From owner-cvs-all@FreeBSD.ORG  Tue Jan  8 04:53:29 2008
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 770FB16A419;
	Tue,  8 Jan 2008 04:53:29 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org
	[IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 6E61013C45A;
	Tue,  8 Jan 2008 04:53:29 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m084rTFK081530;
	Tue, 8 Jan 2008 04:53:29 GMT (envelope-from jhb@repoman.freebsd.org)
Received: (from jhb@localhost)
	by repoman.freebsd.org (8.14.1/8.14.1/Submit) id m084rTGa081529;
	Tue, 8 Jan 2008 04:53:29 GMT (envelope-from jhb)
Message-Id: <200801080453.m084rTGa081529@repoman.freebsd.org>
From: John Baldwin <jhb@FreeBSD.org>
Date: Tue, 8 Jan 2008 04:53:29 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Cc: 
Subject: cvs commit: src/sys/kern tty.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jan 2008 04:53:29 -0000

jhb         2008-01-08 04:53:29 UTC

  FreeBSD src repository

  Modified files:
    sys/kern             tty.c 
  Log:
  Close a race in the kern.ttys sysctl handler that resulted in panics in
  dev2udev() when a tty was being detached concurrently with the sysctl
  handler:
  - Hold the 'tty_list_mutex' lock while we read all the fields out of the
    struct tty for copying out later.  Previously the pty(4) and pts(4)
    destroy routines could set t_dev to NULL, drop their reference on the
    tty and destroy the cdev while the sysctl handler was attempting to
    invoke dev2udev() on the cdev being destroyed.  This happened when the
    sysctl handler read the value of t_dev prior to it being set to NULL
    either due to it being stale or due to timing races.  By holding the
    list lock we guarantee that the destroy routines will block in ttyrel()
    in that case and not destroy the cdev until after we've copied all of our
    data.  We may see a NULL cdev pointer or we may see the previous value,
    but the previous value will no longer point to a destroyed cdev if we
    see it.
  - Fix the ttyfree() routine used by tty device drivers in their detach
    methods to use ttyrel() on the tty so we don't leak them.  Also, fix it
    to use the same order of operations as pty/pts destruction (set t_dev
    NULL, ttyrel(), destroy_dev()) so it cooperates with the sysctl handler.
  
  MFC after:      3 days
  Tested by:      avatar
  
  Revision  Changes    Path
  1.274     +20 -3     src/sys/kern/tty.c