On Mon, Jun 11, 2012 at 03:27:39PM -0700, Steven Haber wrote: > > I do not understand what you are proposing. Could you, please, show > > the patch ? > > --- > src/sys/geom/geom_dev.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/sys/geom/geom_dev.c b/src/sys/geom/geom_dev.c > index 38251e1..787235a 100644 > --- a/src/sys/geom/geom_dev.c > +++ b/src/sys/geom/geom_dev.c > @@ -497,7 +497,7 @@ g_dev_orphan(struct g_consumer *cp) > > /* Destroy the struct cdev *so we get no more requests */ > unit = dev2unit(dev); > - destroy_dev(dev); > + destroy_dev_sched(dev); > free_unr(unithdr, unit); > > /* Wait for the cows to come home */
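Review bot: the switch to destroy_dev_sched(dev) in g_dev_orphan() contradicts the comment directly above it ("so we get no more requests"), because the cdev is now torn down at some later point while free_unr(unithdr, unit) on the next line still runs immediately. That leaves a window in which the device can still be reached after its unit number has been released and the rest of the orphan path has continued. Either keep the synchronous destroy_dev(dev) here, or defer free_unr() and the cleanup that follows until the cdev is actually gone, and update the comment to describe the new ordering.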
Did you note the comment above the block you are changing? The patch would cause races allowing arbitrary kernel memory corruption. The moment when the cdev is destroyed is somewhere in the future, while the structures that the cdev references are freed synchronously. I tried to put some safety measures into destroy_dev_sched(9), namely the CDP_SCHED_DTR flag, which somewhat reduces the possibility of usermode accessing the cdev after destroy_dev_sched(), but this cannot be eliminated entirely.