From nobody Mon Feb 2 21:20:33 2026 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4f4ffV5Zq5z6QXrQ for ; Mon, 02 Feb 2026 21:20:34 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4f4ffV11Xfz474x for ; Mon, 02 Feb 2026 21:20:34 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1770067234; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=pP5ICkolVxKBhTPbdvIhDOTxO9HwPSxMoAq14EAZc7Q=; b=ZWB6DYVQPMVqeNOBRC8vWe5ki/1SRXKQk30VIXqZKaA1xlY5aF5SlPkasUqnhx+nMgVUUh wrgBudq/XdLOxsJrJ+HzGpdrUZgmq2EQahm9/j8wwWP3/Ds7UcDkge1UyOUQKGEnyp5sdO 6Jl8KvOviTBkfB+j7B4SVbi8T2n3nFbgPM/mxKS0JvKPgXbXdonQkjuoI7G9kSx66lBWzo 1WMUzMG0FCRuOOy1rRLo8SUX2Wm8qkSvV34Z/InqeV7WYQPMXmoh7XcUsrELvSqIYPHBkm Spp35QzRILiwySaGdsZ1w4BWFvKv0COUsTEhUJB4cX/MKCKsDTMGtUZKjiWaGw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1770067234; a=rsa-sha256; cv=none; b=YHzDOEw+DNH1xoaO3mGGlu50Vh5S4HeXq1d6ZwOWlAZ3INAkAExTjCFzGh6CI8edxzk6us 3jCw7Aqx8Gir/tqbvSKIrv8127dKPaZV0a6phjvmL+dkLmwe2CwxTTeGyuXCPTHLsevQ9r wsyEKarSYKo14O0ysC5fQhOpqFnVLDWQupeUeKb80DZ6gQxQcVa6Pg9P5EbBoeLCqLgv+i d2QL9I6wQ1/j+WyYIBS5R+E2JOM18QS9Fd2gI0UREE51l+vx8oJBRP4zozcRRCubggXFRh zlGVimjn9WiwIW5fT4WxkU1rjhXRmga+oCMEQ6g8BJ7qQEkCvohkiw09WqOU/g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1770067234; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=pP5ICkolVxKBhTPbdvIhDOTxO9HwPSxMoAq14EAZc7Q=; b=OPOfXiDq6M04VU4Lp+7XvjsgQIQIyeWIm20+KLBmNCF7lRF8bZ2B7sPNQ2cZMNhevUan/c E2lFVHr+GNS7mwJVFXpgqV21sYY5vbWEes/A2VAKZNtVuuQ+0t0sUmJpFiTGYBD61RcL4q URnAtPsftSVyzaXrpSrefXZ/p89zgZuAyLu09B7YZYQCbFZXdtO8Gl4n+yIi2frP5M0pJ3 LkkKTqAEjh43DssCr337lHRx/+luR4wzdELB9gGYqEIe1chYvU2GIX3qIjmvmX9+eHATF6 7N/3t1SF+UjRiS5EcJkuo7n0KeSoEMFqdywjWHml/BcOeTuaNFskPwqzvcAN4g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4f4ffT6wRZzjlJ for ; Mon, 02 Feb 2026 21:20:33 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 40578 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 02 Feb 2026 21:20:33 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Brooks Davis Subject: git: 47413f23e503 - main - clnt_broadcast(3): don't free function pointers List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: brooks X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 47413f23e503e796989b35dfb04e453c5b6e2d01 Auto-Submitted: auto-generated Date: Mon, 02 Feb 2026 21:20:33 +0000 Message-Id: <69811521.40578.6fc3b83a@gitrepo.freebsd.org> The branch main has been updated by brooks: URL: https://cgit.FreeBSD.org/src/commit/?id=47413f23e503e796989b35dfb04e453c5b6e2d01 commit 47413f23e503e796989b35dfb04e453c5b6e2d01 Author: Brooks Davis AuthorDate: 2026-02-02 21:20:01 +0000 Commit: Brooks Davis CommitDate: 2026-02-02 21:20:01 +0000 clnt_broadcast(3): don't free function pointers Replace use of thr_getspecific/thr_setspecific to stash the function pointer we're smuggling between clnt_broadcast and rpc_wrap_bcast with a simple thread local variable. Clear it after use so the reference doesn't linger. In the relatively unlikely event clnt_broadcast was called from threads that exited prior to program termination, the previous code called free on a function pointer, which is undefined and might corrupted allocator state. Effort: CHERI upstreaming Reviewed by: glebius, jhb Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D54939 --- lib/libc/rpc/rpc_soc.c | 35 ++++++++++------------------------- 1 file changed, 10 insertions(+), 25 deletions(-) diff --git a/lib/libc/rpc/rpc_soc.c b/lib/libc/rpc/rpc_soc.c index c63b89594ce6..21a36cedf69f 100644 --- a/lib/libc/rpc/rpc_soc.c +++ b/lib/libc/rpc/rpc_soc.c @@ -307,19 +307,10 @@ registerrpc(int prognum, int versnum, int procnum, } /* - * All the following clnt_broadcast stuff is convulated; it supports - * the earlier calling style of the callback function + * Support the earlier calling style of the callback function with a + * per-thread temporary copy of the real callback. */ -static thread_key_t clnt_broadcast_key; -static resultproc_t clnt_broadcast_result_main; -static once_t clnt_broadcast_once = ONCE_INITIALIZER; - -static void -clnt_broadcast_key_init(void) -{ - - thr_keycreate(&clnt_broadcast_key, free); -} +static _Thread_local resultproc_t clnt_broadcast_result; /* * Need to translate the netbuf address into sockaddr_in address. @@ -334,14 +325,8 @@ rpc_wrap_bcast(char *resultp, struct netbuf *addr, struct netconfig *nconf) * struct netconfig *nconf; // Netconf of the transport */ { - resultproc_t clnt_broadcast_result; - if (strcmp(nconf->nc_netid, "udp")) return (FALSE); - if (thr_main()) - clnt_broadcast_result = clnt_broadcast_result_main; - else - clnt_broadcast_result = (resultproc_t)thr_getspecific(clnt_broadcast_key); return (*clnt_broadcast_result)(resultp, (struct sockaddr_in *)addr->buf); } @@ -363,16 +348,16 @@ clnt_broadcast(u_long prog, u_long vers, u_long proc, xdrproc_t xargs, * resultproc_t eachresult; // call with each result obtained */ { + enum clnt_stat ret; - if (thr_main()) - clnt_broadcast_result_main = eachresult; - else { - thr_once(&clnt_broadcast_once, clnt_broadcast_key_init); - thr_setspecific(clnt_broadcast_key, (void *) eachresult); - } - return rpc_broadcast((rpcprog_t)prog, (rpcvers_t)vers, + clnt_broadcast_result = eachresult; + + ret = rpc_broadcast((rpcprog_t)prog, (rpcvers_t)vers, (rpcproc_t)proc, xargs, argsp, xresults, resultsp, (resultproc_t) rpc_wrap_bcast, "udp"); + + clnt_broadcast_result = NULL; + return (ret); } /*