Module Name: src Committed By: hannken Date: Tue Aug 20 08:12:50 UTC 2019
Modified Files: src/external/cddl/osnet/sys/kern: taskq.c Log Message: task_executor: prevent use after free, the task function may free the tasq entry. To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/external/cddl/osnet/sys/kern/taskq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/cddl/osnet/sys/kern/taskq.c diff -u src/external/cddl/osnet/sys/kern/taskq.c:1.10 src/external/cddl/osnet/sys/kern/taskq.c:1.11 --- src/external/cddl/osnet/sys/kern/taskq.c:1.10 Tue Jun 11 09:05:33 2019 +++ src/external/cddl/osnet/sys/kern/taskq.c Tue Aug 20 08:12:50 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: taskq.c,v 1.10 2019/06/11 09:05:33 hannken Exp $ */ +/* $NetBSD: taskq.c,v 1.11 2019/08/20 08:12:50 hannken Exp $ */ /*- * Copyright (c) 2019 The NetBSD Foundation, Inc. @@ -75,6 +75,7 @@ task_executor(struct threadpool_job *job struct taskq_executor *state = (struct taskq_executor *)job; taskq_t *tq = state->te_self; taskq_ent_t *tqe; + bool is_dynamic; int error; lwp_setspecific(taskq_lwp_key, tq); @@ -97,13 +98,14 @@ task_executor(struct threadpool_job *job tqe = SIMPLEQ_FIRST(&tq->tq_list); KASSERT(tqe != NULL); SIMPLEQ_REMOVE_HEAD(&tq->tq_list, tqent_list); + is_dynamic = tqe->tqent_dynamic; tqe->tqent_queued = 0; mutex_exit(&tq->tq_lock); (*tqe->tqent_func)(tqe->tqent_arg); mutex_enter(&tq->tq_lock); - if (tqe->tqent_dynamic) + if (is_dynamic) kmem_free(tqe, sizeof(*tqe)); tq->tq_active--; }