proc: fix refcounting bug in proc_get_set()
author: Barret Rhoden <brho@cs.berkeley.edu>
Fri, 17 May 2019 03:03:11 +0000 (23:03 -0400)
committer: Barret Rhoden <brho@cs.berkeley.edu>
Fri, 17 May 2019 03:03:11 +0000 (23:03 -0400)
You can't blindly incref when iterating over the procs.  You need to
hold the hash lock, then call kref_get_not_zero.  You're synchronizing
with __proc_free().

Reported-by: syzbot+4ea9ed2220ee4d513e0b@syzkaller.appspotmail.com
Signed-off-by: Barret Rhoden <brho@cs.berkeley.edu>
kern/src/process.c

index 3e4398d..4531acb 100644
@@ -2429,7 +2429,8 @@ void proc_get_set(struct process_set *pset)
                struct process_set *pset = (struct process_set *) opaque;
 
                if (pset->num_processes < pset->size) {
                struct process_set *pset = (struct process_set *) opaque;
 
                if (pset->num_processes < pset->size) {
-                       proc_incref(p, 1);
+                       if (!kref_get_not_zero(&p->p_kref, 1))
+                               return;
 
                        pset->procs[pset->num_processes] = p;
                        pset->num_processes++;
 
                        pset->procs[pset->num_processes] = p;
                        pset->num_processes++;
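Review bot: the hunk relies on an invariant that is stated only in the commit message, namely that this callback runs with the process hash lock held so that `kref_get_not_zero()` cannot race with `__proc_free()` tearing the process down; nothing in the visible lines documents that, so a future caller of `proc_get_set()` could drop the lock without noticing. Suggest a one-line comment above `if (!kref_get_not_zero(&p->p_kref, 1))` stating that the hash lock must be held and that a zero refcount means the process is already being freed and is intentionally skipped, and, if the kernel has a lock-held assertion helper, an assertion there as well. The early `return` itself is correct: the slot in `pset->procs` is only written and `num_processes` only incremented after the reference is acquired, so a dying process never ends up in the set with no reference backing it.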