Initial patch that fixes the crashes: http://people.freebsd.org/~peter/tty.diff

Problems:

ttyfree() was freeing the cdev(). But if there were pending kevents, filt_ttyrdetach() etc. would later attempt to dereference cdev->si_tty, causing a 0xdeadc0de dereference.

Also, ttygone() merely issued a bunch of wakeup() calls. That woke things that were blocked in various states, but nothing was done about getting the attention of select(), sigio or kevent() users. I added code to wake them up.

Also, the kevent filters didn't check TS_GONE. If it's set, I made it return EV_EOF immediately.

Problems not solved:

The 'struct tty' obtained by drivers from ttyalloc() is not freed in a bunch of cases. I think ttyfree() should call ttyrel() to release the reference count that ttyalloc() implicitly returned with. If there are still other references, then that is tough luck, we'd have leaked it anyway.

--
Peter Wemm - peter_at_wemm.org; peter_at_FreeBSD.org; peter_at_yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5

Received on Tue Jul 10 2007 - 14:41:32 UTC
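The lifetime rule behind the message above, as an added userland model that is not part of the original post and not FreeBSD kernel code: a pending event note holds its own reference, so removing the device marks it gone and wakes the waiter, and the object is released only when the note detaches. All `m_*` names, the flag values and the per-note reference are assumptions made for illustration.

```c
/* Userland model only: every name here is hypothetical, not kernel code. */
#include <stdio.h>

#define M_GONE 0x1   /* stands in for TS_GONE (value constructed) */
#define M_EOF  0x2   /* stands in for EV_EOF (value constructed) */

struct m_tty  { int refs; int state; int pending; int freed; };
struct m_note { struct m_tty *tp; int flags; int woken; };

/* Drop one reference; the object is released only at zero. */
static void m_rel(struct m_tty *tp) {
    if (--tp->refs == 0)
        tp->freed = 1;            /* model of free(): just record it */
}
/* Attaching a filter takes its own reference (assumption of this model). */
static void m_attach(struct m_note *kn, struct m_tty *tp) {
    kn->tp = tp; kn->flags = 0; kn->woken = 0;
    tp->refs++;
}
/* Read filter: report EOF at once if the device has gone away. */
static int m_filt_read(struct m_note *kn) {
    if (kn->tp->state & M_GONE) {
        kn->flags |= M_EOF;
        return 1;
    }
    return kn->tp->pending > 0;
}
/* Device removal: mark gone, wake the waiter, drop the driver's reference. */
static void m_gone_and_free(struct m_tty *tp, struct m_note *kn) {
    tp->state |= M_GONE;
    kn->woken = 1;
    m_rel(tp);
}
/* Detach: last use of kn->tp, then the note's reference is dropped. */
static void m_detach(struct m_note *kn) {
    struct m_tty *tp = kn->tp;
    kn->tp = NULL;
    m_rel(tp);
}

int main(void) {
    struct m_tty tp = { 1, 0, 0, 0 };   /* one reference held by the driver */
    struct m_note kn;
    m_attach(&kn, &tp);
    m_gone_and_free(&tp, &kn);
    int fired = m_filt_read(&kn);
    printf("freed early=%d fired=%d eof=%d\n", tp.freed, fired, !!(kn.flags & M_EOF));
    m_detach(&kn);
    printf("freed after detach=%d\n", tp.freed);
    return 0;
}
```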