Date: Sun, 16 Dec 2007 03:27:43 +0100 (CET) From: Dan Lukes <dan@obluda.cz> To: FreeBSD-gnats-submit@FreeBSD.org Subject: i386/118737: [ PATCH ] Panic due double free within detach of cpufreq/est Message-ID: <200712160227.lBG2RhFn001201@kulesh.obluda.cz> Resent-Message-ID: <200712160230.lBG2U1MP099134@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 118737
>Category: i386
>Synopsis: [ PATCH ] Panic due double free within detach of cpufreq/est
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 16 02:30:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 6.3-PRERELEASE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 6.3-PRERELEASE #18: Sun Dec 16 03:05:00 CET 2007 i386
src/sys/i386/cpufreq/est.c,v 1.7.2.1 2006/05/29 22:40:03 njl
As far as I know the problem apply to CURRENT as well
>Description:
on est_detach the sc->freq_list freed but driver cease to detach (ENXIO)
on second try to unload driver the memory is freed second time causing
the panic()
>How-To-Repeat:
On hardware supported by est driver unload cpufreq module - it fail with ENXIO
unload it second time - it will panic
>Fix:
Unregister the driver properly then return NOERROR to upper layer.
--- sys/i386/cpufreq/est.c.ORIG 2007-12-16 02:13:42.000000000 +0100
+++ sys/i386/cpufreq/est.c 2007-12-16 02:26:46.000000000 +0100
@@ -1032,11 +1032,14 @@
est_detach(device_t dev)
{
struct est_softc *sc;
+ int error;
sc = device_get_softc(dev);
- if (sc->acpi_settings)
+
+ error = cpufreq_unregister(dev);
+ if (!error && sc->acpi_settings)
free(sc->freq_list, M_DEVBUF);
- return (ENXIO);
+ return (error);
}
/*
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200712160227.lBG2RhFn001201>