[src/trunk]: src/sys/kern when updating the per-uid "semcnt", decrement the c...
details: https://anonhg.NetBSD.org/src/rev/1c946ece04e7
branches: trunk
changeset: 947524:1c946ece04e7
user: chs <chs%NetBSD.org@localhost>
date: Mon Dec 14 23:12:12 2020 +0000
description:
when updating the per-uid "semcnt", decrement the counter for the uid
that created the ksem, not the uid of the process freeing the ksem.
fixes PR 55509.
Reported-by: syzbot+9d04b3ef2ca180ef9b06%syzkaller.appspotmail.com@localhost
diffstat:
sys/kern/uipc_sem.c | 15 +++++++--------
1 files changed, 7 insertions(+), 8 deletions(-)
diffs (58 lines):
diff -r cf679cf44e85 -r 1c946ece04e7 sys/kern/uipc_sem.c
--- a/sys/kern/uipc_sem.c Mon Dec 14 22:17:11 2020 +0000
+++ b/sys/kern/uipc_sem.c Mon Dec 14 23:12:12 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_sem.c,v 1.59 2020/05/04 13:58:48 riastradh Exp $ */
+/* $NetBSD: uipc_sem.c,v 1.60 2020/12/14 23:12:12 chs Exp $ */
/*-
* Copyright (c) 2011, 2019 The NetBSD Foundation, Inc.
@@ -60,7 +60,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_sem.c,v 1.59 2020/05/04 13:58:48 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_sem.c,v 1.60 2020/12/14 23:12:12 chs Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -469,8 +469,6 @@
len = 0;
}
- chgsemcnt(kauth_cred_getuid(l->l_cred), 1);
-
ks = kmem_zalloc(sizeof(ksem_t), KM_SLEEP);
mutex_init(&ks->ks_lock, MUTEX_DEFAULT, IPL_NONE);
cv_init(&ks->ks_cv, "psem");
@@ -483,8 +481,9 @@
uc = l->l_cred;
ks->ks_uid = kauth_cred_geteuid(uc);
ks->ks_gid = kauth_cred_getegid(uc);
+ chgsemcnt(ks->ks_uid, 1);
+ atomic_inc_uint(&nsems_total);
- atomic_inc_uint(&nsems_total);
*ksret = ks;
return 0;
}
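Review bot: The charge at `chgsemcnt(ks->ks_uid, 1)` now lands on the effective uid, because `ks_uid` is set from `kauth_cred_geteuid(uc)` two lines above, while the removed call used `kauth_cred_getuid(l->l_cred)`, the real uid. The commit message only describes the decrement side, so confirm that any per-uid limit check elsewhere in this function (not visible in the hunk) uses the same uid; otherwise the limit and the counter could diverge for set-id processes. The pairing with `chgsemcnt(ks->ks_uid, -1)` in the `@@ -495` hunk also holds only if `ks_uid` never changes after creation, which cannot be verified from here. A comment such as `/* semcnt is charged to ks_uid; ks_uid must stay fixed until the ksem is freed */` would record that invariant. The enclosing function starts outside the hunk.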
@@ -495,6 +494,9 @@
KASSERT(!cv_has_waiters(&ks->ks_cv));
+ chgsemcnt(ks->ks_uid, -1);
+ atomic_dec_uint(&nsems_total);
+
if (ks->ks_pshared_id) {
KASSERT(ks->ks_pshared_proc == NULL);
ksem_remove_pshared(ks);
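Review bot: Nothing at the new `chgsemcnt(ks->ks_uid, -1)` explains why the accounting moved ahead of the teardown. The call reads `ks->ks_uid`, so it must run before `kmem_free(ks, sizeof(ksem_t))`, which the following hunk shows at the end of the function; a later cleanup that moves it back below the free would turn it into a read of freed memory. A one-line comment would pin the ordering: `/* Uncharge the creating uid while ks is still valid. */`. The function's start and the rest of its body are outside this hunk.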
@@ -506,9 +508,6 @@
mutex_destroy(&ks->ks_lock);
cv_destroy(&ks->ks_cv);
kmem_free(ks, sizeof(ksem_t));
-
- atomic_dec_uint(&nsems_total);
- chgsemcnt(kauth_cred_getuid(curproc->p_cred), -1);
}
#define KSEM_ID_IS_PSHARED(id) \