Source-Changes-HG archive


[src/trunk]: src/sys/kern Acquire shmseg uobj reference while we hold shm_lock.



details:   https://anonhg.NetBSD.org/src/rev/13a8796e2fc1
branches:  trunk
changeset: 964530:13a8796e2fc1
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Tue Aug 06 15:48:06 2019 +0000

description:
Acquire shmseg uobj reference while we hold shm_lock.

Otherwise nothing prevents it from being detached under our feet when
we drop shm_lock.

Reported-by: syzbot+a76c618a6808a0fda475%syzkaller.appspotmail.com@localhost

diffstat:

 sys/kern/sysv_shm.c |  17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

diffs (42 lines):

diff -r cff9189f4cee -r 13a8796e2fc1 sys/kern/sysv_shm.c
--- a/sys/kern/sysv_shm.c       Tue Aug 06 15:47:55 2019 +0000
+++ b/sys/kern/sysv_shm.c       Tue Aug 06 15:48:06 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: sysv_shm.c,v 1.135 2019/06/10 00:35:47 chs Exp $       */
+/*     $NetBSD: sysv_shm.c,v 1.136 2019/08/06 15:48:06 riastradh Exp $ */
 
 /*-
  * Copyright (c) 1999, 2007 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.135 2019/06/10 00:35:47 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.136 2019/08/06 15:48:06 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_sysv.h"
@@ -425,14 +425,19 @@
        shmseg->shm_lpid = p->p_pid;
        shmseg->shm_nattch++;
        shm_realloc_disable++;
+
+       /*
+        * Add a reference to the uvm object while we hold the
+        * shm_lock.
+        */
+       uobj = shmseg->_shm_internal;
+       uao_reference(uobj);
        mutex_exit(&shm_lock);
 
        /*
-        * Add a reference to the memory object, map it to the
-        * address space, and lock the memory, if needed.
+        * Drop the shm_lock to map it into the address space, and lock
+        * the memory, if needed (XXX where does this lock memory?).
         */
-       uobj = shmseg->_shm_internal;
-       uao_reference(uobj);
        error = uvm_map(&vm->vm_map, &attach_va, size, uobj, 0, 0,
            UVM_MAPFLAG(prot, prot, UVM_INH_SHARE, UVM_ADV_RANDOM, flags));
        if (error)
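Review bot: the rewritten comment above the uvm_map() call leaves an open question in the code, "(XXX where does this lock memory?)", and it says "Drop the shm_lock" although it sits after the mutex_exit(&shm_lock) that already dropped it. Either answer the XXX here (name the call that wires the memory, or remove the "lock the memory" wording if nothing in this path does it) or move the sentence about dropping the lock above mutex_exit() so that the comment matches the order of operations. The new ordering itself, taking uao_reference(uobj) before mutex_exit(), matches the commit message. The body of the `if (error)` branch is not visible in this hunk, so it is worth confirming that it still releases that reference and undoes the shm_nattch++ and shm_realloc_disable++ done under the lock.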


