From frodef@dslab7.cs.uit.no Wed Mar 10 13:34:41 1999
Return-Path: <frodef@dslab7.cs.uit.no>
Received: from dslab7.cs.uit.no (dslab7.cs.UiT.No [129.242.16.27])
	by hub.freebsd.org (Postfix) with ESMTP id 196A81520F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 10 Mar 1999 13:34:30 -0800 (PST)
	(envelope-from frodef@dslab7.cs.uit.no)
Received: (from frodef@localhost)
	by dslab7.cs.uit.no (8.9.2/8.9.1) id WAA08519;
	Wed, 10 Mar 1999 22:32:41 +0100 (CET)
	(envelope-from frodef)
Message-Id: <199903102132.WAA08519@dslab7.cs.uit.no>
Date: Wed, 10 Mar 1999 22:32:41 +0100 (CET)
From: Frode Vatvedt Fjeld <frodef@dslab7.cs.uit.no>
Reply-To: frodef@dslab7.cs.uit.no
To: FreeBSD-gnats-submit@freebsd.org
Subject: meteor driver panics
X-Send-Pr-Version: 3.2

>Number:         10533
>Category:       i386
>Synopsis:       A bug in the meteor driver causes kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 10 13:40:00 PST 1999
>Closed-Date:    Tue Jun 29 10:20:37 PDT 1999
>Last-Modified:  Tue Jun 29 10:21:14 PDT 1999
>Originator:     Frode Vatvedt Fjeld
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
>Environment:

	FreeBSD-stable i386 with meteor video-grabber device.

>Description:

	The meteor driver (sys/pci/meteor.c) provides an ioctl
	SSIGNAL for specifying a signal to send to the process
	when a video frame is delivered. When this ioctl is used,
	the kernel will (more often than not) panic (pagefault)
	just when the process exits. 

>How-To-Repeat:

	main() {
		open device
		ioctl (SSIGNAL)
		ioctl (CAPTUR)
		exit
	}

>Fix:
	
	Adding a line "mtr -> proc = NULL;" somewhere in
	meteor_close() seems to remove the symptom. However,
	I guess the real problem is somewhere else.

	Also, the SSIGNAL ioctl interface is broken, as there
	is no way to return the device-driver to the original
	state (i.e. mtr -> proc == NULL) once this ioctl is
	used by a process. The code in meteor_ioctl() should
	go something like this:

	case SSIGNAL:
		mtr -> signal = arg;
		if (mtr -> signal) {
			mtr -> proc = p;
		} else {
			mtr -> proc = NULL;
		}
		break;


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: roger 
State-Changed-When: Tue Jun 29 10:20:37 PDT 1999 
State-Changed-Why:  
Patch committed to 4.x-current 
>Unformatted:
