kern/151758: [panic] tmux kernel panic, with out root privilegies

John Baldwin jhb at
Thu Dec 8 15:30:11 UTC 2011

The following reply was made to PR kern/151758; it has been noted by GNATS.

From: John Baldwin <jhb at>
To: bug-followup at, andrey at, 
 Konstantin Belousov <kib at>
Subject: Re: kern/151758: [panic] tmux kernel panic, with out root privilegies
Date: Thu, 08 Dec 2011 10:24:56 -0500

 The bug is that during unp_gc(), we pass NULL as the thread to closef() 
 (to disable certain locking stuff, and because the thread performing the 
 gc doesn't "own" orphaned file descriptors in a closed UNIX domain 
 socket).  That resulted in the 'td' argument passed to devfs_close_f() 
 being NULL, so td->td_fpop would fault.  The patch I have (untested) is 
 to force devfs_close_f() to always use curthread instead of trusting the 
 td argument it is given.
 Index: /home/jhb/work/freebsd/svn/head/sys/fs/devfs/devfs_vnops.c
 --- /home/jhb/work/freebsd/svn/head/sys/fs/devfs/devfs_vnops.c	(revision 
 +++ /home/jhb/work/freebsd/svn/head/sys/fs/devfs/devfs_vnops.c	(working 
 @@ -602,6 +602,11 @@
   	int error;
   	struct file *fpop;
 +	/*
 +	 * NB: td may be NULL if this descriptor is closed due to
 +	 * garbage collection from a closed UNIX domain socket.
 +	 */
 +	td = curthread;
   	fpop = td->td_fpop;
   	td->td_fpop = fp;
   	error = vnops.fo_close(fp, td);
 John Baldwin

More information about the freebsd-bugs mailing list