git: d1e9441583fd - main - pipe: Avoid calling selrecord() on a closing pipe
Mark Johnston
markj at FreeBSD.org
Wed Apr 28 14:43:33 UTC 2021
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=d1e9441583fd85c7de5f48197d80c287f1a9494b
commit d1e9441583fd85c7de5f48197d80c287f1a9494b
Author: Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-04-28 14:42:59 +0000
Commit: Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-04-28 14:43:29 +0000
pipe: Avoid calling selrecord() on a closing pipe
pipe_poll() may add the calling thread to the selinfo lists of both ends
of a pipe. It is ok to do this for the local end, since we know we hold
a reference on the file and so the local end is not closed. It is not
ok to do this for the remote end, which may already be closed and have
called seldrain(). In this scenario, when the polling thread wakes up,
it may end up referencing a freed selinfo.
Guard the selrecord() call appropriately.
Reviewed by: kib
Reported by: syzkaller+KASAN
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30016
---
sys/kern/sys_pipe.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index fee9d95e179c..d226543c0118 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -1494,7 +1494,8 @@ pipe_poll(struct file *fp, int events, struct ucred *active_cred,
rpipe->pipe_state |= PIPE_SEL;
}
- if ((fp->f_flag & FWRITE) != 0) {
+ if ((fp->f_flag & FWRITE) != 0 &&
+ wpipe->pipe_present == PIPE_ACTIVE) {
selrecord(td, &wpipe->pipe_sel);
if (SEL_WAITING(&wpipe->pipe_sel))
wpipe->pipe_state |= PIPE_SEL;
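Review bot: the new `wpipe->pipe_present == PIPE_ACTIVE` guard is only sound if it is evaluated under the same lock the closing side holds while it changes `pipe_present` and calls seldrain(); the hunk does not show that lock, so a one-line comment above the condition stating that invariant would help. The same comment should say why the selrecord() on `rpipe` two lines earlier needs no such guard (per the commit message, the caller's file reference keeps the local end open), since the asymmetry between the two ends is not obvious from the code itself.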