ftigeot's projects / dragonfly.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2deaa56) | patch
kernel - Fix rare ucred race
authorMatthew Dillon <dillon@apollo.backplane.com>
Wed, 18 Jun 2014 18:47:45 +0000 (11:47 -0700)
committerMatthew Dillon <dillon@apollo.backplane.com>
Wed, 18 Jun 2014 18:47:45 +0000 (11:47 -0700)
commit24207b1ee46484aeffdfac2916da94579c862327
tree61e8cdd4ddc231124618f6663f31f7a76bca13detree | snapshot
parent2deaa56139e608480a8d0f8d4d8ba811d386e342commit | diff
kernel - Fix rare ucred race

* In a threaded program if one thread is modifying the ucred, e.g.
  changing the uid or gid or something like that, and another thread
  enters a system call at the same time, the second thread can wind
  up trying to hold a stale ucred kfree()'d by the first thread.

* Very rare race on top of a ~2-instruction window.

* Fix the problem by obtaining proc->p_spin when updating the per-thread
  ucred cache (td->td_ucred) from p->p_ucred, as well as when replacing
  p_ucred.

  These fixes do NOT impose any critical-path overhead.  For the case where
  a thread already has the current p_ucred cached on entry to a system call,
  absolutely nothing needs to be done.

Reported-by: joris (Joris Giovannangeli)
sys/kern/kern_exec.c diff | blob | blame | history
sys/kern/kern_jail.c diff | blob | blame | history
sys/kern/kern_prot.c diff | blob | blame | history
sys/platform/pc32/i386/trap.c diff | blob | blame | history
sys/platform/pc64/x86_64/trap.c diff | blob | blame | history
sys/sys/ucred.h diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.