svn commit: r349733 - head/sys/kern
Mark Johnston
markj at FreeBSD.org
Thu Jul 4 15:42:03 UTC 2019
Author: markj
Date: Thu Jul 4 15:42:02 2019
New Revision: 349733
URL: https://svnweb.freebsd.org/changeset/base/349733
Log:
Defer funsetown() calls for a TTY to tty_rel_free().
We were otherwise failing to call funsetown() for some descriptors
associated with a tty, such as pts descriptors. Then, if the
descriptor is closed before the owner exits, we may get memory
corruption.
Reported by: syzbot+c9b6206303bf47bac87e at syzkaller.appspotmail.com
Reviewed by: ed
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Modified:
head/sys/kern/tty.c
Modified: head/sys/kern/tty.c
==============================================================================
--- head/sys/kern/tty.c Thu Jul 4 15:26:02 2019 (r349732)
+++ head/sys/kern/tty.c Thu Jul 4 15:42:02 2019 (r349733)
@@ -238,9 +238,6 @@ ttydev_leave(struct tty *tp)
tp->t_flags |= TF_OPENCLOSE;
- /* Stop asynchronous I/O. */
- funsetown(&tp->t_sigio);
-
/* Remove console TTY. */
if (constty == tp)
constty_clear();
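Review bot: In ttydev_leave(), once the funsetown(&tp->t_sigio) call is removed, nothing in the visible part of the function releases the SIGIO owner, so the registration now outlives this close path. A one-line comment here saying that t_sigio is released in tty_rel_free() would explain the omission and keep a later cleanup from re-adding the call.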
@@ -1133,6 +1130,9 @@ tty_rel_free(struct tty *tp)
tty_unlock(tp);
return;
}
+
+ /* Stop asynchronous I/O. */
+ funsetown(&tp->t_sigio);
/* TTY can be deallocated. */
dev = tp->t_dev;
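Review bot: In tty_rel_free(), the added funsetown(&tp->t_sigio) sits after the early "tty_unlock(tp); return;" path, so it runs only when the function goes on to deallocate the TTY, and the owner stays registered whenever that early return is taken. The comment "Stop asynchronous I/O." was carried over unchanged from ttydev_leave(). It should be expanded to say that the owner is deliberately kept until the TTY is freed. Since the early-return path releases the tty lock explicitly and no unlock is visible before the new call, the comment should also note that funsetown() is called with that lock held.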