Defer funsetown() calls for a TTY to tty_rel_free().

We were otherwise failing to call funsetown() for some descriptors associated with a tty, such as pts descriptors. Then, if the descriptor is closed before the owner exits, we may get memory corruption. Reported by: syzbot+c9b6206303bf47bac87e@syzkaller.appspotmail.com Reviewed by: ed MFC after: 3 days Sponsored by: The FreeBSD Foundation
svn path=/head/; revision=349733
2019-07-04 15:42:02 +00:00 · 2019-07-04 15:42:02 +00:00 · 6a01874c5a · 2020-12-20 02:59:44 +00:00
commit 6a01874c5a
parent 17f1623d42
1 changed files with 3 additions and 3 deletions
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@ -238,9 +238,6 @@ ttydev_leave(struct tty *tp)

 	tp->t_flags |= TF_OPENCLOSE;

-	/* Stop asynchronous I/O. */
-	funsetown(&tp->t_sigio);
-
 	/* Remove console TTY. */
 	if (constty == tp)
 		constty_clear();
@ -1134,6 +1131,9 @@ tty_rel_free(struct tty *tp)
 		return;
 	}

+	/* Stop asynchronous I/O. */
+	funsetown(&tp->t_sigio);
+
 	/* TTY can be deallocated. */
 	dev = tp->t_dev;
 	tp->t_dev = NULL;