Diffusion FreeBSD src repository - subversion rS285310

Cover a race between doselwakeup() and selfdfree(). If doselwakeup()
rS285310
Actions

Description

Cover a race between doselwakeup() and selfdfree(). If doselwakeup()
loop finds the selfd entry and clears its sf_si pointer, which is
handled by selfdfree() in parallel, NULL sf_si makes selfdfree() free
the memory. The result is the race and accesses to the freed memory.

Refcount the selfd ownership. One reference is for the sf_link
linkage, which is unconditionally dereferenced by selfdfree().
Another reference is for sf_threads, both selfdfree() and
doselwakeup() race to deref it, the winner unlinks and than frees the
selfd entry.

Reported by: Larry Rosenman <ler@lerctr.org>
Tested by: Larry Rosenman <ler@lerctr.org>, pho
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks

Details

Provenance

kib	Authored on

Parents

rS285309: Add forward declaration of struct thread.

Branches

Unknown

Tags

Unknown

Event Timeline

kib committed rS285310: Cover a race between doselwakeup() and selfdfree(). If doselwakeup().Jul 9 2015, 9:22 AM

Changes (1)

Path

Size

head/

sys/

kern/

sys_generic.c

rS285310

View Options

head/sys/kern/sys_generic.c