authorMateusz Guzik <mjg@FreeBSD.org>2020-02-16 03:14:55 +0000
committerMateusz Guzik <mjg@FreeBSD.org>2020-02-16 03:14:55 +0000
commit890611286ee256314407bbcf64ad74956939eac7 (patch)
tree2ddb521bc612eb54e81044cc5f7d5a0608ef5d90 /sys/sys/refcount.h
parent6d88d784f8a5401cfb6fd48bacea1ba6fd9d87c1 (diff)
refcount: add missing release fence to refcount_release_if_gt
A CPU that succeeds in releasing a reference that is not the last one can still have pending stores to the object protected by the affected counter. This opens a time window where another CPU can release the last reference and free the object, resulting in use-after-free. On top of that, the fence prevents the compiler from generating more accesses to the object regardless of how atomic_fcmpset_rel_int is implemented (as long as it provides release semantics, of course). Reviewed by: markj
Notes
Notes: svn path=/head/; revision=357989
Diffstat (limited to 'sys/sys/refcount.h')
-rw-r--r--sys/sys/refcount.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/sys/refcount.h b/sys/sys/refcount.h
index 24fa14dbb3a5..9173793c3280 100644
--- a/sys/sys/refcount.h
+++ b/sys/sys/refcount.h
@@ -198,7 +198,7 @@ refcount_release_if_gt(volatile u_int *count, u_int n)
return (false);
if (__predict_false(REFCOUNT_SATURATED(old)))
return (true);
- if (atomic_fcmpset_int(count, &old, old - 1))
+ if (atomic_fcmpset_rel_int(count, &old, old - 1))
return (true);
}
}
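Review bot: The new `atomic_fcmpset_rel_int` call in the retry loop has no comment explaining why release ordering is required, so a later cleanup could switch it back to the plain variant and reopen the use-after-free window the commit message describes. I would add above that line `/* Release: our earlier stores to the object must be visible before another CPU can drop the last reference and free it. */`. The release fence only orders this CPU's prior accesses. It presumably pairs with acquire semantics on whichever path drops the final reference before the free, which is outside this hunk and worth confirming. The body of refcount_release_if_gt starts above the hunk, so the initial load of `old` is not visible here.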