device_delete_child works by starting with the grandchildren working
back towards the immediate child. Several drivers (i.e. if_xl.c, if_wx.c,
iicbb.c) have code similar to:

    xxx_attach()
    {
        ...
        sc->child_dev = device_add_child ...
    }

    xxx_detach()
    {
        bus_generic_detach ();
        if (sc->child_dev)
            device_delete_child ...
    }

The problem is using device_delete_child on one of these drivers causes
the grandchild to be freed twice. When device_delete_child is called for
xxx, it recurses since xxx has a child. The grandchild is detached and
deleted. xxx_detach is then called which calls device_delete_child for
the grandchild a second time causing a panic.

It seems to me that any driver which calls device_delete_child as part
of detaching must also implement something like:

    xxx_child_detached()
    {
        if (child == sc->child_dev)
            sc->child_dev = NULL;
    }

    xxx_detach()
    {
        /*
         * Remember the child so we can delete it (bus_generic_detach
         * indirectly zeroes sc->child_dev).
         */
        child = sc->child_dev;

        bus_generic_detach();
        if (child)
            device_delete_child ...
    }

or am I missing something?

-- John
-------------------------------------------------------------------------
|   Feith Systems  |   Voice: 1-215-646-8000  |  Email: john_at_feith.com  |
|    John Wehle    |     Fax: 1-215-540-5495  |                            |
-------------------------------------------------------------------------

Received on Wed Jan 28 2004 - 21:35:27 UTC
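The double delete described in the message above, as an added example that is not part of the original post and is not FreeBSD code: a simplified user-space model in which `struct dev`, `delete_child`, `dev_detach` and the `fixed` flag are hypothetical stand-ins for the newbus device, device_delete_child, device_detach/xxx_detach and the proposed xxx_child_detached change. Nothing is actually freed; a deletion count of 2 on the grandchild marks the double free.

```c
#include <stddef.h>
/* Simplified model of the newbus calls discussed above; every name here is a
 * hypothetical stand-in. `deleted` counts deletions instead of freeing. */
struct dev {
    struct dev *parent, *child; /* bus-level links (one child is enough here) */
    struct dev *sc_child;       /* the driver's cached sc->child_dev */
    int fixed;                  /* driver has xxx_child_detached + saved pointer */
    int attached, deleted;
};

static void dev_detach(struct dev *d);

/* Models device_delete_child(): grandchildren first, then the child itself. */
static void delete_child(struct dev *parent, struct dev *c) {
    if (c->child)
        delete_child(c, c->child);
    dev_detach(c);
    if (parent->child == c)
        parent->child = NULL;
    c->deleted++;               /* the real code frees the device here */
}

/* Models device_detach() invoking the driver's xxx_detach(). */
static void dev_detach(struct dev *d) {
    if (!d->attached) return;
    struct dev *saved = d->sc_child;   /* remembered before generic detach */
    if (d->child)
        dev_detach(d->child);          /* bus_generic_detach() */
    struct dev *victim = d->fixed ? saved : d->sc_child;
    if (victim)
        delete_child(d, victim);
    d->attached = 0;
    /* xxx_child_detached() in the parent driver, if it implements one */
    if (d->parent && d->parent->fixed && d->parent->sc_child == d)
        d->parent->sc_child = NULL;
}

/* Build root -> xxx -> grandchild, tear xxx down, count grandchild deletions. */
static int grandchild_deletions(int fixed, int via_delete_child) {
    struct dev root = {0}, xxx = {0}, gc = {0};
    root.child = &xxx; root.attached = 1;
    xxx.parent = &root; xxx.child = xxx.sc_child = &gc;
    xxx.fixed = fixed; xxx.attached = 1; gc.parent = &xxx; gc.attached = 1;
    if (via_delete_child) delete_child(&root, &xxx); else dev_detach(&xxx);
    return gc.deleted;
}

int main(void) { return grandchild_deletions(1, 1) == 1 ? 0 : 1; }
```

With `fixed` set to 0 and teardown through `delete_child`, the stale `sc_child` pointer survives the recursive pass and the grandchild is deleted a second time from the detach path; a plain detach of the same driver deletes it only once, which is why the problem stays hidden until something calls device_delete_child on the driver itself.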