Source-Changes-HG archive


[src/trunk]: src/sys/kern psref(9): Make use-after-free panic message more ob...



details:   https://anonhg.NetBSD.org/src/rev/ddaa6eeeac6b
branches:  trunk
changeset: 379478:ddaa6eeeac6b
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Wed Jun 02 09:23:32 2021 +0000

description:
psref(9): Make use-after-free panic message more obvious.

Previously it would almost always manifest as

        mismatched psref target class: 0x0 (ref) != 0x... (expected)

and now it will manifest as

        psref target already destroyed: 0x...

diffstat:

 sys/kern/subr_psref.c |  12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diffs (48 lines):

diff -r 5378ea1be275 -r ddaa6eeeac6b sys/kern/subr_psref.c
--- a/sys/kern/subr_psref.c     Wed Jun 02 08:46:16 2021 +0000
+++ b/sys/kern/subr_psref.c     Wed Jun 02 09:23:32 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: subr_psref.c,v 1.13 2019/05/17 03:34:26 ozaki-r Exp $  */
+/*     $NetBSD: subr_psref.c,v 1.14 2021/06/02 09:23:32 riastradh Exp $        */
 
 /*-
  * Copyright (c) 2016 The NetBSD Foundation, Inc.
@@ -64,7 +64,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_psref.c,v 1.13 2019/05/17 03:34:26 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_psref.c,v 1.14 2021/06/02 09:23:32 riastradh Exp $");
 
 #include <sys/types.h>
 #include <sys/condvar.h>
@@ -293,11 +293,11 @@ psref_acquire(struct psref *psref, const
            "passive references are CPU-local,"
            " but preemption is enabled and the caller is not"
            " in a softint or CPU-bound LWP");
+       KASSERTMSG(!target->prt_draining, "psref target already destroyed: %p",
+           target);
        KASSERTMSG((target->prt_class == class),
            "mismatched psref target class: %p (ref) != %p (expected)",
            target->prt_class, class);
-       KASSERTMSG(!target->prt_draining, "psref target already destroyed: %p",
-           target);
 
        /* Block interrupts and acquire the current CPU's reference list.  */
        s = splraiseipl(class->prc_iplcookie);
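Review bot: The order of the two assertions in this part of psref_acquire now decides which panic message a stale target produces, but nothing in the code says so. A short comment above the prt_draining check, stating that it has to come before the prt_class comparison so a destroyed target is reported as destroyed rather than as a class mismatch, would keep a later cleanup from swapping them back. The check also reads prt_draining out of the target itself, so it only fires while that memory still holds the value psref_target_destroy set; if the storage has been reused, the class mismatch message may still be the one that appears.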
@@ -516,13 +516,13 @@ psref_target_destroy(struct psref_target
 
        ASSERT_SLEEPABLE();
 
+       KASSERTMSG(!target->prt_draining, "psref target already destroyed: %p",
+           target);
        KASSERTMSG((target->prt_class == class),
            "mismatched psref target class: %p (ref) != %p (expected)",
            target->prt_class, class);
 
        /* Request psref_release to notify us when done.  */
-       KASSERTMSG(!target->prt_draining, "psref target already destroyed: %p",
-           target);
        target->prt_draining = true;
 
        /* Wait until there are no more references on any CPU.  */
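Review bot: The prt_draining assertion moved to the top of psref_target_destroy carries exactly the same text, "psref target already destroyed: %p", as the one in psref_acquire, so the message by itself does not distinguish a double destroy from an acquire after destroy. Consider naming the operation in one or both strings so the panic text identifies the failing path without needing the file and line. The move itself reads well: the "Request psref_release to notify us when done" comment now sits directly above the prt_draining = true assignment it describes.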


