[dahdi-commits] fjoe: freebsd/trunk r8860 - /freebsd/trunk/drivers/dahdi/dahdi-base.c

SVN commits to the DAHDI project dahdi-commits at lists.digium.com
Tue Jul 6 16:12:04 CDT 2010


Author: fjoe
Date: Tue Jul  6 16:12:01 2010
New Revision: 8860

URL: http://svnview.digium.com/svn/dahdi?view=rev&rev=8860
Log:
Fix use of free'd memory by kern_poll() and friends after dahdi_free_pseudo() call:
'struct dahdi_chan' includes 'struct selinfo' which should not be free'd because
current thread can still have references to it after selrecord() call.

Modified:
    freebsd/trunk/drivers/dahdi/dahdi-base.c

Modified: freebsd/trunk/drivers/dahdi/dahdi-base.c
URL: http://svnview.digium.com/svn/dahdi/freebsd/trunk/drivers/dahdi/dahdi-base.c?view=diff&rev=8860&r1=8859&r2=8860
==============================================================================
--- freebsd/trunk/drivers/dahdi/dahdi-base.c (original)
+++ freebsd/trunk/drivers/dahdi/dahdi-base.c Tue Jul  6 16:12:01 2010
@@ -47,7 +47,6 @@
 #include <sys/module.h>
 #include <sys/poll.h>
 #include <net/ppp_defs.h>
-#include <sys/selinfo.h>
 
 #include "version.h"
 
@@ -358,6 +357,52 @@
 dahdi_copy_from_user(void *to, const void *from, int n)
 {
 	return copyin(from, to, n);
+}
+
+struct pseudo_free {
+	LIST_ENTRY(pseudo_free) pf_link;
+	struct dahdi_chan *pf_pseudo;
+	struct thread *pf_thread;
+};
+
+static DEFINE_SPINLOCK(pseudo_free_list_lock);
+
+static LIST_HEAD(, pseudo_free) pseudo_free_list =
+	LIST_HEAD_INITIALIZER(pseudo_free_list);
+
+static void
+free_pseudo(struct dahdi_chan *pseudo)
+{
+	unsigned long flags;
+	struct pseudo_free *pf;
+
+	pf = kmalloc(sizeof(*pf), GFP_KERNEL);
+	pf->pf_pseudo = pseudo;
+	pf->pf_thread = curthread;
+
+	spin_lock_irqsave(&pseudo_free_list_lock, flags);
+	LIST_INSERT_HEAD(&pseudo_free_list, pf, pf_link);
+	spin_unlock_irqrestore(&pseudo_free_list_lock, flags);
+}
+
+static eventhandler_tag free_pseudo_tag;
+
+static void
+thread_dtor_free_pseudo(void *arg, struct thread *td)
+{
+	unsigned long flags;
+	struct pseudo_free *pf, *pf_next;
+
+	spin_lock_irqsave(&pseudo_free_list_lock, flags);
+	LIST_FOREACH_SAFE(pf, &pseudo_free_list, pf_link, pf_next) {
+		if (pf->pf_thread != td)
+			continue;
+
+		LIST_REMOVE(pf, pf_link);
+		kfree(pf->pf_pseudo);
+		kfree(pf);
+	}
+	spin_unlock_irqrestore(&pseudo_free_list_lock, flags);
 }
 
 #else /* !__FreeBSD__ */
@@ -3146,7 +3191,11 @@
 {
 	if (pseudo) {
 		dahdi_chan_unreg(pseudo);
+#if defined(__FreeBSD__)
+		free_pseudo(pseudo);
+#else
 		kfree(pseudo);
+#endif
 	}
 }
 
@@ -5711,7 +5760,6 @@
 		int fflags = dahdi_get_flags(file->dev);
 
 		get_user(j, data);
-		printf("F_SETFL: 0x%x\n", j);
 
 		/*
 		 * XXX: On the moment we're interested only in O_NONBLOCK
@@ -9160,6 +9208,9 @@
 #endif
 
 #if defined(__FreeBSD__)
+	free_pseudo_tag = EVENTHANDLER_REGISTER(
+	    thread_dtor, thread_dtor_free_pseudo, NULL, EVENTHANDLER_PRI_ANY);
+
 	dev_ctl = make_dev(&dahdi_devsw, 0, UID_ROOT, GID_WHEEL, 0644, "dahdi/ctl");
 	{
 		struct cdev *dev;
@@ -9202,6 +9253,18 @@
 	coretimer_cleanup();
 
 #if defined(__FreeBSD__)
+	EVENTHANDLER_DEREGISTER(thread_dtor, free_pseudo_tag);
+
+	spin_lock_irqsave(&pseudo_free_list_lock, x);
+	while (!LIST_EMPTY(&pseudo_free_list)) {
+		struct pseudo_free *pf = LIST_FIRST(&pseudo_free_list);
+
+		LIST_REMOVE(pf, pf_link);
+		kfree(pf->pf_pseudo);
+		kfree(pf);
+	}
+	spin_unlock_irqrestore(&pseudo_free_list_lock, x);
+
 	if (dev_ctl != NULL) {
 		destroy_dev(dev_ctl);
 		dev_ctl = NULL;




More information about the dahdi-commits mailing list