author | bde <bde@FreeBSD.org> | 2002-04-25 13:17:33 +0000 |
---|---|---|
committer | bde <bde@FreeBSD.org> | 2002-04-25 13:17:33 +0000 |
commit | c7cc23aacfe96fb2f1f02fc3b3ffea759471c3a7 (patch) | |
tree | a8ee076e124fba0fc7f2f7873be3623b50aa6f6e /sys/kern/kern_conf.c | |
parent | 0153568c1096747e800124f5206748b198704ff3 (diff) | |
Break the following implementation of panic(3):

    #!/bin/sh
    # Original version of this by Michael Reifenberger
    # <root@nihil.plaut.de>.
    mdconfig -d -u 11 >/dev/null 2>&1
    dd if=/dev/zero of=zz bs=1m count=1
    while :
    do
        mdconfig -a -t vnode -f zz -u 11
        fdisk -f - -iv /dev/md11 <<EOF1
    g c1 h64 s32
    p 1 165 0 2048
    a 1
    EOF1
        mdconfig -d -u 11
    done

Garbage pointers in __si_u were not cleared by destroy_dev(). Not
clearing si_disk made the above fatal because the disk layer uses
si_disk as a flag to indicate that the dev_t has been completely
initialized. disk_destroy() clears si_disk for the parent dev_t
but doesn't get called for children.

Not fixed:
- setting the undocumented sysctl debug.free_devt should cause more
  complete destruction of the dev_t including clearing of __si_u, but
  actually causes the above to panic a little earlier.
- the loop leaks 10 memory allocations per iteration (4 DEVFS, 2 devbuf
  and 4 dev_t).

Reviewed by: timeout by MAINTAINER after 3 months

Diffstat (limited to 'sys/kern/kern_conf.c')
-rw-r--r-- | sys/kern/kern_conf.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/kern/kern_conf.c b/sys/kern/kern_conf.c index d0c988b..d1ce2fc 100644 --- a/sys/kern/kern_conf.c +++ b/sys/kern/kern_conf.c @@ -398,6 +398,7 @@ destroy_dev(dev_t dev) dev->si_drv1 = 0; dev->si_drv2 = 0; dev->si_devsw = 0; + bzero(&dev->__si_u, sizeof(dev->__si_u)); dev->si_flags &= ~SI_NAMED; dev->si_flags &= ~SI_ALIAS; freedev(dev); |
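Review bot: the added `bzero(&dev->__si_u, sizeof(dev->__si_u));` in destroy_dev() carries no comment, and nothing in the hunk says why the whole union is wiped when the neighbouring fields (si_drv1, si_drv2, si_devsw) are cleared one by one. A one-line comment stating that stale union members such as si_disk are read by the disk layer as a "completely initialized" flag would keep a later cleanup from dropping the line as redundant. It is also worth confirming that nothing still reads a __si_u member between this point and `freedev(dev);`, since such a reader now sees zeroes rather than the old pointers.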