diff options
author | dumbbell <dumbbell@FreeBSD.org> | 2008-01-24 17:10:19 +0000 |
---|---|---|
committer | dumbbell <dumbbell@FreeBSD.org> | 2008-01-24 17:10:19 +0000 |
commit | ba3df23cb8fa4355a16820390afdd590e0a58be7 (patch) | |
tree | 7068fef549babbf1bf671437caf732a4825b963a /sys/sys/event.h | |
parent | 17d99001fab69e948489158a3aa6caf948b0b996 (diff) | |
download | FreeBSD-src-ba3df23cb8fa4355a16820390afdd590e0a58be7.zip FreeBSD-src-ba3df23cb8fa4355a16820390afdd590e0a58be7.tar.gz |
When asked to use kqueue, AIO stores its internal state in the
`kn_sdata' member of the newly registered knote. The problem is that
this member is overwritten by a call to kevent(2) with the EV_ADD flag,
targetted at the same kevent/knote. For instance, a userland application
may set the pointer to NULL, leading to a panic.
A testcase was provided by the submitter.
PR: kern/118911
Submitted by: MOROHOSHI Akihiko <moro@remus.dti.ne.jp>
MFC after: 1 day
Diffstat (limited to 'sys/sys/event.h')
-rw-r--r-- | sys/sys/event.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/sys/event.h b/sys/sys/event.h index d34edee..81edb10 100644 --- a/sys/sys/event.h +++ b/sys/sys/event.h @@ -181,6 +181,8 @@ struct knote { union { struct file *p_fp; /* file data pointer */ struct proc *p_proc; /* proc pointer */ + struct aiocblist *p_aio; /* AIO job pointer */ + struct aioliojob *p_lio; /* LIO job pointer */ } kn_ptr; struct filterops *kn_fop; void *kn_hook; |