On Saturday 22 April 2006 14:59, Anish Mistry wrote: > On Wednesday 05 April 2006 04:44, Anish Mistry wrote: > > On Wednesday 05 April 2006 03:53, Anish Mistry wrote: > > > While working on getting hplip ported I ran across a race > > > condition in the ugen code that causes a crash. The following > > > patch fixes a problem where read, write, and ioctl can be > > > called during a detach since sc_dying isn't checked before > > > bumping the reference count. This puts the sc_dying check > > > before the *_do_* functions are called. This includes the patch > > > from usb/81308 to prevent polling on the control endpoint. As > > > well as a few NULL pointer checks from NetBSD. This patch is > > > applicable to RELENG_6. > > > > And CURRENT. > > > > > http://am-productions.biz/docs/ugen-detach-race.patch > > > > > > This doesn't fix the case where an application has a read/write > > > pending and then detach is called. In this case destroy_devl > > > will just keep looping until the read/write completes. > > I've updated the patch. It now includes the fix for the panic on > detach when a process has a device open when a detach occurs. ugen > now no longer waits for the process to close the connection and > just cuts it off. > Applies to RELENG_6 and CURRENT. > > http://am-productions.biz/docs/ugen-detach-race.patch > > The patch should fix usb/93949 too. > This seems to fix all the panics I'm seeing with the ugen device. > It would be nice if this could make it into 6.1. I added another panic fix. An error was introduced in rev 1.94 on ugen.c in the USB_SET_CONFIG ioctl case that calls ugen_make_devnodes. This causes a panic since this logic was moved to ugen_set_config a while ago. Removing the ugen_make_devnodes() call from ugen_do_ioctl fixes the problem. This bug made it trivial to cause a panic when there was access to any ugen device. http://am-productions.biz/docs/ugen-detach-race.patch -- Anish Mistry
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:55 UTC