kernel - Fix rare token overwrite race
td_toks_stop was being decremented prior to releasing the token reference
and cleaning up the optional mp lock. This left a very small
one-instruction opening where the following sequence of events could
occur:
* While releasing the ref in 'if (tok->t_ref == ref) tok->t_ref = NULL;'
a fast interrupt could come along, acquire a token reusing our ref,
then release it.
* A thread on another cpu then successfully acquires the now released
token.
* The fast interrupt returns our interrupted thread resumes with the
execution of 'tok->t_ref = NULL;'.
* The other thread asserts on the missing token ref or otherwise performs
actions which assume the token is still held when it is not due to
the first thread blowing it up.
Reported-by: Francois Tigeot <ftigeot@wolfpond.org>
projects / dragonfly.git / commit