Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/kern when updating the per-uid "semcnt", decrement the c...



details:   https://anonhg.NetBSD.org/src/rev/940f40cc5cc3
branches:  trunk
changeset: 957908:940f40cc5cc3
user:      chs <chs%NetBSD.org@localhost>
date:      Mon Dec 14 23:12:12 2020 +0000

description:
when updating the per-uid "semcnt", decrement the counter for the uid
that created the ksem, not the uid of the process freeing the ksem.
fixes PR 55509.

Reported-by: syzbot+9d04b3ef2ca180ef9b06%syzkaller.appspotmail.com@localhost

diffstat:

 sys/kern/uipc_sem.c |  15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

diffs (58 lines):

diff -r 1d06506666c6 -r 940f40cc5cc3 sys/kern/uipc_sem.c
--- a/sys/kern/uipc_sem.c       Mon Dec 14 22:17:11 2020 +0000
+++ b/sys/kern/uipc_sem.c       Mon Dec 14 23:12:12 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uipc_sem.c,v 1.59 2020/05/04 13:58:48 riastradh Exp $  */
+/*     $NetBSD: uipc_sem.c,v 1.60 2020/12/14 23:12:12 chs Exp $        */
 
 /*-
  * Copyright (c) 2011, 2019 The NetBSD Foundation, Inc.
@@ -60,7 +60,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_sem.c,v 1.59 2020/05/04 13:58:48 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_sem.c,v 1.60 2020/12/14 23:12:12 chs Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -469,8 +469,6 @@
                len = 0;
        }
 
-       chgsemcnt(kauth_cred_getuid(l->l_cred), 1);
-
        ks = kmem_zalloc(sizeof(ksem_t), KM_SLEEP);
        mutex_init(&ks->ks_lock, MUTEX_DEFAULT, IPL_NONE);
        cv_init(&ks->ks_cv, "psem");
@@ -483,8 +481,9 @@
        uc = l->l_cred;
        ks->ks_uid = kauth_cred_geteuid(uc);
        ks->ks_gid = kauth_cred_getegid(uc);
+       chgsemcnt(ks->ks_uid, 1);
+       atomic_inc_uint(&nsems_total);
 
-       atomic_inc_uint(&nsems_total);
        *ksret = ks;
        return 0;
 }
@@ -495,6 +494,9 @@
 
        KASSERT(!cv_has_waiters(&ks->ks_cv));
 
+       chgsemcnt(ks->ks_uid, -1);
+       atomic_dec_uint(&nsems_total);
+
        if (ks->ks_pshared_id) {
                KASSERT(ks->ks_pshared_proc == NULL);
                ksem_remove_pshared(ks);
@@ -506,9 +508,6 @@
        mutex_destroy(&ks->ks_lock);
        cv_destroy(&ks->ks_cv);
        kmem_free(ks, sizeof(ksem_t));
-
-       atomic_dec_uint(&nsems_total);
-       chgsemcnt(kauth_cred_getuid(curproc->p_cred), -1);
 }
 
 #define        KSEM_ID_IS_PSHARED(id)          \



Home | Main Index | Thread Index | Old Index