refcount: add missing release fence to refcount_release_if_gt

The CPU succeeding in releasing the not last reference can still have pending stores to the object protected by the affected counter. This opens a time window where another CPU can release the last reference and free the object, resulting in use-after-free. On top of that this prevents the compiler from generating more accesses to the object regardless of how atomic_fcmpset_rel_int is implemented (of course as long as it provides the release semantic). Reviewed by: markj
2020-02-16 03:14:55 +00:00 · 2020-02-16 03:14:55 +00:00 · 890611286e
commit 890611286e
parent 6d88d784f8
1 changed files with 1 additions and 1 deletions
--- a/sys/sys/refcount.h
+++ b/sys/sys/refcount.h
@ -198,7 +198,7 @@ refcount_release_if_gt(volatile u_int *count, u_int n)
 			return (false);
 		if (__predict_false(REFCOUNT_SATURATED(old)))
 			return (true);
-		if (atomic_fcmpset_int(count, &old, old - 1))
+		if (atomic_fcmpset_rel_int(count, &old, old - 1))
 			return (true);
 	}
 }