John Wehle wrote this message on Thu, Jan 29, 2004 at 01:35 -0500:
> device_delete_child works by starting with the grandchildren
> working back towards the immediate child. Several drivers
> (i.e. if_xl.c, if_wx.c, iicbb.c) have code similar to:
>
>   xxx_attach()
>   {
>
>   ...
>   sc->child_dev = device_add_child ...
>   }
>
>   xxx_detach()
>   {
>
>   bus_generic_detach ();
>   if (sc->child_dev)
>     device_delete_child ...
>   }
>
> The problem is using device_delete_child on one of these
> drivers causes the grandchild to be freed twice. When
> device_delete_child is called for xxx, it recurses since
> xxx has a child. The grandchild is detached and deleted.
> xxx_detach is then called which calls device_delete_child
> for the grandchild a second time causing a panic.

Yes, I know about this problem. One of the problems with this also is
that the newbus code isn't properly locked, nor are ref counts kept on
who has a pointer, so that as device_delete_child happens, you can easily
end up accessing a free'd device as you point out...

There are many issues with the code, if you are interested in fixing
these, drop me an email and I'll tell you more about them. I ran into
these issues myself when writing my Zoran driver and working with the
iicbus code.

--
John-Mark Gurney  Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

Received on Mon Feb 09 2004 - 12:03:07 UTC
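
The delete ordering described in the quoted message, as an added example that is not part of the thread and is not FreeBSD newbus code: a toy device tree in which nodes are only flagged as freed, so the second delete of the grandchild is counted instead of crashing. All names (`struct dev`, `add_child`, `drv_detach`, `delete_child`, `run_scenario`) are hypothetical, and the `guarded` check is an assumed illustration of re-checking the tree before using a cached pointer, not a fix proposed in the thread.

```c
#include <string.h>

/* Toy model of the device tree in the message; NOT FreeBSD newbus code.
 * Nodes are only flagged as freed, so a second delete is counted safely. */
struct dev {
    struct dev *parent, *child;  /* one child is enough for this case */
    struct dev *cached_child;    /* models sc->child_dev saved at attach */
    int freed;
    int guarded;                 /* assumption: detach re-checks the tree */
};
static struct dev pool[4];
static int ndev, double_deletes;

static struct dev *add_child(struct dev *parent, int guarded) {
    struct dev *d = &pool[ndev++];
    memset(d, 0, sizeof *d);
    d->parent = parent;
    d->guarded = guarded;
    if (parent) parent->child = parent->cached_child = d;
    return d;
}

static void delete_child(struct dev *parent, struct dev *d);
/* Models xxx_detach(): deletes the child via the pointer cached at attach. */
static void drv_detach(struct dev *d) {
    struct dev *c = d->cached_child;
    if (c == NULL) return;
    if (d->guarded && d->child != c) return;  /* bus already removed it */
    delete_child(d, c);
}

/* Models the order described: grandchildren, then driver detach, then free. */
static void delete_child(struct dev *parent, struct dev *d) {
    if (d->freed) { double_deletes++; return; }  /* real code: freed twice */
    if (d->child) delete_child(d, d->child);
    drv_detach(d);
    d->freed = 1;
    if (parent && parent->child == d) parent->child = NULL;
}

/* Build root -> xxx -> grandchild, delete xxx, return the double deletes. */
int run_scenario(int guarded) {
    ndev = 0; double_deletes = 0;
    struct dev *root = add_child(NULL, 0);
    struct dev *xxx = add_child(root, guarded);
    add_child(xxx, 0);
    delete_child(root, xxx);
    return double_deletes;
}
```

`run_scenario(0)` follows the pattern from the quoted drivers and records one double delete; `run_scenario(1)` records none because the detach routine sees the grandchild is no longer attached.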