Page MenuHomeFreeBSD
Differential D30016

pipe: Avoid calling selrecord() on a closing pipe
ClosedPublic
Actions

Authored by markj on Apr 27 2021, 9:33 PM.
Tags
None
Referenced Files
F147347144: D30016.id88278.diff
Tue, Mar 10, 5:03 AM
F147323751: D30016.id88278.diff
Mon, Mar 9, 11:45 PM
F147267945: D30016.id88328.diff
Mon, Mar 9, 1:59 PM
Unknown Object (File)
Mon, Mar 9, 2:06 AM
Unknown Object (File)
Thu, Mar 5, 8:54 AM
Unknown Object (File)
Thu, Feb 26, 9:50 PM
Unknown Object (File)
Thu, Feb 26, 6:25 PM
Unknown Object (File)
Jan 17 2026, 8:31 PM
View All Files
Subscribers
imp

Details

Reviewers
kib
mjg
Commits
rG53a9046635f1: pipe: Avoid calling selrecord() on a closing pipe
rG9d45365e3321: pipe: Avoid calling selrecord() on a closing pipe
rGd1e9441583fd: pipe: Avoid calling selrecord() on a closing pipe
Summary

pipe_poll() may add the calling thread to the selinfo lists of both ends
of a pipe. It is ok to do this for the local end, since we know we hold
a reference on the file and so the local end is not closed. It is not
ok to do this for the remote end, which may already be closed and have
called seldrain(). In this scenario, when the polling thread wakes up,
it may end up referencing a freed selinfo.

Guard the selrecord() call appropriately.

Reported by: syzkaller+KASAN

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 38896
Build 35785: arc lint + arc unit

Revision Contents
Changeset List

PathSize
sys/
kern/
3 lines

Diff 88278

View Options

sys/kern/sys_pipe.c

Loading...