author: dumbbell <dumbbell@FreeBSD.org> 2008-01-24 17:10:19 +0000
committer: dumbbell <dumbbell@FreeBSD.org> 2008-01-24 17:10:19 +0000
commit: ba3df23cb8fa4355a16820390afdd590e0a58be7
tree: 7068fef549babbf1bf671437caf732a4825b963a /sys/sys/event.h
parent: 17d99001fab69e948489158a3aa6caf948b0b996

When asked to use kqueue, AIO stores its internal state in the
`kn_sdata' member of the newly registered knote. The problem is that
this member is overwritten by a call to kevent(2) with the EV_ADD flag,
targeted at the same kevent/knote. For instance, a userland application
may set the pointer to NULL, leading to a panic.

A testcase was provided by the submitter.

PR: kern/118911
Submitted by: MOROHOSHI Akihiko <moro@remus.dti.ne.jp>
MFC after: 1 day

Diffstat (limited to 'sys/sys/event.h')
-rw-r--r-- sys/sys/event.h 2
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/sys/event.h b/sys/sys/event.h
index d34edee..81edb10 100644
--- a/sys/sys/event.h
+++ b/sys/sys/event.h
@@ -181,6 +181,8 @@ struct knote {
union {
struct file *p_fp; /* file data pointer */
struct proc *p_proc; /* proc pointer */
+ struct aiocblist *p_aio; /* AIO job pointer */
+ struct aioliojob *p_lio; /* LIO job pointer */
} kn_ptr;
struct filterops *kn_fop;
void *kn_hook;
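
Review bot: the two members added to `kn_ptr` (`p_aio`, `p_lio`) carry only a type comment, and nothing in the union records the property this fix appears to rely on: that, unlike `kn_sdata`, these pointers are not rewritten when userland calls kevent(2) with EV_ADD on an already registered knote. Suggest a comment on the union saying its members are kernel-owned and never updated from a user-supplied kevent, so a later change does not reintroduce a user-writable path to the AIO job pointer. This view is limited to sys/sys/event.h, so the AIO side is not visible here; it is worth confirming that every place in the AIO and LIO filter code that read `kn_sdata` now reads the new members. Both additions are struct pointers in a union that already holds struct pointers, so the size and layout of `struct knote` should stay the same, which is relevant to the one-day MFC.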