git: kernel - Fix rare token overwrite race
Matthew Dillon
dillon at crater.dragonflybsd.org
Sat Sep 25 16:17:54 PDT 2010
commit b528f10fca490702489154b515758fc09439a0aa
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Sat Sep 25 16:10:48 2010 -0700
kernel - Fix rare token overwrite race
td_toks_stop was being decremented prior to releasing the token reference
and cleaning up the optional mp lock. This left a very small
one-instruction opening where the following sequence of events could
occur:
* While releasing the ref in 'if (tok->t_ref == ref) tok->t_ref = NULL;'
a fast interrupt could come along, acquire a token reusing our ref,
then release it.
* A thread on another cpu then successfully acquires the now released
token.
* The fast interrupt returns and our interrupted thread resumes with the
execution of 'tok->t_ref = NULL;'.
* The other thread asserts on the missing token ref or otherwise performs
actions which assume the token is still held when it is not due to
the first thread blowing it up.
Reported-by: Francois Tigeot <ftigeot at wolfpond.org>
Summary of changes:
sys/kern/lwkt_token.c | 29 +++++++++++++++++++----------
1 files changed, 19 insertions(+), 10 deletions(-)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/b528f10fca490702489154b515758fc09439a0aa
--
DragonFly BSD source repository
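
The interleaving listed in the commit message, replayed deterministically as an added example (not DragonFly source and not part of this commit). The structures, tok_get(), tok_rel() and simulate() are a simplified, hypothetical model: only td_toks_stop, t_ref and the quoted compare-and-clear line come from the message, the interrupt is assumed to take the same token, and the "new order" is the ordering the message implies rather than the actual diff.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model for illustration; not the DragonFly implementation. */
struct tokref { struct token *tr_tok; };
struct token  { struct tokref *t_ref; };   /* owning ref, NULL when free */
struct thread { struct tokref td_toks[4]; struct tokref *td_toks_stop; };

/* Assumed acquire: use the slot at td_toks_stop, own the token if it is free. */
static struct tokref *tok_get(struct thread *td, struct token *tok)
{
    struct tokref *ref = td->td_toks_stop++;
    ref->tr_tok = tok;
    if (tok->t_ref == NULL)
        tok->t_ref = ref;
    return ref;
}

/* Complete, uninterrupted release (used for the interrupt's own token). */
static void tok_rel(struct thread *td, struct tokref *ref)
{
    if (ref->tr_tok->t_ref == ref)
        ref->tr_tok->t_ref = NULL;
    td->td_toks_stop--;
}

/* Replays the sequence; returns 1 if the other cpu's ownership is wiped. */
static int simulate(int release_ref_first)
{
    struct thread td, other;
    struct token tok = { NULL };
    td.td_toks_stop = td.td_toks;
    other.td_toks_stop = other.td_toks;
    struct tokref *ref = tok_get(&td, &tok);      /* thread holds tok */
    if (!release_ref_first) td.td_toks_stop--;    /* old order: pop slot first */
    int matched = (tok.t_ref == ref);             /* 'if (tok->t_ref == ref)' */
    tok_rel(&td, tok_get(&td, &tok));             /* fast interrupt: get + release */
    struct tokref *oref = tok_get(&other, &tok);  /* thread on another cpu */
    int other_holds = (tok.t_ref == oref);
    if (matched) tok.t_ref = NULL;                /* resumed 'tok->t_ref = NULL;' */
    if (release_ref_first) td.td_toks_stop--;     /* new order: pop slot last */
    return other_holds && tok.t_ref != oref;
}

int main(void)
{
    printf("old order: %d, new order: %d\n", simulate(0), simulate(1));
    return 0;
}
```

With the slot popped first, the interrupt's ref has the same address as the one being released, so its release clears t_ref and lets the other cpu in; with the slot popped last, the interrupt gets a different slot and the token stays owned until the final store.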