Bug #788

closed

Use after free in rcu_barrier()

Added by Mathieu Desnoyers over 10 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Target version: -
Start date: 04/20/2014
Due date:
% Done: 0%
Estimated time:

Description

Do not free the rcu_barrier() completion struct until all threads are done with it.

It cannot reside on the waiter's stack as rcu_barrier() may return before the call_rcu handlers have finished checking whether it needs a futex wakeup. Instead we dynamically allocate the structure and determine its lifetime with a reference count.

Issue reported by Keir Fraser.
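The lifetime scheme the description calls for, as an added illustration that is not liburcu's code: a heap-allocated completion with one reference held by the waiter and one per call_rcu thread, simulated in a single thread in the order that breaks a stack-allocated struct (the waiter returns before the callbacks have dropped their references). Names and the spin-wait in place of a futex are assumptions of this example.

```c
/* Added example, not liburcu's code: a refcounted rcu_barrier() completion.
 * The waiter holds one reference and each call_rcu thread one more, so the
 * struct outlives a waiter that returns before every callback is done with it. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
struct barrier_completion {
    atomic_int pending; /* call_rcu threads whose barrier callback has not run yet */
    atomic_int ref;     /* 1 (waiter) + 1 per call_rcu thread */
};
static atomic_int completions_freed; /* instrumentation for the test only */

/* Heap, not the waiter's stack: the waiter may return before the last put(). */
static struct barrier_completion *completion_new(int nr_call_rcu_threads)
{
    struct barrier_completion *c = malloc(sizeof(*c));
    if (!c)
        abort();
    atomic_init(&c->pending, nr_call_rcu_threads);
    atomic_init(&c->ref, nr_call_rcu_threads + 1);
    return c;
}

/* Drop one reference; only the last holder frees. Returns true if freed here. */
static bool completion_put(struct barrier_completion *c)
{
    if (atomic_fetch_sub_explicit(&c->ref, 1, memory_order_acq_rel) != 1)
        return false;
    free(c);
    atomic_fetch_add(&completions_freed, 1);
    return true;
}

/* Barrier callback on a call_rcu thread: true when it is the last one and must
 * wake the waiter (futex_wake in liburcu). That wakeup check reads the struct,
 * so the thread keeps its reference until it calls completion_put() afterwards. */
static bool barrier_signal(struct barrier_completion *c)
{
    return atomic_fetch_sub_explicit(&c->pending, 1, memory_order_acq_rel) == 1;
}

/* Waiter: block (futex wait in liburcu, a spin here) until every callback ran,
 * then drop the waiter's reference. Returns true if that put freed the struct. */
static bool barrier_wait(struct barrier_completion *c)
{
    while (atomic_load_explicit(&c->pending, memory_order_acquire) != 0)
        ;
    return completion_put(c);
}
static int completions_freed_count(void) { return atomic_load(&completions_freed); }
```

With a stack-allocated struct the two `completion_put()` calls after `barrier_wait()` returns would touch a dead frame; here they only drop references, and the memory goes away on the last one.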
