kern/151758: [panic] tmux kernel panic, without root privileges
John Baldwin
jhb at FreeBSD.org
Thu Dec 8 15:30:11 UTC 2011
The following reply was made to PR kern/151758; it has been noted by GNATS.
From: John Baldwin <jhb at FreeBSD.org>
To: bug-followup at FreeBSD.org, andrey at shidakov.ru, Konstantin Belousov <kib at freebsd.org>
Cc:
Subject: Re: kern/151758: [panic] tmux kernel panic, without root privileges
Date: Thu, 08 Dec 2011 10:24:56 -0500
The bug is that during unp_gc(), we pass NULL as the thread to closef()
(to disable certain locking stuff, and because the thread performing the
gc doesn't "own" orphaned file descriptors in a closed UNIX domain
socket). That resulted in the 'td' argument passed to devfs_close_f()
being NULL, so td->td_fpop would fault. The patch I have (untested) is
to force devfs_close_f() to always use curthread instead of trusting the
td argument it is given.
Index: /home/jhb/work/freebsd/svn/head/sys/fs/devfs/devfs_vnops.c
===================================================================
--- /home/jhb/work/freebsd/svn/head/sys/fs/devfs/devfs_vnops.c (revision
228311)
+++ /home/jhb/work/freebsd/svn/head/sys/fs/devfs/devfs_vnops.c (working
copy)
@@ -602,6 +602,11 @@
int error;
struct file *fpop;
+ /*
+ * NB: td may be NULL if this descriptor is closed due to
+ * garbage collection from a closed UNIX domain socket.
+ */
+ td = curthread;
fpop = td->td_fpop;
td->td_fpop = fp;
error = vnops.fo_close(fp, td);
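Review bot: the unconditional `td = curthread;` discards whatever thread the caller passed in, while the comment above it only says td "may be NULL", so the two disagree about what the parameter means after this change. If callers other than the unp_gc() path always pass curthread, state that in the comment (the parameter is now effectively ignored); if a caller could legitimately pass a different thread, `if (td == NULL) td = curthread;` keeps the existing behaviour for them and only fixes the NULL case that faults on `td->td_fpop`. Either way, the restore of `td->td_fpop = fpop` after fo_close() is outside this hunk; check that it operates on the same thread as the save so the fpop bookkeeping stays on curthread. As the message notes the patch is untested, a run of the reporter's tmux scenario as an unprivileged user would confirm the panic no longer reproduces.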
--
John Baldwin