> FWIW, what I'm seeing there is chan_interrupt() with tty that has definitely > been kfree'd. What happens is that we have several opened files for > given tty and they all get closed in parallel. Now, ->release() of > tty calls ->close() of driver (line_close() in this case) and then > gets around to decrementing tty->count. As the result, *all* callers > of line_close() see line->tty->count > 1 and leave line->tty not reset to > NULL. Oops... > > Moral: do not use the counters on upper layer objects unless you know > what you are doing *and* know what will happen to that upper layer in > years to come...
Fixed and pushed (um-header.git #master); however, looking around that area shows more races ;-/ Incidentally, why the hell is ->chan_list a cyclic list? Holding at most two elements... Why not an array of two possibly NULL pointers? And what is chan->primary? Unless I'm seriously misreading that code, it's always 1; moreover, all instances of the method that gets ->primary value as argument ignore that argument completely... ------------------------------------------------------------------------------ uberSVN's rich system and user administration capabilities and model configuration take the hassle out of deploying and managing Subversion and the tools developers use with it. Learn more about uberSVN and get a free download at: http://p.sf.net/sfu/wandisco-dev2dev _______________________________________________ User-mode-linux-devel mailing list User-mode-linux-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel
