Date: Wed, 5 May 2021 15:03:05 GMT
Message-Id: <202105051503.145F35km064292@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 53a9046635f1 - stable/12 - pipe: Avoid calling selrecord() on a closing pipe
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 53a9046635f1856e549f28fba20d9ffc068fa81e
Auto-Submitted: auto-generated
List-Id: Commits to the stable branches of the FreeBSD src repository

The branch stable/12 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=53a9046635f1856e549f28fba20d9ffc068fa81e

commit 53a9046635f1856e549f28fba20d9ffc068fa81e
Author:     Mark Johnston
AuthorDate: 2021-04-28 14:42:59 +0000
Commit:     Mark Johnston
CommitDate: 2021-05-05 15:02:59 +0000

    pipe: Avoid calling selrecord() on a closing pipe

    pipe_poll() may add the calling thread to the selinfo lists of both
    ends of a pipe. It is ok to do this for the local end, since we know
    we hold a reference on the file and so the local end is not closed.
    It is not ok to do this for the remote end, which may already be
    closed and have called seldrain(). In this scenario, when the polling
    thread wakes up, it may end up referencing a freed selinfo. Guard the
    selrecord() call appropriately.

    Reviewed by: kib
    Reported by: syzkaller+KASAN
    Differential Revision: https://reviews.freebsd.org/D30016

    (cherry picked from commit d1e9441583fd85c7de5f48197d80c287f1a9494b)

--- sys/kern/sys_pipe.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index cb6c283d0e91..fefc16a9eb06 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c
@@ -1456,7 +1456,8 @@ pipe_poll(struct file *fp, int events, struct ucred *active_cred, rpipe->pipe_state |= PIPE_SEL; } - if ((fp->f_flag & FWRITE) != 0) { + if ((fp->f_flag & FWRITE) != 0 && + wpipe->pipe_present == PIPE_ACTIVE) { selrecord(td, &wpipe->pipe_sel); if (SEL_WAITING(&wpipe->pipe_sel)) wpipe->pipe_state |= PIPE_SEL;
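
Review bot: The new `wpipe->pipe_present == PIPE_ACTIVE` test in the `FWRITE` branch of pipe_poll() carries no comment, so the code itself gives no hint why the peer end is guarded while the `rpipe` branch just above it records unconditionally. A one-line comment above the condition, along the lines of "the peer may be closing and may already have called seldrain()", would keep the reasoning from the commit message next to the check and make it less likely that a later cleanup drops it as redundant. The hunk also does not show which lock is held at this point: the guard only closes the window if `pipe_present` is read under the same lock the close path holds when it moves the peer out of PIPE_ACTIVE, so it is worth confirming that and, if so, saying it in the comment.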