CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2018/08/07 06:38:15
Modified files:
sys/kern : kern_event.c
Log message:
Fix dangling knote references.
kqueue_close() does not take into account that the kqueue instance may
have queued knotes. This can cause a use-after-free if new knotes are
enqueued on the kqueue as a result of file closing.
Correct the error by dequeueing each knote before freeing it.
Since r1.93 of kern_event.c, each kqueue instance has its knotes
in nonshared lists kq_knhash and kq_knlist, so kqueue_close() does
not have to skip other kqueues' knotes any longer. The code can be
simplified by using knote_remove() for clearing the knote lists.
The function uses knote_drop() which takes care of knote dequeueing.
Found and initial analysis by anton@
OK anton@, mpi@
