While working on getting hplip ported I ran across a race condition in the ugen code that causes a crash.

The following patch fixes a problem where read, write, and ioctl can be called during a detach since sc_dying isn't checked before bumping the reference count. This puts the sc_dying check before the *_do_* functions are called. This includes the patch from usb/81308 to prevent polling on the control endpoint, as well as a few NULL pointer checks from NetBSD. This patch is applicable to RELENG_6.

http://am-productions.biz/docs/ugen-detach-race.patch

This doesn't fix the case where an application has a read/write pending and then detach is called. In this case destroy_devl will just keep looping until the read/write completes.

--
Anish Mistry
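The ordering described in the message above (test the dying flag before taking a reference, then let detach wait for in-flight callers), as an added userspace illustration that is not part of the original post or of the linked patch. The `model_*` names, the pthread mutex standing in for the kernel's own serialization, and the `EIO` return value are assumptions of this sketch.

```c
/* Userspace model of the ordering fix, not ugen code; all names are hypothetical. */
#include <errno.h>
#include <pthread.h>
struct model_softc {
    pthread_mutex_t lock;
    pthread_cond_t drained;
    int dying;  /* set once detach has started */
    int refcnt; /* callers currently inside read/write/ioctl */
};

/* Gate for read/write/ioctl: test dying before taking a reference, under detach's lock. */
int model_enter(struct model_softc *sc) {
    pthread_mutex_lock(&sc->lock);
    int error = sc->dying ? EIO : 0; /* EIO is this model's choice */
    if (error == 0)
        sc->refcnt++;
    pthread_mutex_unlock(&sc->lock);
    return error;
}

void model_exit(struct model_softc *sc) {
    pthread_mutex_lock(&sc->lock);
    if (--sc->refcnt == 0 && sc->dying)
        pthread_cond_broadcast(&sc->drained);
    pthread_mutex_unlock(&sc->lock);
}
void model_detach_begin(struct model_softc *sc) {
    pthread_mutex_lock(&sc->lock);
    sc->dying = 1;
    pthread_mutex_unlock(&sc->lock);
}

/* Blocks until in-flight callers leave; one that never returns stalls detach. */
void model_detach_wait(struct model_softc *sc) {
    pthread_mutex_lock(&sc->lock);
    while (sc->refcnt > 0)
        pthread_cond_wait(&sc->drained, &sc->lock);
    pthread_mutex_unlock(&sc->lock);
}

int main(void) {
    struct model_softc sc = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0, 0 };
    int first = model_enter(&sc); /* in flight before detach: accepted */
    model_detach_begin(&sc);
    int late = model_enter(&sc);  /* arrives during detach: refused */
    model_exit(&sc);
    model_detach_wait(&sc);
    return !(first == 0 && late == EIO && sc.refcnt == 0);
}
```

If the flag were tested after the increment, or outside the lock, a caller could take a reference while detach is already tearing the device down, which is the window the message describes.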