projects / dragonfly.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bc3396b)
kernel - Fix lwp_create() kernel corruption and panic in error path
authorMatthew Dillon <dillon@apollo.backplane.com>
Wed, 9 Nov 2011 00:10:38 +0000 (16:10 -0800)
committerMatthew Dillon <dillon@apollo.backplane.com>
Wed, 9 Nov 2011 00:10:38 +0000 (16:10 -0800)
* We were forgetting to remove the lwp's thread from gd_tdallq, resulting
  in corruption of the queue.

Reported-by: swildner
sys/kern/kern_fork.c patch | blob | blame | history

diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index 89a2bd1..9abddd0 100644 (file)
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -198,6 +198,8 @@ sys_lwp_create(struct lwp_create_args *uap)
        plimit_lwp_fork(p);     /* force exclusive access */
        lp = lwp_fork(curthread->td_lwp, p, RFPROC);
        error = cpu_prepare_lwp(lp, &params);
+       if (error)
+               goto fail;
        if (params.tid1 != NULL &&
            (error = copyout(&lp->lwp_tid, params.tid1, sizeof(lp->lwp_tid))))
                goto fail;
@@ -223,6 +225,7 @@ fail:
        /* lwp_dispose expects an exited lwp, and a held proc */
        lp->lwp_flag |= LWP_WEXIT;
        lp->lwp_thread->td_flags |= TDF_EXITING;
+       lwkt_remove_tdallq(lp->lwp_thread);
        PHOLD(p);
        lwp_dispose(lp);
        lwkt_reltoken(&p->p_token);
DragonFly Project Source