tech-kern archive


NULL deref when creating an IDLE kthread(9)



Dear kernel gurus,

When creating an IDLE kthread without having a CPU specified, the actual code in kthread_create(9) will lead to a NULL deref [1].

My knowledge about the kthread machinery being very limited, I am not sure that the patch below is right.

As lwp_create() spawns LSIDL LWPs by default, I suppose that requesting a new IDLE kthread can end up in the following two cases:

- if CPU is explicitly set, lwp_unlock_to() the mutex protecting the running LWPs of the targeted CPU, else

- if CPU is NULL, just unlock the LWP without touching its l_stat.

Comments?

[1] http://nxr.netbsd.org/xref/src/sys/kern/kern_kthread.c#143

Index: kern_kthread.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_kthread.c,v
retrieving revision 1.37
diff -u -p -r1.37 kern_kthread.c
--- kern_kthread.c      29 Oct 2011 20:11:08 -0000      1.37
+++ kern_kthread.c      29 Oct 2011 21:32:03 -0000
@@ -140,8 +140,12 @@ kthread_create(pri_t pri, int flag, stru
                l->l_stat = LSRUN;
                sched_enqueue(l, false);
                lwp_unlock(l);
-       } else
-               lwp_unlock_to(l, ci->ci_schedstate.spc_lwplock);
+       } else {
+               if (ci != NULL)
+                       lwp_unlock_to(l, ci->ci_schedstate.spc_lwplock);
+               else
+                       lwp_unlock(l);
+       }
        mutex_exit(proc0.p_lock);

        /* All done! */
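Review bot: in the new `else` branch, when `ci == NULL` the LWP is released with `lwp_unlock(l)` while still LSIDL and is never passed to `sched_enqueue()`, so the kthread is created but nothing will ever run it. If an IDLE kthread with no CPU is not a legitimate request, a `KASSERT(ci != NULL)` in that branch would turn the silent orphan into a clear failure; if it is legitimate, the branch deserves a comment saying who is expected to bind and schedule that LWP later. Minor style point: the nested `if (ci != NULL)` inside the new `else {` block could be flattened into an `else if (ci != NULL)` / `else` chain.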


--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost
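The three cases the post distinguishes (runnable kthread, IDLE kthread bound to a CPU, IDLE kthread with no CPU) can be exercised outside the kernel with a small model of the tail of kthread_create(). This is an added example, not NetBSD source: the lock, LWP and CPU types are stand-ins, lwp_unlock_to() is modelled as "swap the LWP's lock pointer to the new mutex, then release the old one", sched_enqueue() is a run-queue counter, and the KTHREAD_IDLE value is assumed. It makes visible what the patch leaves implicit: with the fix, an IDLE kthread created without a CPU ends up unlocked but still LSIDL and on no run queue.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userland model of the tail of kthread_create(9) as patched.
 * Added example, not NetBSD code: locks are counters, sched_enqueue() only
 * counts, lwp_unlock_to() is a simplified model of the real primitive. */

enum { LSIDL = 1, LSRUN = 2 };
#define KTHREAD_IDLE 0x01          /* assumed flag value for this model */

typedef struct { int held; } kmutex_t;

struct cpu_info {
    struct { kmutex_t spc_lwplock; int nrunnable; } ci_schedstate;
};

struct lwp {
    int l_stat;
    kmutex_t *l_mutex;             /* lock currently protecting this LWP */
    struct cpu_info *l_cpu;        /* CPU whose run queue sched_enqueue() uses */
};

static void mutex_enter(kmutex_t *m) { m->held++; }
static void mutex_exit(kmutex_t *m)  { m->held--; }

static void lwp_unlock(struct lwp *l) { mutex_exit(l->l_mutex); }

/* Model of lwp_unlock_to(): hand the LWP to a new lock, drop the old one. */
static void lwp_unlock_to(struct lwp *l, kmutex_t *new)
{
    kmutex_t *old = l->l_mutex;
    l->l_mutex = new;
    mutex_exit(old);
}

static void sched_enqueue(struct lwp *l)
{
    l->l_cpu->ci_schedstate.nrunnable++;
}

/* Model of lwp_create(): a fresh LWP is LSIDL, locked, and bound to 'home'. */
static void lwp_create_model(struct lwp *l, kmutex_t *lock, struct cpu_info *home)
{
    l->l_stat = LSIDL;
    l->l_mutex = lock;
    l->l_cpu = home;
    mutex_enter(lock);
}

/* The branch from the patch. Returns the resulting l_stat. With fixed == false
 * the pre-patch code is modelled; for ci == NULL it would dereference ci, which
 * this model reports as -1 instead of crashing. */
static int kthread_create_tail(struct lwp *l, int flag, struct cpu_info *ci, bool fixed)
{
    if ((flag & KTHREAD_IDLE) == 0) {
        l->l_stat = LSRUN;
        sched_enqueue(l);
        lwp_unlock(l);
    } else if (!fixed) {
        if (ci == NULL)
            return -1;             /* ci->ci_schedstate: the NULL deref */
        lwp_unlock_to(l, &ci->ci_schedstate.spc_lwplock);
    } else {
        if (ci != NULL)
            lwp_unlock_to(l, &ci->ci_schedstate.spc_lwplock);
        else
            lwp_unlock(l);         /* stays LSIDL, never enqueued */
    }
    return l->l_stat;
}

/* Drive one scenario and report the lock and run-queue bookkeeping afterwards. */
struct outcome { int stat; int held; int nrunnable; bool on_cpu_lock; };

static struct outcome run_case(int flag, bool give_cpu, bool fixed)
{
    static kmutex_t create_lock;
    struct cpu_info cpu = {0};
    struct lwp l;
    struct outcome o;

    create_lock.held = 0;
    lwp_create_model(&l, &create_lock, &cpu);
    o.stat = kthread_create_tail(&l, flag, give_cpu ? &cpu : NULL, fixed);
    o.held = create_lock.held + cpu.ci_schedstate.spc_lwplock.held;
    o.nrunnable = cpu.ci_schedstate.nrunnable;
    o.on_cpu_lock = (l.l_mutex == &cpu.ci_schedstate.spc_lwplock);
    return o;
}

int main(void)
{
    struct outcome o = run_case(KTHREAD_IDLE, false, true);
    printf("IDLE kthread, no CPU, patched: l_stat=%d locks held=%d runnable=%d\n",
           o.stat, o.held, o.nrunnable);
    return 0;
}
```

The interesting row is the last one: after the patched path with ci == NULL every lock is released, but the LWP is neither LSRUN nor on any run queue, which is the state the reviewer of the patch needs to decide is acceptable.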

