Date:      Wed, 5 May 2021 15:03:05 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 53a9046635f1 - stable/12 - pipe: Avoid calling selrecord() on a closing pipe
Message-ID:  <202105051503.145F35km064292@gitrepo.freebsd.org>

The branch stable/12 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=53a9046635f1856e549f28fba20d9ffc068fa81e

commit 53a9046635f1856e549f28fba20d9ffc068fa81e
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-04-28 14:42:59 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-05 15:02:59 +0000

    pipe: Avoid calling selrecord() on a closing pipe
    
    pipe_poll() may add the calling thread to the selinfo lists of both ends
    of a pipe.  It is ok to do this for the local end, since we know we hold
    a reference on the file and so the local end is not closed.  It is not
    ok to do this for the remote end, which may already be closed and have
    called seldrain().  In this scenario, when the polling thread wakes up,
    it may end up referencing a freed selinfo.
    
    Guard the selrecord() call appropriately.
    
    Reviewed by:    kib
    Reported by:    syzkaller+KASAN
    Differential Revision:  https://reviews.freebsd.org/D30016
    
    (cherry picked from commit d1e9441583fd85c7de5f48197d80c287f1a9494b)
---
 sys/kern/sys_pipe.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index cb6c283d0e91..fefc16a9eb06 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -1456,7 +1456,8 @@ pipe_poll(struct file *fp, int events, struct ucred *active_cred,
 				rpipe->pipe_state |= PIPE_SEL;
 		}
 
-		if ((fp->f_flag & FWRITE) != 0) {
+		if ((fp->f_flag & FWRITE) != 0 &&
+		    wpipe->pipe_present == PIPE_ACTIVE) {
 			selrecord(td, &wpipe->pipe_sel);
 			if (SEL_WAITING(&wpipe->pipe_sel))
 				wpipe->pipe_state |= PIPE_SEL;
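Review bot: the added `wpipe->pipe_present == PIPE_ACTIVE` test in the FWRITE branch carries no comment, so the reason the write side is guarded while the read side above is not lives only in the commit message. A short comment above the condition, saying that the peer end may already be closed and have called seldrain() and that selrecord() on it would leave the polling thread pointing at a freed selinfo, would keep a later cleanup from dropping the check. The test and the selrecord() call are also only safe as a pair if the peer cannot leave PIPE_ACTIVE between them; the visible context does not show the locking, so it is worth confirming that both run under the pipe mutex that the close path takes before changing pipe_present. Finally, when the condition is false the branch is skipped without touching revents, so please confirm that the peer-closed case is still reported to the caller by the event checks earlier in pipe_poll() and the thread is not left waiting with nothing recorded on the write side.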


