diff options
| author | kib <kib@FreeBSD.org> | 2015-07-09 09:22:21 +0000 |
|---|---|---|
| committer | kib <kib@FreeBSD.org> | 2015-07-09 09:22:21 +0000 |
| commit | 58e696649e35af551042cee351aacf02aefae047 (patch) | |
| tree | 6e14f4d8834f38bedaf603f5f9e76845a11cba26 /contrib/llvm/include/llvm-c/LinkTimeOptimizer.h | |
| parent | 6dc0345fb09cf1296ee10f919071f1e146ae33f7 (diff) | |
| download | FreeBSD-src-58e696649e35af551042cee351aacf02aefae047.zip FreeBSD-src-58e696649e35af551042cee351aacf02aefae047.tar.gz | |
Cover a race between doselwakeup() and selfdfree(). If doselwakeup()
loop finds the selfd entry and clears its sf_si pointer, which is
handled by selfdfree() in parallel, NULL sf_si makes selfdfree() free
the memory. The result is the race and accesses to the freed memory.
Refcount the selfd ownership. One reference is for the sf_link
linkage, which is unconditionally dereferenced by selfdfree().
Another reference is for sf_threads, both selfdfree() and
doselwakeup() race to deref it, the winner unlinks and than frees the
selfd entry.
Reported by: Larry Rosenman <ler@lerctr.org>
Tested by: Larry Rosenman <ler@lerctr.org>, pho
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Diffstat (limited to 'contrib/llvm/include/llvm-c/LinkTimeOptimizer.h')
0 files changed, 0 insertions, 0 deletions
