Source-Changes archive


CVS commit: src/sys/kern



Module Name:    src
Committed By:   thorpej
Date:           Tue Jul 19 01:03:05 UTC 2022

Modified Files:
        src/sys/kern: kern_event.c

Log Message:
Fix a problem whereby detaching a device that has open kevent
registrations can result in a UAF: When a device detaches, it
calls seldestroy(), which calls knote_fini(), and when that
returns, the softc that contained the selinfo and klist are freed.
However, any knotes that were registered still linger on with the
kq descriptor they were associated with, and when the file
descriptors close, those knotes will be f_detach'd, which will
call into the driver instance that no longer exists.

Address this problem by adding a "foplock" mutex to the knote.
This foplock must be held when calling into filter_attach(),
filter_detach(), and filter_event() (XXX not filter_touch();
see code for details).  Now, in klist_fini(), for each knote
that is on the klist that's about to be blown away, acquire
the foplock, replace the knote's filterops with a do-nothing
stub, and release the foplock.

The end result is that:
==> The foplock ensures that calls into filter_*() will get EITHER
    the real backing object's filterops OR the nop stubs.
==> Holding the foplock across the filter_*() calls ensures that
    klist_fini() will not complete until there are no callers inside
    the filterops that are about to be blown away.

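A userland C model of the mechanism the log message describes, added here and not taken from the commit or the NetBSD tree: the struct and function names mirror the kernel's but are simplified stand-ins, and the foplock mutex is modelled as a single-threaded held flag that asserts against re-entry.

```c
#include <assert.h>
#include <stdlib.h>
/* Userland model of the fix (not the NetBSD source): a per-knote "foplock"
 * guards every call through kn_fop, and klist_fini() swaps in no-op stubs
 * under that lock before the driver softc is freed. */
struct knote;
struct filterops { int (*f_event)(struct knote *, long); void (*f_detach)(struct knote *); };
struct knote {
    int foplock;                    /* stand-in for the mutex: 1 while held */
    const struct filterops *kn_fop;
    void *kn_hook; struct knote *kn_next;   /* driver softc (dangles after detach); klist link */
};
struct softc { int ready; int nattached; struct knote *klist; };
static void foplock_acquire(struct knote *kn) { assert(kn->foplock == 0); kn->foplock = 1; }
static void foplock_release(struct knote *kn) { assert(kn->foplock == 1); kn->foplock = 0; }
/* The driver's real filterops dereference the softc through kn_hook. */
static int drv_event(struct knote *kn, long hint) { (void)hint; return ((struct softc *)kn->kn_hook)->ready; }
static void drv_detach(struct knote *kn) { ((struct softc *)kn->kn_hook)->nattached--; }
static const struct filterops drv_filtops = { drv_event, drv_detach };
/* Stubs installed by klist_fini(): never touch kn_hook, so safe after the free. */
static int nop_event(struct knote *kn, long hint) { (void)kn; (void)hint; return 0; }
static void nop_detach(struct knote *kn) { (void)kn; }
static const struct filterops nop_filtops = { nop_event, nop_detach };
/* All calls into the filterops go under the foplock, so a caller inside
 * f_event/f_detach holds off klist_fini() until it returns. */
static int filter_event(struct knote *kn, long hint) {
    foplock_acquire(kn); int rv = kn->kn_fop->f_event(kn, hint); foplock_release(kn); return rv;
}
static void filter_detach(struct knote *kn) {
    foplock_acquire(kn); kn->kn_fop->f_detach(kn); foplock_release(kn);
}
/* Run by the detaching driver (seldestroy -> knote_fini) before the softc is
 * freed: every knote still on the klist gets the nop stubs under its foplock. */
static void klist_fini(struct knote *klist) {
    for (struct knote *kn = klist; kn != NULL; kn = kn->kn_next) {
        foplock_acquire(kn); kn->kn_fop = &nop_filtops; foplock_release(kn);
    }
}
/* Scenario: register a knote, optionally detach the driver and free its softc,
 * then poll (f_event) and close (f_detach) the lingering knote. Returns the
 * f_event result: 1 while the driver is live, 0 once it has been stubbed. */
static int poll_knote(int detach_driver) {
    struct softc *sc = calloc(1, sizeof *sc);
    struct knote kn = { 0, &drv_filtops, sc, NULL };
    sc->ready = 1; sc->nattached = 1; sc->klist = &kn;
    if (detach_driver) { klist_fini(sc->klist); free(sc); sc = NULL; }
    int rv = filter_event(&kn, 0);  /* a UAF here without the stubs */
    filter_detach(&kn);             /* the kq descriptor closing later */
    if (sc != NULL) free(sc);
    return rv;
}
```

With the driver still attached the knote reaches the real filterops; after klist_fini() and the free, the same knote is routed to the stubs and never touches the dead softc.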

To generate a diff of this commit:
cvs rdiff -u -r1.144 -r1.145 src/sys/kern/kern_event.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



