kqueue bug in 7.x with "things" that go away.
Peter Wemm
peter at wemm.org
Tue Jul 10 16:41:32 UTC 2007
Initial patch that fixes the crashes:
http://people.freebsd.org/~peter/tty.diff
Problems:
ttyfree() was freeing the cdev(). But if there were pending kevents,
filt_ttyrdetach() etc would later attempt to dereference cdev->si_tty,
causing a 0xdeadc0de dereference.
Also, ttygone() merely issued a bunch of wakeup() calls. That woke
things that were blocked in various states, but nothing was done about
getting the attention of select(), sigio or kevent() users. I added
code to wake them up.
Also, the kevent filters didn't check TS_GONE. If it's set, I made it
return EV_EOF immediately.
Problems not solved: The 'struct tty' obtained by drivers from
ttyalloc() is not freed in a bunch of cases. I think ttyfree() should
call ttyrel() to release the reference count that ttyalloc() implicitly
returned with. If there are still other references, then that is tough
luck, we'd have leaked it anyway.
--
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
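The teardown sequence described in the mail, as an added model in C that is neither FreeBSD's sys/tty.c nor the patch linked above: a kevent attached to a tty, ttygone() setting TS_GONE and flagging every attached kevent, the read filter reporting EV_EOF, and ttyfree() unhooking the knotes before freeing so a later filt_ttyrdetach() has no dangling pointer to dereference. Struct layouts, list handling and flag values are simplified assumptions, not the kernel's.

```c
#include <stdlib.h>
/* Simplified model of the tty/kqueue teardown in the mail, not FreeBSD's sys/tty.c;
 * names follow the mail, struct layouts and flag values are placeholders. */
#define TS_GONE 0x01
#define EV_EOF  0x8000
struct knote { struct tty *kn_hook; int kn_flags; struct knote *kn_next; }; /* one kevent; kn_hook is NULL once the tty is freed */
struct tty { int t_state; int t_rawcc; struct knote *t_rsel; };              /* state, pending bytes, attached kevents */
/* Attach: the knote remembers the tty and the tty remembers the knote. */
void filt_ttyrattach(struct tty *tp, struct knote *kn) {
    kn->kn_hook = tp; kn->kn_flags = 0;
    kn->kn_next = tp->t_rsel; tp->t_rsel = kn;
}
/* Read filter: fires on data, or at once with EV_EOF when TS_GONE is set, so it never inspects a device that is gone. */
int filt_ttyread(struct knote *kn) {
    struct tty *tp = kn->kn_hook;
    if (tp == NULL || (tp->t_state & TS_GONE)) { kn->kn_flags |= EV_EOF; return 1; }
    return tp->t_rawcc > 0;
}
/* ttygone: mark the tty gone and flag every attached kevent, not only sleepers. */
void ttygone(struct tty *tp) {
    tp->t_state |= TS_GONE;
    for (struct knote *kn = tp->t_rsel; kn != NULL; kn = kn->kn_next) kn->kn_flags |= EV_EOF;
}
/* ttyfree: unhook every knote before releasing the memory, so a later detach sees NULL, not freed memory. */
void ttyfree(struct tty *tp) {
    for (struct knote *kn = tp->t_rsel, *next; kn != NULL; kn = next) { next = kn->kn_next; kn->kn_hook = NULL; kn->kn_next = NULL; }
    free(tp);
}
/* Detach: unlink from a live tty (returns 1); if the tty is already freed there is nothing to touch (returns 0). */
int filt_ttyrdetach(struct knote *kn) {
    struct tty *tp = kn->kn_hook;
    if (tp == NULL) return 0;
    for (struct knote **pp = &tp->t_rsel; *pp != NULL; pp = &(*pp)->kn_next)
        if (*pp == kn) { *pp = kn->kn_next; break; }
    kn->kn_hook = NULL;
    return 1;
}
/* Scenario from the mail: kevent registered, tty goes away and is freed, then the kevent is polled and detached.
 * Returns 1 when every step stayed safe. */
int teardown_scenario(void) {
    struct tty *tp = calloc(1, sizeof *tp);
    if (tp == NULL) return 0;
    struct knote kn;
    filt_ttyrattach(tp, &kn);
    ttygone(tp);
    int fired = filt_ttyread(&kn);        /* gone: 1, with EV_EOF set */
    ttyfree(tp);
    int detached = filt_ttyrdetach(&kn);  /* tty freed: 0, nothing dereferenced */
    return fired == 1 && (kn.kn_flags & EV_EOF) != 0 && detached == 0;
}
```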