
  I'm afraid that devfs is not designed to handle destroing dev during
  close operation.
  I'm working on this problem with the idea:
   i) destory_dev() should not free dev, but just mark inactive.
   ii) devfs_populate() should actually free an inactive dev.
   iii) modify devfs_find() and other routines to take care of an inactive dev.
  But no success yet ;-<

More information about the freebsd-bugs mailing list