racing with the kernel

Mark Heily

Apr 25, 2011, 9:00:58 PM
to libk...@googlegroups.com
On all platforms, the address of each knote object is passed back and forth
from the kernel. This means that there is a race condition between userspace
and the kernel whenever a knote object is freed. Here is the basic problem
illustrated using a timer:

USERSPACE KERNEL
------------------------------------------
1. kevent(EV_ADD, ...)
2. kn = knote_new()
3. start kernel timer
4. kernel timer fires
5. kevent(EV_DELETE, ...)
6. knote_free(&kn)
7. notify userspace
8. kevent_copyout(&kn)

This could cause a use-after-free bug in userspace. To avoid this problem,
I'm going to:

1) implement proper locking and reference counting for the knote
structure; and

2) set a knote flag named KNOTE_DELETED when a knote is deleted
(primarily via EV_DELETE); and

3) after acquiring the knote lock, verify that the KNOTE_DELETED flag
is not set.

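The three-part fix described in the post (reference counting, a KNOTE_DELETED flag set on EV_DELETE, and a lock-then-check before the copyout) is modelled below as a self-contained C example. This is an added illustration, not code from the original post or from libkqueue; the struct layout, the function names knote_retain/knote_release/timer_start, the spinlock built on atomic_flag, and the two scenario functions are all assumptions made for this example. The interesting scenario is the one in the post's table: the timer path already holds a pointer to the knote when EV_DELETE arrives, so the delete must not be allowed to free the memory out from under it.

```c
/* Model of the knote lifetime race from the post and of the proposed fix
 * (refcount + KNOTE_DELETED flag + lock-then-check). Added example; not
 * libkqueue code. The single-threaded "race" is replayed in the order of
 * the post's table; a real implementation would use a mutex, not a spinlock. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define KNOTE_DELETED 0x1          /* set by EV_DELETE, checked before copyout */

struct knote {
    atomic_flag lock;              /* the "knote lock" from the post */
    atomic_int  refcount;          /* one reference per holder of the pointer */
    unsigned    flags;             /* KNOTE_DELETED lives here */
    int         ident;             /* the identifier handed back to the caller */
};

/* Instrumentation for the example only. */
static int knotes_freed;
static int events_delivered;

static void knote_lock(struct knote *kn)   { while (atomic_flag_test_and_set(&kn->lock)) {} }
static void knote_unlock(struct knote *kn) { atomic_flag_clear(&kn->lock); }

/* Step 2: the knote is created with one reference, owned by the filter's list. */
static struct knote *knote_new(int ident) {
    struct knote *kn = calloc(1, sizeof *kn);
    if (kn == NULL) abort();
    atomic_flag_clear(&kn->lock);
    atomic_init(&kn->refcount, 1);
    kn->ident = ident;
    return kn;
}

static void knote_retain(struct knote *kn) { atomic_fetch_add(&kn->refcount, 1); }

/* Memory is released only when the last holder lets go; this is what makes
 * knote_free() in the post's step 6 safe while step 8 is still pending. */
static void knote_release(struct knote *kn) {
    if (atomic_fetch_sub(&kn->refcount, 1) == 1) {
        knotes_freed++;
        free(kn);
    }
}

/* Step 3: handing the knote pointer to the timer path takes its own reference. */
static struct knote *timer_start(struct knote *kn) {
    knote_retain(kn);
    return kn;
}

/* Steps 5-6: EV_DELETE. Mark the knote deleted under the lock, then drop the
 * list's reference. The object stays allocated while the timer path holds one. */
static void kevent_delete(struct knote *kn) {
    knote_lock(kn);
    kn->flags |= KNOTE_DELETED;
    knote_unlock(kn);
    knote_release(kn);
}

/* Steps 7-8: the timer fired and the event is copied out. Take the lock,
 * refuse to deliver a deleted knote, then drop the timer path's reference. */
static bool kevent_copyout(struct knote *kn, int *out_ident) {
    bool delivered = false;
    knote_lock(kn);
    if (!(kn->flags & KNOTE_DELETED)) {
        *out_ident = kn->ident;
        delivered = true;
        events_delivered++;
    }
    knote_unlock(kn);
    knote_release(kn);
    return delivered;
}

/* The sequence from the post's table: EV_DELETE lands after the timer fired
 * but before the copyout. Returns 1 if an event was delivered, 0 otherwise;
 * *freed reports how many times the knote was freed (must be exactly 1). */
static int race_delete_then_copyout(int *freed) {
    knotes_freed = 0;
    events_delivered = 0;
    struct knote *kn = knote_new(42);             /* 1-2: EV_ADD          */
    struct knote *pending = timer_start(kn);      /* 3-4: timer armed/fired */
    kevent_delete(kn);                            /* 5-6: EV_DELETE        */
    int ident = -1;
    bool delivered = kevent_copyout(pending, &ident); /* 7-8: sees KNOTE_DELETED */
    *freed = knotes_freed;
    return delivered ? 1 : 0;
}

/* The benign ordering for comparison: copyout completes before EV_DELETE. */
static int normal_copyout_then_delete(int *freed) {
    knotes_freed = 0;
    events_delivered = 0;
    struct knote *kn = knote_new(42);
    struct knote *pending = timer_start(kn);
    int ident = -1;
    bool delivered = kevent_copyout(pending, &ident) && ident == 42;
    kevent_delete(kn);
    *freed = knotes_freed;
    return delivered ? 1 : 0;
}

int main(void) {
    int freed;
    printf("race:   delivered=%d freed=%d\n", race_delete_then_copyout(&freed), freed);
    printf("normal: delivered=%d freed=%d\n", normal_copyout_then_delete(&freed), freed);
    return 0;
}
```

In the racy ordering the copyout never touches freed memory: EV_DELETE only marks the knote and drops one reference, and the last reference (held by the timer path) is what actually frees it, after the KNOTE_DELETED check has suppressed delivery. The check for the flag must happen after the lock is acquired, exactly as the post's point 3 says; checking it before taking the lock would reopen the window.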