Project

General

Profile

Actions
Copy link

Bug #788

closed

Use after free in rcu_barrier()

Added by Mathieu Desnoyers about 10 years ago. Updated about 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Mathieu Desnoyers
Target version:
-
Start date:
04/20/2014
Due date:
% Done:

0%

Estimated time:

Description

Do not free the rcu_barrier() completion struct until all threads are done with it.

It cannot reside on the waiter's stack as rcu_barrier() may return before the call_rcu handlers have finished checking whether it needs a futex wakeup. Instead we dynamically allocate the structure and determine its lifetime with a reference count.

Issue reported by Keir Fraser.

Actions
Copy link
 #1

Updated by Mathieu Desnoyers about 10 years ago

  • Status changed from In Progress to Resolved

Fixed by commit:

commit 81dd9134333f1c00117cf5addd2f193b89998201
Author: Keir Fraser <keir@cohodata.com>
Date:   Sat Apr 19 15:59:01 2014 -0400

    Fix: Use after free in rcu_barrier()

    Do not free the rcu_barrier() completion struct until all threads are
    done with it.

    It cannot reside on the waiter's stack as rcu_barrier() may return
    before the call_rcu handlers have finished checking whether it needs a
    futex wakeup. Instead we dynamically allocate the structure and
    determine its lifetime with a reference count.

    Signed-off-by: Keir Fraser <keir@cohodata.com>
    [ Edit by Mathieu Desnoyers: use urcu/ref.h. Cleanup: use
      uatomic_sub_return() rather than uatomic_add_return() with negative
      value. ]
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Actions
Copy link

Also available in: Atom PDF