GNOME Bugzilla – Bug 795193
Race in _kqsub_cancel() leads to a segfault
Last modified: 2018-04-23 19:10:43 UTC
Created attachment 370840
Fix a race in _kqsub_cancel()

The kqueue(2) rewrite committed in aa39a0557c679fc345b0ba72a87c33152eb8ebcd introduced an obvious race reported on bugs@openbsd.org: https://marc.info/?l=openbsd-bugs&m=152331924527698&w=2

The problem is that the current order of operations in _kqsub_cancel() is incorrect. _km_remove() must be called before freeing `sub->deps', otherwise the timeout might modify the list while it is being freed.

While here, we should remove the event from the kqueue(2) and close the file descriptor first, because that is what removes pending events from the queue. Here's what the kevent(2) manual says: "Calling close() on a file descriptor will remove any kevents that reference the descriptor."

The attached patch does that and prevents the segfault reported above. It is also committed in OpenBSD's ports tree.
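The teardown order described in the report, modelled as an added example; this is not GLib's kqueue backend nor the attached patch. The names are assumptions standing in for the backend (kqsub_t, km_add, km_remove, kqsub_cancel, and a "timeout" thread that walks sub->deps under a mutex), and no kqueue(2) calls are used, so it builds on any POSIX system with pthreads; the close() in kqsub_cancel() marks the point where, on kqueue, the kevents referencing the descriptor are dropped per kevent(2). run_demo() registers a subscription with a constructed three-entry deps list, lets the timeout walk it, cancels it in the fixed order, and checks that the timeout never touches the subscription again.

```c
#define _DEFAULT_SOURCE 1          /* usleep() on glibc */
#include <fcntl.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical stand-ins for the backend's objects, not GLib's real types. */
typedef struct dep { const char *path; struct dep *next; } dep_t;
typedef struct kqsub { int fd; dep_t *deps; } kqsub_t;

#define MAX_SUBS 8
typedef struct {
    pthread_mutex_t lock;      /* guards subs[] */
    kqsub_t *subs[MAX_SUBS];   /* everything the timeout can still reach */
    pthread_t thread; atomic_int running;
    atomic_long visits;        /* dep nodes touched by the timeout so far */
} monitor_t;

/* Periodic "timeout": walks the deps of every sub still registered in subs[]. */
static void *timeout_loop(void *arg) {
    monitor_t *m = arg;
    while (atomic_load(&m->running)) {
        pthread_mutex_lock(&m->lock);
        for (int i = 0; i < MAX_SUBS; i++)
            for (dep_t *d = m->subs[i] ? m->subs[i]->deps : NULL; d; d = d->next)
                atomic_fetch_add(&m->visits, 1);
        pthread_mutex_unlock(&m->lock);
        usleep(50);
    }
    return NULL;
}

int monitor_start(monitor_t *m) {
    *m = (monitor_t){ .lock = PTHREAD_MUTEX_INITIALIZER, .running = 1 };
    return pthread_create(&m->thread, NULL, timeout_loop, m);
}

void monitor_stop(monitor_t *m) {
    atomic_store(&m->running, 0);
    pthread_join(m->thread, NULL);
}

int km_add(monitor_t *m, kqsub_t *s) {
    int i = 0;
    pthread_mutex_lock(&m->lock);
    while (i < MAX_SUBS && m->subs[i]) i++;
    if (i < MAX_SUBS) m->subs[i] = s;
    pthread_mutex_unlock(&m->lock);
    return i < MAX_SUBS ? 0 : -1;
}

/* Unlink s; once this returns the timeout can no longer reach s->deps. */
int km_remove(monitor_t *m, kqsub_t *s) {
    int found = 0;
    pthread_mutex_lock(&m->lock);
    for (int i = 0; i < MAX_SUBS; i++)
        if (m->subs[i] == s) { m->subs[i] = NULL; found = 1; }
    pthread_mutex_unlock(&m->lock);
    return found;
}

kqsub_t *kqsub_new(const char **paths, int n) {
    kqsub_t *s = calloc(1, sizeof *s);
    s->fd = open("/dev/null", O_RDONLY);   /* stands in for the watched fd */
    for (int i = n - 1; i >= 0; i--) {
        dep_t *d = calloc(1, sizeof *d);
        d->path = paths[i]; d->next = s->deps; s->deps = d;
    }
    return s;
}

/* The order the patch establishes: close the fd first (on kqueue that drops
 * every kevent referencing it), then km_remove() so the timeout can no longer
 * see this sub, and only then free sub->deps. The buggy version freed deps
 * before unlinking, so a timeout firing in between walked freed memory. */
int kqsub_cancel(monitor_t *m, kqsub_t *s) {
    if (s->fd >= 0) close(s->fd);
    int found = km_remove(m, s);
    for (dep_t *d = s->deps; d; ) { dep_t *n = d->next; free(d); d = n; }
    free(s);
    return found;
}

/* Register a sub, let the timeout run, cancel, verify silence; 0 = success. */
int run_demo(void) {
    monitor_t m;
    const char *paths[] = { "a.txt", "b.txt", "c.txt" };   /* constructed */
    if (monitor_start(&m) != 0) return 1;
    kqsub_t *s = kqsub_new(paths, 3);
    if (km_add(&m, s) != 0) { monitor_stop(&m); return 2; }
    usleep(2000);                                   /* let the timeout run */
    int found = kqsub_cancel(&m, s);
    long after = atomic_load(&m.visits);
    usleep(2000);                                   /* timeout still runs... */
    int quiet = atomic_load(&m.visits) == after;    /* ...but cannot see s */
    monitor_stop(&m);
    return (found == 1 && quiet) ? 0 : 3;
}
int main(void) { return run_demo(); }
```

The check in run_demo() works because the timeout holds the mutex for a whole pass: once km_remove() returns, no pass is mid-walk over this sub and no later pass can find it, so visits stays constant. Moving the free loop in kqsub_cancel() above the km_remove() call reproduces the original ordering: the list is gone while the sub is still registered, and any pass that lands in that window dereferences freed nodes, which is the use-after-free behind the reported segfault.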
I can confirm this fixes the segfault I've been seeing on OpenBSD. Thanks Martin. Can we get an OK^LGTM for pushing this? Thanks :-)
Review of attachment 370840: Sure. Thanks for reviewing and testing it.
Pushed to master.
git-bz is not behaving. Pushed as: ab179184b (HEAD -> master, origin/master, origin/HEAD) Reorder operations in _kqsub_cancel() to prevent races.