Date: Sat, 22 Apr 2006 16:22:07 -0400 From: Anish Mistry <mistry.7@osu.edu> To: freebsd-current@freebsd.org Cc: Ian Dowse <iedowse@freebsd.org> Subject: Re: [PATCH] ugen detach race Message-ID: <200604221622.14785.mistry.7@osu.edu> In-Reply-To: <200604221459.43050.mistry.7@osu.edu> References: <200604050354.19659.mistry.7@osu.edu> <200604050444.51670.mistry.7@osu.edu> <200604221459.43050.mistry.7@osu.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart2894474.2X4GNkXOg8 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 22 April 2006 14:59, Anish Mistry wrote: > On Wednesday 05 April 2006 04:44, Anish Mistry wrote: > > On Wednesday 05 April 2006 03:53, Anish Mistry wrote: > > > While working on getting hplip ported I ran across a race > > > condition in the ugen code that causes a crash. The following > > > patch fixes a problem where read, write, and ioctl can be > > > called during a detach since sc_dying isn't checked before > > > bumping the reference count. This puts the sc_dying check > > > before the *_do_* functions are called. This includes the patch > > > from usb/81308 to prevent polling on the control endpoint. As > > > well as a few NULL pointer checks from NetBSD. This patch is > > > applicable to RELENG_6. > > > > And CURRENT. > > > > > http://am-productions.biz/docs/ugen-detach-race.patch > > > > > > This doesn't fix the case where an application has a read/write > > > pending and then detach is called. In this case destroy_devl > > > will just keep looping until the read/write completes. > > I've updated the patch. It now includes the fix for the panic on > detach when a process has a device open when a detach occurs. ugen > now no longer waits for the process to close the connection and > just cuts it off. > Applies to RELENG_6 and CURRENT. > > http://am-productions.biz/docs/ugen-detach-race.patch > > The patch should fix usb/93949 too. > This seems to fix all the panics I'm seeing with the ugen device.=20 > It would be nice if this could make it into 6.1. I added another panic fix. An error was introduced in rev 1.94 on=20 ugen.c in the USB_SET_CONFIG ioctl case that calls=20 ugen_make_devnodes. This causes a panic since this logic was moved=20 to ugen_set_config a while ago. Removing the ugen_make_devnodes()=20 call from ugen_do_ioctl fixes the problem. This bug made it trivial=20 to cause a panic when there was access to any ugen device. http://am-productions.biz/docs/ugen-detach-race.patch =2D-=20 Anish Mistry --nextPart2894474.2X4GNkXOg8 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQBESpB2xqA5ziudZT0RAv9aAJ0aBxdC0p7IAQj58SkJBGE7CkaitwCgnPbG iW0iIu5sylGeWWVQLVSrQiY= =4rh2 -----END PGP SIGNATURE----- --nextPart2894474.2X4GNkXOg8--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200604221622.14785.mistry.7>