
pipe: Avoid calling selrecord() on a closing pipe

Description

pipe: Avoid calling selrecord() on a closing pipe

pipe_poll() may add the calling thread to the selinfo lists of both ends
of a pipe. It is ok to do this for the local end, since we know we hold
a reference on the file and so the local end is not closed. It is not
ok to do this for the remote end, which may already be closed and have
called seldrain(). In this scenario, when the polling thread wakes up,
it may end up referencing a freed selinfo.

Guard the selrecord() call appropriately.

Reviewed by: kib
Reported by: syzkaller+KASAN
Differential Revision: https://reviews.freebsd.org/D30016

(cherry picked from commit d1e9441583fd85c7de5f48197d80c287f1a9494b)
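
The ordering described in the commit message, replayed in a single-threaded userspace model. This is an added example, not FreeBSD's code or the committed change; every struct and function name is hypothetical, and the `closing` flag stands in for whatever state the real guard checks.

```c
#include <stdbool.h>
#include <stddef.h>
/* Userspace model; every name here is hypothetical, not FreeBSD's. */
struct waiter { struct sel *recorded[2]; size_t n; };        /* polling thread */
struct sel { struct waiter *w[4]; size_t n; bool drained; }; /* selinfo stand-in */
struct pipe_end { bool closing; struct sel sel; struct pipe_end *peer; };

/* selrecord() analogue: link the waiter and the sel to each other. */
static void sel_record(struct waiter *w, struct sel *s) {
    s->w[s->n++] = w;
    w->recorded[w->n++] = s;
}

/* seldrain() analogue: unlink every waiter; the sel may be freed afterwards. */
static void sel_drain(struct sel *s) {
    for (size_t i = 0; i < s->n; i++) {
        struct waiter *w = s->w[i];
        for (size_t j = 0; j < w->n; j++)
            if (w->recorded[j] == s) { w->recorded[j] = w->recorded[--w->n]; break; }
    }
    s->n = 0; s->drained = true;
}
static void end_close(struct pipe_end *e) { e->closing = true; sel_drain(&e->sel); }

/* Poll path: local end is pinned by the caller's file reference, the peer is not. */
static void end_poll(struct waiter *w, struct pipe_end *local, bool guard) {
    sel_record(w, &local->sel);
    if (!guard || !local->peer->closing)   /* guarded: skip a closing peer */
        sel_record(w, &local->peer->sel);
}

/* Count recorded sels that were already drained when the waiter wakes up. */
static size_t stale_refs(const struct waiter *w) {
    size_t stale = 0;
    for (size_t i = 0; i < w->n; i++)
        stale += w->recorded[i]->drained;
    return stale;
}

/* Replay one ordering: the peer closes either before or after the poll. */
size_t replay(bool guard, bool close_first) {
    struct pipe_end a = {0}, b = {0};
    struct waiter w = {0};
    a.peer = &b; b.peer = &a;
    if (close_first) end_close(&b);
    end_poll(&w, &a, guard);
    if (!close_first) end_close(&b);
    return stale_refs(&w);
}
```

Only the close-then-poll ordering without the guard leaves the waiter holding a reference to a drained entry; a registration made before the close is unlinked by the drain itself.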

Details

Provenance
markj authored on Apr 28 2021, 2:42 PM
Reviewer
kib
Differential Revision
D30016: pipe: Avoid calling selrecord() on a closing pipe
Parents
rGc69775749f2b: getdirentries.2: remove unnecessary space