Subject: kern/30566: Bugs in various poll routines
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <ws@tools.de>
List: netbsd-bugs
Date: 06/20/2005 15:46:01 
>Number:         30566
>Category:       kern
>Synopsis:       Bugs in various poll routines
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 20 15:46:01 +0000 2005
>Originator:     Wolfgang Solfrank
>Release:        NetBSD 3.99.6
>Organization:
TooLs GmbH
>Environment:
System: NetBSD fred.tools.de 3.99.6 NetBSD 3.99.6 (fred) #9: Fri Jun 17 13:34:58 MEST 2005 ws@fred.tools.de:/src/obj/sys/arch/i386/compile/fred i386
Architecture: i386
Machine: i386

>Description:
	The poll entry points in struct fileops, struct vnode, struct
	cdevsw and struct linesw are not allowed to return error codes,
	but should only return the events that are available on a
	particular file.  There are quite some places where this
	protocol isn't honoured.

	Most of these try to indicate an error by returning some E*
	value from <sys/errno.h>.  In some cases, the success of
	a test is indicated by a 1 instead of the event being tested.

>How-To-Repeat:
	Code inspection.

	A coarse reading through the source reveals that at least the
	following routines are affected (filename, routine):

		arch/amiga/dev/mfc.c, mfcspoll
		arch/amiga/dev/msc.c, mscpoll
		arch/arm/ep93xx/epcom.c, epcompoll
		arch/arm/iomd/console/console.c, physconpoll
		arch/arm/ixp12x0/ixp12x0_com.c, ixpcompoll
		arch/arm/s3c2xx0/sscom.c, sscompoll
		arch/arm/sa11x0/sa11x0_com.c, sacompoll
		arch/evbarm/dev/plcom.c, plcompoll
		arch/mac68k/dev/ite_compat.c, itepoll
		arch/mips/alchemy/dev/aucom.c, compoll
		arch/pmax/dev/fb_usrreq.c, fbpoll
		arch/sh5/dev/dtfcons.c, dtfconspoll
		coda/coda_psdev.c, vc_nb_poll
		dev/audio.c, audiopoll
		dev/bluetooth/bthci.c, bthcipoll
		dev/cons.c, cnpoll
		dev/gpib/gpib.c, gpibpoll
		dev/ic/com.c, compoll
		dev/ir/cir.c, cirpoll
		dev/ir/irframe.c, irframepoll
		dev/midi.c, midipoll
		dev/usb/ucom.c, ucompoll
		dev/usb/ugen.c, ugenpoll
		dev/usb/uhid.c, uhidpoll
		dev/usb/usb.c, usbpoll
		dev/usb/uscanner.c, uscannerpoll
		dev/wscons/wsdisplay.c, wsdisplaypoll
		dev/wscons/wskbd.c, wskbdpoll
		dev/wscons/wsmouse.c, wsmousepoll
		dev/wscons/wsmux.c, wsmuxpoll
		kern/tty_conf.c, ttyerrpoll
		kern/tty_pty.c, ptspoll
		miscfs/portal/portal_vnops.c, portal_poll
		miscfs/specfs/spec_vnops.c, spec_poll
		net/if_tap.c, tap_dev_poll
		netisdn/i4b_i4bdrv.c, isdnpoll

>Fix:
	The various error cases need to return POLLERR or POLLHUP.
	The return of a 1 needs to be replaced with the appropriate
	bit from the events argument.