Module Name:    src
Committed By:   riastradh
Date:           Wed Jun  2 09:23:32 UTC 2021

Modified Files:
        src/sys/kern: subr_psref.c

Log Message:
psref(9): Make use-after-free panic message more obvious.

Previously it would almost always manifest as

        mismatched psref target class: 0x0 (ref) != 0x... (expected)

and now it will manifest as

        psref target already destroyed: 0x...


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/sys/kern/subr_psref.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_psref.c
diff -u src/sys/kern/subr_psref.c:1.13 src/sys/kern/subr_psref.c:1.14
--- src/sys/kern/subr_psref.c:1.13	Fri May 17 03:34:26 2019
+++ src/sys/kern/subr_psref.c	Wed Jun  2 09:23:32 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_psref.c,v 1.13 2019/05/17 03:34:26 ozaki-r Exp $	*/
+/*	$NetBSD: subr_psref.c,v 1.14 2021/06/02 09:23:32 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 2016 The NetBSD Foundation, Inc.
@@ -64,7 +64,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_psref.c,v 1.13 2019/05/17 03:34:26 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_psref.c,v 1.14 2021/06/02 09:23:32 riastradh Exp $");
 
 #include <sys/types.h>
 #include <sys/condvar.h>
@@ -293,11 +293,11 @@ psref_acquire(struct psref *psref, const
 	    "passive references are CPU-local,"
 	    " but preemption is enabled and the caller is not"
 	    " in a softint or CPU-bound LWP");
+	KASSERTMSG(!target->prt_draining, "psref target already destroyed: %p",
+	    target);
 	KASSERTMSG((target->prt_class == class),
 	    "mismatched psref target class: %p (ref) != %p (expected)",
 	    target->prt_class, class);
-	KASSERTMSG(!target->prt_draining, "psref target already destroyed: %p",
-	    target);
 
 	/* Block interrupts and acquire the current CPU's reference list.  */
 	s = splraiseipl(class->prc_iplcookie);
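Review bot: Nothing in psref_acquire records that the `prt_draining` assertion must now come before the `prt_class` assertion, so a later tidy-up could swap them back and restore the misleading message; the same applies to the reordered pair in the psref_target_destroy hunk. A short comment above the first KASSERTMSG would pin the order, e.g. `/* Check prt_draining first: a destroyed target reads back with prt_class 0x0 (see log for 1.14), which would otherwise trip the class check. */`. Both checks are KASSERTMSG, which as far as I know is compiled in only for DIAGNOSTIC kernels, and they read fields of an object that may already have been freed and reused. They are therefore a best-effort debugging aid, not a guard against the use-after-free itself. Both function bodies start and end outside their hunks.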
@@ -516,13 +516,13 @@ psref_target_destroy(struct psref_target
 
 	ASSERT_SLEEPABLE();
 
+	KASSERTMSG(!target->prt_draining, "psref target already destroyed: %p",
+	    target);
 	KASSERTMSG((target->prt_class == class),
 	    "mismatched psref target class: %p (ref) != %p (expected)",
 	    target->prt_class, class);
 
 	/* Request psref_release to notify us when done.  */
-	KASSERTMSG(!target->prt_draining, "psref target already destroyed: %p",
-	    target);
 	target->prt_draining = true;
 
 	/* Wait until there are no more references on any CPU.  */
