[PATCH] ugen detach race

Anish Mistry mistry.7 at osu.edu
Sat Apr 22 20:22:12 UTC 2006


On Saturday 22 April 2006 14:59, Anish Mistry wrote:
> On Wednesday 05 April 2006 04:44, Anish Mistry wrote:
> > On Wednesday 05 April 2006 03:53, Anish Mistry wrote:
> > > 	While working on getting hplip ported I ran across a race
> > > condition in the ugen code that causes a crash.  The following
> > > patch fixes a problem where read, write, and ioctl can be
> > > called during a detach since sc_dying isn't checked before
> > > bumping the reference count. This puts the sc_dying check
> > > before the *_do_* functions are called. This includes the patch
> > > from usb/81308 to prevent polling on the control endpoint.  As
> > > well as a few NULL pointer checks from NetBSD. This patch is
> > > applicable to RELENG_6.
> >
> > And CURRENT.
> >
> > > http://am-productions.biz/docs/ugen-detach-race.patch
> > >
> > > This doesn't fix the case where an application has a read/write
> > > pending and then detach is called.  In this case destroy_devl
> > > will just keep looping until the read/write completes.
>
> I've updated the patch.  It now includes the fix for the panic on
> detach when a process has a device open when a detach occurs.  ugen
> now no longer waits for the process to close the connection and
> just cuts it off.
> Applies to RELENG_6 and CURRENT.
>
> http://am-productions.biz/docs/ugen-detach-race.patch
>
> The patch should fix usb/93949 too.
> This seems to fix all the panics I'm seeing with the ugen device. 
> It would be nice if this could make it into 6.1.
I added another panic fix.  An error was introduced in rev 1.94 on 
ugen.c in the USB_SET_CONFIG ioctl case that calls 
ugen_make_devnodes.  This causes a panic since this logic was moved 
to ugen_set_config a while ago.  Removing the ugen_make_devnodes() 
call from ugen_do_ioctl fixes the problem.  This bug made it trivial 
to cause a panic when there was access to any ugen device.

http://am-productions.biz/docs/ugen-detach-race.patch

-- 
Anish Mistry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20060422/6042b596/attachment.pgp


More information about the freebsd-current mailing list