[net.bugs.4bsd] pseudo-tty crashes

thomson (12/20/82)

Running 4.1bsd's pty.c (4.7 81/03/11) we have had panics from system
calls in kernel mode.  They occur when the controlling device is closed
while a write is in progress on the slave.  The problem is that the
close can occur while the slave is blocked waiting for the outq to drain;
ptcclose() flushes the queues and sets tp->t_oproc to 0 to mark the
device closed.  The slave then wakes and tries to use the now corrupt
tp->t_oproc, thereby entering the user program in kernel mode.
   We 'fixed' this by de-conceiving ptys, since they weren't in use.
However, I hear that 4.1a does use them and may not have fixed this bug;
my humble suggestion is:
 1) don't clear tp->t_oproc ever
 2) change instances of    if(tp->t_oproc)   to   if(tp->t_state&CARR_ON)
 3) make ptsstart(tp) do
	if((tp->t_state&CARR_ON) == 0)
		flushtty(tp, FWRITE);
    to throw away remnants of the last slave write() call.

					Brian Thomson
				 CSRG University of Toronto
				       utcsrgv!thomson
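A user-space model of the race described in the post, added here as an example; it is not 4.1bsd code. Only the names from the post (t_oproc, t_state, CARR_ON, FWRITE, ptcclose, ptsstart, flushtty) are taken from it; the bit values, the ptcoutput routine and the replay harness are assumptions made for this model.

```c
#include <stddef.h>

/* Assumed values for this model; the real kernel's bits differ. */
#define CARR_ON 0x01        /* controller ("carrier") still open */
#define FWRITE  0x02        /* flush the write side */

enum outcome { OUT_WRITTEN = 0, OUT_DROPPED = 1, OUT_WOULD_CRASH = -1 };

struct tty {
    int   t_state;
    void (*t_oproc)(struct tty *);
    int   outq;             /* bytes still queued for output */
    int   delivered;        /* bytes the output routine handed to the master */
};

static void flushtty(struct tty *tp, int rw) { if (rw & FWRITE) tp->outq = 0; }
static void ptcoutput(struct tty *tp) { tp->delivered += tp->outq; tp->outq = 0; }

/* Original behaviour as the post describes it: close clears the routine pointer. */
static void ptcclose_orig(struct tty *tp) { flushtty(tp, FWRITE); tp->t_oproc = NULL; }
/* Suggestion 1: never clear t_oproc; record the close in the state bit instead. */
static void ptcclose_fixed(struct tty *tp) { flushtty(tp, FWRITE); tp->t_state &= ~CARR_ON; }

/* Slave side waking after its sleep on the output queue. The original path
 * trusts t_oproc; here a NULL pointer is reported instead of jumped through. */
static enum outcome ptsstart_orig(struct tty *tp) {
    if (tp->t_oproc == NULL) return OUT_WOULD_CRASH;  /* address 0 is user text */
    (*tp->t_oproc)(tp);
    return OUT_WRITTEN;
}
/* Suggestions 2 and 3: test CARR_ON, and throw away the remnant of the write. */
static enum outcome ptsstart_fixed(struct tty *tp) {
    if ((tp->t_state & CARR_ON) == 0) { flushtty(tp, FWRITE); return OUT_DROPPED; }
    (*tp->t_oproc)(tp);
    return OUT_WRITTEN;
}

/* Replay the interleaving from the post: the slave write blocks on a full
 * outq, the controller may close meanwhile, then the slave wakes, queues the
 * rest of its data and calls its start routine. */
static enum outcome replay_race(int fixed, int close_during_write) {
    struct tty t = { CARR_ON, ptcoutput, 0, 0 };
    t.outq = 64;                                   /* first part of the write, then sleep */
    if (close_during_write) { if (fixed) ptcclose_fixed(&t); else ptcclose_orig(&t); }
    t.outq += 32;                                  /* slave wakes and queues the remainder */
    return fixed ? ptsstart_fixed(&t) : ptsstart_orig(&t);
}
```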