Now
MAIN commitmail json YAML
autoconf(9): Avoid potential ABA bug in config_makeroom.
When we unlock alldevs_lock to allocate a new cd_devs array nsp,
other threads may have:
1. freed the old one (osp),
2. done some other memory allocation,
3. allocated a new _larger_ array whose address happens to concide
with osp (e.g., in (2) the page was recycled for a different pool
cache), and
4. updated cd_devs back to osp but increased cd_ndevs.
In that case, the memory may be corrupted: we try to copy the wrong
number of device_t pointers into nsp and we free osp with the wrong
(stale) length.
Avoid this by checking whether cd_ndevs has changed too -- if not,
osp might have been recycled but at least the lengths we're about to
copy and free are still correct so there's no harm in an ABA
situation.
XXX pullup-8
XXX pullup-9
XXX pullup-10
When we unlock alldevs_lock to allocate a new cd_devs array nsp,
other threads may have:
1. freed the old one (osp),
2. done some other memory allocation,
3. allocated a new _larger_ array whose address happens to concide
with osp (e.g., in (2) the page was recycled for a different pool
cache), and
4. updated cd_devs back to osp but increased cd_ndevs.
In that case, the memory may be corrupted: we try to copy the wrong
number of device_t pointers into nsp and we free osp with the wrong
(stale) length.
Avoid this by checking whether cd_ndevs has changed too -- if not,
osp might have been recycled but at least the lengths we're about to
copy and free are still correct so there's no harm in an ABA
situation.
XXX pullup-8
XXX pullup-9
XXX pullup-10