diff options
author | Konstantin Belousov <kib@FreeBSD.org> | 2012-12-04 20:49:39 +0000 |
---|---|---|
committer | Konstantin Belousov <kib@FreeBSD.org> | 2012-12-04 20:49:39 +0000 |
commit | f7e50ea72295c39c2d6c2a092171941d095a0230 (patch) | |
tree | be5ca68461521c9d13f018cf6445647db4335cf1 /sys/mips/rmi/dev/xlr/rge.c | |
parent | 9bdf6ccab3f1b80221eada9fe11b62e899de8e7f (diff) | |
download | src-f7e50ea72295c39c2d6c2a092171941d095a0230.tar.gz src-f7e50ea72295c39c2d6c2a092171941d095a0230.zip |
Fix a race between kern_setitimer() and realitexpire(), where the
callout is started before kern_setitimer() acquires process mutex, but
looses a race and kern_setitimer() gets the process mutex before the
callout. Then, assuming that new specified struct itimerval has
it_interval zero, but it_value non-zero, the callout, after it starts
executing again, clears p->p_realtimer.it_value, but kern_setitimer()
already rescheduled the callout.
As the result of the race, both p_realtimer is zero, and the callout
is rescheduled. Then, in the exit1(), the exit code sees that it_value
is zero and does not even try to stop the callout. This allows the
struct proc to be reused and eventually the armed callout is
re-initialized. The consequence is the corrupted callwheel tailq.
Use process mutex to interlock the callout start, which fixes the race.
Reported and tested by: pho
Reviewed by: jhb
MFC after: 2 weeks
Notes
Notes:
svn path=/head/; revision=243869
Diffstat (limited to 'sys/mips/rmi/dev/xlr/rge.c')
0 files changed, 0 insertions, 0 deletions