cvs commit: src/sys/kern tty_pty.c

Kris Kennaway kris at obsecurity.org
Fri Sep 29 11:43:42 PDT 2006


On Fri, Sep 29, 2006 at 08:26:40PM +0200, Martin Blapp wrote:
> 
> Hi all,
> 
> > Free tty struct after last close. This should fix the pty-leak by numbers.
> > Remove workarounds for tty_refcount being 0, this will be fixed
> > differently later.
> >
> > Back out rev 1.145 since we initialize the tty struct from scratch and bad
> > things can't happen anymore.
> >
> 
> Sigh. Peter Holm's stress tests did show that we still have problems. With
> the backout of rev. 1.145 we get again the same panics as the pty_pts code
> does.
> This is deep somewhere in the devfs code. It does happen with/without
> freeing struct tty.
> 
> Memory modified after free 0xc45b7d00(252) val=deadc0dd @ 0xc45b7d70
> panic: Most recently used by DEVFS1

You can identify precisely where the use-after-free occurs by
configuring DEBUG_MEMGUARD; I posted a trace of what is probably the
same bug to current@ once but don't have it to hand.

Kris
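
The following is an added example, not part of the original thread or of FreeBSD's code. It is a user-space sketch of the poison-on-free check behind the quoted panic line, showing why that check only fires at a later allocation and cannot name the code that did the write. The helper names, the 0xdeadc0de fill word (inferred from val=deadc0dd) and the decrement at offset 0x70 are assumptions for illustration; the thread does not say what the stray write was.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TRASH 0xdeadc0deU  /* assumed fill word, inferred from val=deadc0dd */
#define ITEM_SIZE 252      /* item size from the quoted panic line */

static uint32_t item[ITEM_SIZE / sizeof(uint32_t)];  /* constructed "freed" item */

/* At free time: overwrite the whole item with the trash pattern. */
static void trash_on_free(uint32_t *mem, size_t size)
{
    for (size_t i = 0; i < size / sizeof(*mem); i++)
        mem[i] = TRASH;
}

/* At the next allocation: return the byte offset of the first word that no
 * longer holds the pattern (stored in *val), or -1 if the item is intact. */
static long trash_check(const uint32_t *mem, size_t size, uint32_t *val)
{
    for (size_t i = 0; i < size / sizeof(*mem); i++) {
        if (mem[i] != TRASH) {
            *val = mem[i];
            return (long)(i * sizeof(*mem));
        }
    }
    return -1;
}

/* Constructed scenario: a stale pointer decrements a counter at offset 0x70
 * after the free. The write succeeds silently; only the later check sees it. */
static long demo(uint32_t *val)
{
    trash_on_free(item, ITEM_SIZE);
    uint32_t *stale = &item[0x70 / sizeof(uint32_t)];
    (*stale)--;                        /* the use-after-free write */
    return trash_check(item, ITEM_SIZE, val);
}

int main(void)
{
    uint32_t val = 0;
    long off = demo(&val);
    if (off >= 0)
        printf("Memory modified after free (%d) val=%x @ +0x%lx\n",
            ITEM_SIZE, val, off);
    return 0;
}
```

The check reports what changed and where in the item (0x70 is also the difference between the two addresses in the quoted panic), but by then the writer has long since returned.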