Date:      Fri, 10 Oct 2003 22:31:21 -0700
From:      Tim Kientzle <kientzle@acm.org>
To:        kientzle@acm.org
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Dynamic reads without locking.
Message-ID:  <3F8795A9.5020409@acm.org>
In-Reply-To: <3F875172.5010309@acm.org>
References:  <20031008083059.GA520@garage.freebsd.pl> <20031008114506.I63940@beagle.fokus.fraunhofer.de> <20031008101251.GG6524@saboteur.dek.spc.org> <3F875172.5010309@acm.org>

> Bruce M Simpson wrote:
>>
>> Or keep a generation count to detect pre-emption (the devstat code does
>> this, amongst other things), and try again if you lost the race.

On further inspection, I'm pretty sure that sys/kern/subr_devstat.c
is not correct.

In particular, sysctl_devstat writes out a node's data without
holding the lock.  (I believe this is the whole point of all
the "generation count" machinery.)  It seems possible for
devstat_remove_entry to remove that entry, free the storage, and
have that storage recycled just before it gets written out.

In this particular case, it means random kernel data gets
written out from the kernel to userspace.  (Which in some circles
would be considered a security problem, though it's hard to see
how anyone could possibly exploit it.)

Tim Kientzle
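The ordering problem the message describes, as an added example that is not part of the original thread and is not code from sys/kern/subr_devstat.c: a toy table with one entry and a generation count, a writer that removes the entry and reuses its storage, and two readers that run without the lock. The names (table, entry, pool, remove_and_recycle, unsafe_read, safe_read, RECYCLED) are this example's own. The interleaving is forced through a hook so the run is deterministic and single-threaded; a real lockless reader would also need acquire/release ordering on the generation counter, which is omitted here.

```c
/*
 * Added example, not FreeBSD code: generation-counted lockless read,
 * in the broken shape (check, then copy out straight from the entry)
 * and the correct shape (snapshot, then check, then hand the snapshot out).
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct entry { uint32_t data[4]; };

struct table {
    unsigned      gen;  /* bumped by every add/remove: the "generation count" */
    struct entry *ent;  /* the one entry in this toy table, NULL once removed */
};

/* Stand-in for the allocator: one slot that stays mapped after "free",
 * so a stale read returns whatever the next owner wrote into it. */
static struct entry pool;

#define RECYCLED 0xEEEEEEEEu   /* pattern the new owner writes into the slot */

static void setup(struct table *t) {
    for (int i = 0; i < 4; i++) pool.data[i] = (uint32_t)(i + 1);
    t->gen = 0;
    t->ent = &pool;
}

/* Writer side: remove the entry, bump the generation, reuse the storage. */
static void remove_and_recycle(struct table *t) {
    t->ent = NULL;
    t->gen++;
    for (int i = 0; i < 4; i++) pool.data[i] = RECYCLED;
}

typedef void (*hook_fn)(struct table *);

/* Broken shape: the generation is validated, then the entry is written out
 * directly from its storage.  If the writer runs in between (the hook),
 * the caller gets recycled data together with a success return. */
static int unsafe_read(struct table *t, struct entry *out, hook_fn race) {
    unsigned g = t->gen;
    struct entry *e = t->ent;
    if (e == NULL || g != t->gen)
        return -1;                  /* check passes: nothing has changed yet */
    if (race)
        race(t);                    /* ... then remove/free/recycle lands */
    memcpy(out, e, sizeof *out);    /* copies whatever now occupies the slot */
    return 0;
}

/* Correct shape: snapshot into private storage, then re-check the
 * generation; only a snapshot taken under an unchanged generation is
 * handed back.  A moved generation means the snapshot may be garbage,
 * so it is discarded and the read is retried against the new state. */
static int safe_read(struct table *t, struct entry *out, hook_fn race) {
    for (int tries = 0; tries < 8; tries++) {
        unsigned g = t->gen;
        struct entry *e = t->ent;
        if (e == NULL)
            return -1;              /* entry is gone: say so, leak nothing */
        if (race) {
            race(t);                /* writer lands during the copy, once */
            race = NULL;
        }
        struct entry snap;
        memcpy(&snap, e, sizeof snap);
        if (g == t->gen) {
            *out = snap;
            return 0;
        }
        /* lost the race: discard snap and retry */
    }
    return -1;                      /* writer kept winning; give up */
}

int main(void) {
    struct table t;
    struct entry out;

    setup(&t);
    int r = unsafe_read(&t, &out, remove_and_recycle);
    printf("unsafe_read: rc=%d data[0]=0x%08x (recycled data, reported as success)\n",
           r, out.data[0]);

    setup(&t);
    r = safe_read(&t, &out, remove_and_recycle);
    printf("safe_read with race: rc=%d (entry gone, nothing copied out)\n", r);

    setup(&t);
    r = safe_read(&t, &out, NULL);
    printf("safe_read without race: rc=%d data[0]=%u\n", r, out.data[0]);
    return 0;
}
```

Two caveats apply to the safe shape as well. Reading the entry after its removal is only acceptable when the storage is guaranteed to stay mapped (a static pool or type-stable memory, as modelled here); with storage that can be unmapped, the reader must hold a reference or the lock across the copy. And the generation check only bounds the window for data that is copied into private storage first; a copyout issued directly from the entry, as the message describes for sysctl_devstat, has no such bound regardless of how the count is maintained.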
