authorharti <harti@FreeBSD.org>2003-02-27 08:43:27 +0000
committerharti <harti@FreeBSD.org>2003-02-27 08:43:27 +0000
commite30134bc39c76d57fc425b3168651ea303ae5a01 (patch)
tree12d9e0ee3309cfd691fd11a6d38283a0e1673603
parent87b92d30e16eef81ad163b42c9374255fd9b9760 (diff)
When a process has been waiting on a condition variable or mutex the
td_wmesg field in the thread structure points to the description string of the condition variable or mutex. If the condvar or the mutex had been initialized from a loadable module that was unloaded in the meantime, td_wmesg may now point to invalid memory. Retrieving the process table now may panic the kernel (or access junk). Setting the td_wmesg field to NULL after unblocking on the condvar/mutex prevents this panic. PR: kern/47408 Approved by: jake (mentor)
-rw-r--r--sys/kern/kern_condvar.c1
-rw-r--r--sys/kern/kern_synch.c2
2 files changed, 3 insertions, 0 deletions
diff --git a/sys/kern/kern_condvar.c b/sys/kern/kern_condvar.c
index e943e3d..87c2840 100644
--- a/sys/kern/kern_condvar.c
+++ b/sys/kern/kern_condvar.c
@@ -535,6 +535,7 @@ cv_waitq_remove(struct thread *td)
if ((cvp = td->td_wchan) != NULL && td->td_flags & TDF_CVWAITQ) {
TAILQ_REMOVE(&cvp->cv_waitq, td, td_slpq);
td->td_flags &= ~TDF_CVWAITQ;
+ td->td_wmesg = NULL;
TD_CLR_ON_SLEEPQ(td);
}
}
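Review bot: The new `td->td_wmesg = NULL;` in cv_waitq_remove carries no comment, and its purpose is not obvious from the code alone: the string belongs to whoever initialised the condvar and may live in a module that has since been unloaded. A one-line comment such as `/* wmesg may point into an unloaded module; never leave it dangling */` above the assignment would keep a later cleanup from dropping it, and the same applies to the two assignments added in endtsleep and unsleep in kern_synch.c. All three sites are removal or timeout paths; whether the ordinary wakeup paths also reset the field is not visible in this diff and is worth confirming, since otherwise a normally woken thread would still carry the stale pointer. The start of cv_waitq_remove lies outside the hunk.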
diff --git a/sys/kern/kern_synch.c b/sys/kern/kern_synch.c
index 2a89dde..c626f7a 100644
--- a/sys/kern/kern_synch.c
+++ b/sys/kern/kern_synch.c
@@ -330,6 +330,7 @@ endtsleep(arg)
TAILQ_REMOVE(&slpque[LOOKUP(td->td_wchan)], td, td_slpq);
TD_CLR_ON_SLEEPQ(td);
td->td_flags |= TDF_TIMEOUT;
+ td->td_wmesg = NULL;
} else {
td->td_flags |= TDF_TIMOFAIL;
}
@@ -374,6 +375,7 @@ unsleep(struct thread *td)
if (TD_ON_SLEEPQ(td)) {
TAILQ_REMOVE(&slpque[LOOKUP(td->td_wchan)], td, td_slpq);
TD_CLR_ON_SLEEPQ(td);
+ td->td_wmesg = NULL;
}
mtx_unlock_spin(&sched_lock);
}
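Review bot: After this change td_wmesg can be NULL on a thread that has been taken off a sleep queue, so every reader of the field has to tolerate NULL; those readers are not part of this diff. It is worth checking that the code exporting the process table tests the pointer before copying or formatting the string, and that it reads the field under sched_lock, which unsleep holds around the reset (see the `mtx_unlock_spin(&sched_lock)` right after the block). A reader that samples the pointer without that lock could presumably still copy from a string whose module is being unloaded. The beginning of unsleep is outside the hunk.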