Bug #788
closed
Use after free in rcu_barrier()
Added by Mathieu Desnoyers over 10 years ago.
Updated over 10 years ago.
Description
Do not free the rcu_barrier() completion struct until all threads are done with it.
It cannot reside on the waiter's stack as rcu_barrier() may return before the call_rcu handlers have finished checking whether it needs a futex wakeup. Instead we dynamically allocate the structure and determine its lifetime with a reference count.
Issue reported by Keir Fraser.
- Status changed from In Progress to Resolved
Fixed by commit:
commit 81dd9134333f1c00117cf5addd2f193b89998201
Author: Keir Fraser <keir@cohodata.com>
Date: Sat Apr 19 15:59:01 2014 -0400
Fix: Use after free in rcu_barrier()
Do not free the rcu_barrier() completion struct until all threads are
done with it.
It cannot reside on the waiter's stack as rcu_barrier() may return
before the call_rcu handlers have finished checking whether it needs a
futex wakeup. Instead we dynamically allocate the structure and
determine its lifetime with a reference count.
Signed-off-by: Keir Fraser <keir@cohodata.com>
[ Edit by Mathieu Desnoyers: use urcu/ref.h. Cleanup: use
uatomic_sub_return() rather than uatomic_add_return() with negative
value. ]
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
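The lifetime problem the fix describes, as an added illustration rather than liburcu's own code: a heap-allocated completion whose reference count is shared by the waiter and every call_rcu callback. All names are hypothetical, and the two threads are simulated by calling their steps in the racing order.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Completion shared by the rcu_barrier() waiter and every call_rcu callback.
 * Hypothetical layout, not liburcu's own; the point is the reference count. */
struct barrier_completion {
	int refcount;    /* one per callback thread, plus one for the waiter */
	int pending;     /* callbacks that have not yet reported completion */
	bool futex_wake; /* waiter went to sleep and wants a futex wake */
};
static int frees;    /* how many times the completion has been released */
static struct barrier_completion *completion_alloc(int ncallbacks)
{
	struct barrier_completion *c = calloc(1, sizeof(*c));
	if (!c) abort();
	c->refcount = ncallbacks + 1;
	c->pending = ncallbacks;
	return c;
}
/* Drop one reference; whoever drops the last one frees. */
static void completion_put(struct barrier_completion *c)
{
	if (--c->refcount == 0) { free(c); frees++; }
}
/* Callback, step 1: report completion. The waiter may return right after. */
static void callback_mark_done(struct barrier_completion *c) { c->pending--; }
/* Callback, step 2: check whether the waiter needs a futex wake, then drop the
 * reference. With a stack completion this read is the UAF once the waiter returned. */
static void callback_finish(struct barrier_completion *c)
{
	if (c->futex_wake) { /* futex wake of the waiter would go here */ }
	completion_put(c);
}
/* Waiter: rcu_barrier() returns as soon as pending reaches zero. */
static bool waiter_done(struct barrier_completion *c)
{
	if (c->pending != 0) return false;
	completion_put(c); /* waiter's reference; callbacks may still hold theirs */
	return true;
}
/* One interleaving of the race: callback 1 reports done, the waiter returns, then
 * callback 1 runs its wakeup check. Returns frees_at_waiter_return*10 + frees_total. */
int simulate_race(void)
{
	struct barrier_completion *c = completion_alloc(2);
	int at_return;
	frees = 0;
	callback_mark_done(c); callback_finish(c); /* callback 0 runs to the end */
	callback_mark_done(c);                     /* callback 1 reports, then is preempted */
	if (!waiter_done(c)) abort();
	at_return = frees;                         /* still 0: callback 1's ref keeps c alive */
	callback_finish(c);                        /* last reference dropped, now freed */
	return at_return * 10 + frees;
}
```

A result of 1 means the completion was freed exactly once and only after the last callback finished its wakeup check, which is the property a stack-allocated completion cannot guarantee.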