kthread: Set *newtdp earlier in kthread_add1()

Description

kthread: Set *newtdp earlier in kthread_add1()

syzbot reported a single boot-time crash in g_event_procbody(), a page
fault when dereferencing g_event_td. g_event_td is initialized by the
kproc_kthread_add() call which creates the GEOM event thread:

kproc_kthread_add(g_event_procbody, NULL, &g_proc, &g_event_td,
    RFHIGHPID, 0, "geom", "g_event");

I believe that the caller of kproc_kthread_add() was preempted after
adding the new thread to the scheduler, and before setting *newtdp,
which is equal to g_event_td. Thus, since the first action of the GEOM
event thread is to lock itself, it ended up dereferencing a NULL
pointer.

Fix the problem simply by initializing *newtdp earlier. I see no harm
in that, and it matches kproc_create1(). The scheduler provides
sufficient synchronization to ensure that the store is visible to the
new thread, wherever it happens to run.

Reported by: syzbot+5397f4d39219b85a9409@syzkaller.appspotmail.com
Reviewed by: kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D42986

(cherry picked from commit ae77041e0714627f9ec8045ca9ee2b6ea563138e)
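The ordering problem the commit message describes can be reproduced outside the kernel. The following is an added example, not code from the FreeBSD tree or from this commit: POSIX threads stand in for the scheduler, a struct named kthread_model stands in for the caller's *newtdp/g_event_td pair, and a hypothetical wait_for_body() handshake forces the creator to pause between making the thread runnable and publishing the pointer, which is the preemption window syzbot happened to hit. kthread_add_buggy() publishes after the thread is runnable, as the old kthread_add1() did; kthread_add_fixed() publishes first. All names are assumptions for illustration.

```c
/*
 * Added example (not FreeBSD code): userspace model of the kthread_add1()
 * ordering bug. pthreads play the scheduler; the handshake below makes the
 * preemption window deterministic instead of relying on timing.
 */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

struct td {
    pthread_t thread;
};

struct kthread_model {
    struct td *g_event_td;   /* the global the new thread reads, i.e. *newtdp */
    struct td newtd;         /* the thread object being created */
    int saw_null;            /* 1 if the new thread observed g_event_td == NULL */
    int body_ran;            /* handshake: set once the body has done its read */
    pthread_mutex_t mtx;
    pthread_cond_t cv;
};

/* Like g_event_procbody(), the body's first action is to look at the global
 * that is supposed to point at itself. */
static void *procbody(void *arg)
{
    struct kthread_model *m = arg;
    struct td *td = m->g_event_td;   /* the read that faulted in the report */

    pthread_mutex_lock(&m->mtx);
    m->saw_null = (td == NULL);
    m->body_ran = 1;
    pthread_cond_signal(&m->cv);
    pthread_mutex_unlock(&m->mtx);
    return NULL;
}

/* Block the creator until the new thread has done its first read; this is
 * the "preempted after adding the thread to the scheduler" step, forced. */
static void wait_for_body(struct kthread_model *m)
{
    pthread_mutex_lock(&m->mtx);
    while (!m->body_ran)
        pthread_cond_wait(&m->cv, &m->mtx);
    pthread_mutex_unlock(&m->mtx);
}

static void model_init(struct kthread_model *m)
{
    m->g_event_td = NULL;
    m->saw_null = 0;
    m->body_ran = 0;
    pthread_mutex_init(&m->mtx, NULL);
    pthread_cond_init(&m->cv, NULL);
}

static void model_fini(struct kthread_model *m)
{
    pthread_join(m->newtd.thread, NULL);
    pthread_cond_destroy(&m->cv);
    pthread_mutex_destroy(&m->mtx);
}

/* Old order: make the thread runnable first, store *newtdp afterwards. */
int kthread_add_buggy(void)
{
    struct kthread_model m;

    model_init(&m);
    pthread_create(&m.newtd.thread, NULL, procbody, &m);  /* now runnable */
    wait_for_body(&m);                                    /* creator preempted */
    m.g_event_td = &m.newtd;                              /* *newtdp set too late */
    model_fini(&m);
    return m.saw_null;
}

/* Fixed order: store *newtdp before the thread can run; pthread_create()
 * (like the scheduler) orders the store before the body's read. */
int kthread_add_fixed(void)
{
    struct kthread_model m;

    model_init(&m);
    m.g_event_td = &m.newtd;                              /* *newtdp set first */
    pthread_create(&m.newtd.thread, NULL, procbody, &m);
    wait_for_body(&m);
    model_fini(&m);
    return m.saw_null;
}

int main(void)
{
    printf("old order: new thread saw NULL = %d\n", kthread_add_buggy());
    printf("new order: new thread saw NULL = %d\n", kthread_add_fixed());
    return 0;
}
```

In the real kernel the body does not merely read the pointer, it locks the thread it points at, so the NULL read becomes the page fault in the report. The model keeps the synchronization the commit relies on: the pointer is written before the step that makes the thread runnable, so no extra barrier is needed on the reader's side.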

Details

Provenance: markj, authored on Dec 9 2023, 3:22 PM
Reviewer: kib
Differential Revision: D42986: kthread: Set *newtdp earlier in kthread_add1()
Parents: rGc92ac2c311c6: netlink: fix snl_writer and linear_buffer re-allocation logic
Branches: Unknown
Tags: Unknown