Date: Thu, 4 Jul 2019 15:42:02 +0000 (UTC)
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r349733 - head/sys/kern
Message-ID: <201907041542.x64Fg2gQ004638@repo.freebsd.org>
Author: markj Date: Thu Jul 4 15:42:02 2019 New Revision: 349733 URL: https://svnweb.freebsd.org/changeset/base/349733 Log: Defer funsetown() calls for a TTY to tty_rel_free(). We were otherwise failing to call funsetown() for some descriptors associated with a tty, such as pts descriptors. Then, if the descriptor is closed before the owner exits, we may get memory corruption. Reported by: syzbot+c9b6206303bf47bac87e@syzkaller.appspotmail.com Reviewed by: ed MFC after: 3 days Sponsored by: The FreeBSD Foundation Modified: head/sys/kern/tty.c Modified: head/sys/kern/tty.c ============================================================================== --- head/sys/kern/tty.c Thu Jul 4 15:26:02 2019 (r349732) +++ head/sys/kern/tty.c Thu Jul 4 15:42:02 2019 (r349733) @@ -238,9 +238,6 @@ ttydev_leave(struct tty *tp) tp->t_flags |= TF_OPENCLOSE; - /* Stop asynchronous I/O. */ - funsetown(&tp->t_sigio); - /* Remove console TTY. */ if (constty == tp) constty_clear(); @@ -1133,6 +1130,9 @@ tty_rel_free(struct tty *tp) tty_unlock(tp); return; } + + /* Stop asynchronous I/O. */ + funsetown(&tp->t_sigio); /* TTY can be deallocated. */ dev = tp->t_dev;
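Review bot: in the ttydev_leave() hunk, dropping funsetown(&tp->t_sigio) means the SIGIO owner stays registered on tp->t_sigio after ttydev_leave() runs, until tty_rel_free() reaches its deallocation path. Is it intended that an owner set earlier is still in place if the TTY is opened again before it is freed? If so, a one-line comment at this spot saying that t_sigio is torn down in tty_rel_free() would keep a later reader from re-adding the call here.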
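Review bot: in the tty_rel_free() hunk, the new funsetown(&tp->t_sigio) call sits after the early-return path that does tty_unlock(tp), so it appears to run with the tty lock still held. Please confirm that funsetown() is safe to call under that lock (lock order against anything it acquires, and no sleeping), or move the call to a point after the lock has been dropped. Since the log message says the old placement missed some descriptors such as pts descriptors, it would also help to note in the comment that this is the single teardown point for t_sigio.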