mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-12-02 12:53:33 +00:00
435cdf88ea
code. The bug: There exists a race condition for timeout/untimeout(9) due to the way that the softclock thread dequeues timeouts. The softclock thread sets the c_func and c_arg of the callout to NULL while holding the callout lock but not Giant. It then drops the callout lock and acquires Giant. It is at this point where untimeout(9) on another cpu/thread could be called. Since c_arg and c_func are cleared, untimeout(9) does not touch the callout and returns as if the callout is canceled. The softclock then tries to acquire Giant and likely blocks due to the other cpu/thread holding it. The other cpu/thread then likely deallocates the backing store that c_arg points to and finishes working and hence drops Giant. Softclock resumes and acquires giant and calls the function with the now free'd c_arg and we have corruption/crash. The fix: We need to track curr_callout even for timeout(9) (LOCAL_ALLOC) callouts. We need to free the callout after the softclock processes it to deal with the race here. Obtained from: Juniper Networks, iedowse Reviewed by: jhb, iedowse MFC After: 2 weeks. |
||
|---|---|---|
| .. | ||
| amd64 | ||
| arm | ||
| boot | ||
| bsm | ||
| cam | ||
| cddl | ||
| compat | ||
| conf | ||
| contrib | ||
| crypto | ||
| ddb | ||
| dev | ||
| fs | ||
| gdb | ||
| geom | ||
| gnu | ||
| i4b | ||
| i386 | ||
| ia64 | ||
| isa | ||
| kern | ||
| libkern | ||
| modules | ||
| net | ||
| net80211 | ||
| netatalk | ||
| netatm | ||
| netgraph | ||
| netinet | ||
| netinet6 | ||
| netipsec | ||
| netipx | ||
| netnatm | ||
| netncp | ||
| netsmb | ||
| nfs | ||
| nfs4client | ||
| nfsclient | ||
| nfsserver | ||
| opencrypto | ||
| pc98 | ||
| pccard | ||
| pci | ||
| powerpc | ||
| rpc | ||
| security | ||
| sparc64 | ||
| sun4v | ||
| sys | ||
| tools | ||
| ufs | ||
| vm | ||
| Makefile | ||