diff options
author | mbr <mbr@FreeBSD.org> | 2006-09-10 16:51:56 +0000 |
---|---|---|
committer | mbr <mbr@FreeBSD.org> | 2006-09-10 16:51:56 +0000 |
commit | eecf512f8fd435eef8ae035d571433b73f5f2959 (patch) | |
tree | 721801b921fbb554499b09e7091f8e58f1d08f7c /sys | |
parent | 9ae25ad61426f09189fb3734c918a5d473f588c1 (diff) | |
download | FreeBSD-src-eecf512f8fd435eef8ae035d571433b73f5f2959.zip FreeBSD-src-eecf512f8fd435eef8ae035d571433b73f5f2959.tar.gz |
Fix locking race in ttymodem(). The locking of the proctree happens too late
and opens a small race window before tp->t_session->s_leader is accessed. In case
tp->t_session has just been set to NULL elsewhere, we get a panic().
This fix is a bandaid until someone else fixes the whole locking in the tty subsystem.
Definitly more work needs to be done.
MFC after: 1 week
Reviewed by: mlaier
PR: kern/103101
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/tty.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/kern/tty.c b/sys/kern/tty.c index f5b7d91..4b86857 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -1639,8 +1639,8 @@ ttymodem(struct tty *tp, int flag) !ISSET(tp->t_cflag, CLOCAL)) { SET(tp->t_state, TS_ZOMBIE); CLR(tp->t_state, TS_CONNECTED); + sx_slock(&proctree_lock); /* XXX: protect t_session */ if (tp->t_session) { - sx_slock(&proctree_lock); if (tp->t_session->s_leader) { struct proc *p; @@ -1649,8 +1649,8 @@ ttymodem(struct tty *tp, int flag) psignal(p, SIGHUP); PROC_UNLOCK(p); } - sx_sunlock(&proctree_lock); } + sx_sunlock(&proctree_lock); ttyflush(tp, FREAD | FWRITE); return (0); } |