Author: markj
Date: Thu Jul 4 15:42:02 2019
New Revision: 349733
URL: https://svnweb.freebsd.org/changeset/base/349733
Log:
Defer funsetown() calls for a TTY to tty_rel_free().
We were otherwise failing to call funsetown() for some descriptors
associated with a tty, such as pts descriptors. Then, if the
descriptor is closed before the owner exits, we may get memory
corruption.
Reported by: syzbot+c9b6206303bf47bac...@syzkaller.appspotmail.com
Reviewed by: ed
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Modified:
head/sys/kern/tty.c
Modified: head/sys/kern/tty.c
==============================================================================
--- head/sys/kern/tty.c Thu Jul 4 15:26:02 2019 (r349732)
+++ head/sys/kern/tty.c Thu Jul 4 15:42:02 2019 (r349733)
@@ -238,9 +238,6 @@ ttydev_leave(struct tty *tp)
tp->t_flags |= TF_OPENCLOSE;
- /* Stop asynchronous I/O. */
- funsetown(&tp->t_sigio);
-
/* Remove console TTY. */
if (constty == tp)
constty_clear();
@@ -1133,6 +1130,9 @@ tty_rel_free(struct tty *tp)
tty_unlock(tp);
return;
}
+
+ /* Stop asynchronous I/O. */
+ funsetown(&tp->t_sigio);
/* TTY can be deallocated. */
dev = tp->t_dev;
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
