Date: Wed, 5 May 2021 15:02:01 GMT
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 9d45365e3321 - stable/13 - pipe: Avoid calling selrecord() on a closing pipe
Message-ID: <202105051502.145F21h7061733@gitrepo.freebsd.org>
The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=9d45365e332114459e46509e4d9aa31c81ce32a7 commit 9d45365e332114459e46509e4d9aa31c81ce32a7 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-04-28 14:42:59 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-05-05 15:01:43 +0000 pipe: Avoid calling selrecord() on a closing pipe pipe_poll() may add the calling thread to the selinfo lists of both ends of a pipe. It is ok to do this for the local end, since we know we hold a reference on the file and so the local end is not closed. It is not ok to do this for the remote end, which may already be closed and have called seldrain(). In this scenario, when the polling thread wakes up, it may end up referencing a freed selinfo. Guard the selrecord() call appropriately. Reviewed by: kib Reported by: syzkaller+KASAN Differential Revision: https://reviews.freebsd.org/D30016 (cherry picked from commit d1e9441583fd85c7de5f48197d80c287f1a9494b) --- sys/kern/sys_pipe.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index 558337794950..ec0fb3860eda 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -1470,7 +1470,8 @@ pipe_poll(struct file *fp, int events, struct ucred *active_cred, rpipe->pipe_state |= PIPE_SEL; } - if ((fp->f_flag & FWRITE) != 0) { + if ((fp->f_flag & FWRITE) != 0 && + wpipe->pipe_present == PIPE_ACTIVE) { selrecord(td, &wpipe->pipe_sel); if (SEL_WAITING(&wpipe->pipe_sel)) wpipe->pipe_state |= PIPE_SEL;
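Review bot: The new wpipe->pipe_present == PIPE_ACTIVE test in the FWRITE branch of pipe_poll() has no comment, so the reason the remote end needs this guard is recorded only in the commit message. A short comment above the if, saying that the remote end may already be closed and have called seldrain() and that selrecord() on wpipe->pipe_sel is therefore only safe while the peer is still PIPE_ACTIVE, would keep the condition from being dropped in a later cleanup. The hunk also does not show the locking around this block; the test is only sound if pipe_present cannot change between the check and the selrecord() call, which is worth stating in the same comment.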