When a process has been waiting on a condition variable or mutex the

td_wmesg field in the thread structure points to the description string of the condition variable or mutex. If the condvar or the mutex had been initialized from a loadable module that was unloaded in the meantime, td_wmesg may now point to invalid memory. Retrieving the process table now may panic the kernel (or access junk). Setting the td_wmesg field to NULL after unblocking on the condvar/mutex prevents this panic. PR: kern/47408 Approved by: jake (mentor)
2003-02-27 08:43:27 +00:00 · 2003-02-27 08:43:27 +00:00 · b89bc9e62b
commit b89bc9e62b
parent 04a2863cfd
2 changed files with 3 additions and 0 deletions
--- a/sys/kern/kern_condvar.c
+++ b/sys/kern/kern_condvar.c
@ -535,6 +535,7 @@ cv_waitq_remove(struct thread *td)
 	if ((cvp = td->td_wchan) != NULL && td->td_flags & TDF_CVWAITQ) {
 		TAILQ_REMOVE(&cvp->cv_waitq, td, td_slpq);
 		td->td_flags &= ~TDF_CVWAITQ;
+		td->td_wmesg = NULL;
 		TD_CLR_ON_SLEEPQ(td);
 	}
 }
--- a/sys/kern/kern_synch.c
+++ b/sys/kern/kern_synch.c
@ -330,6 +330,7 @@ endtsleep(arg)
 		TAILQ_REMOVE(&slpque[LOOKUP(td->td_wchan)], td, td_slpq);
 		TD_CLR_ON_SLEEPQ(td);
 		td->td_flags |= TDF_TIMEOUT;
+		td->td_wmesg = NULL;
 	} else {
 		td->td_flags |= TDF_TIMOFAIL;
 	}
@ -374,6 +375,7 @@ unsleep(struct thread *td)
 	if (TD_ON_SLEEPQ(td)) {
 		TAILQ_REMOVE(&slpque[LOOKUP(td->td_wchan)], td, td_slpq);
 		TD_CLR_ON_SLEEPQ(td);
+		td->td_wmesg = NULL;
 	}
 	mtx_unlock_spin(&sched_lock);
 }