panic caused by EVFILT_SIGNAL detaching in rfork()ed thread
Uwe Doering
gemini at geminix.org
Sat Oct 23 06:57:31 PDT 2004
Igor Sysoev wrote:
> Here is more correct patch to fix the panic in 4.x reported in
> http://freebsd.rambler.ru/bsdmail/freebsd-hackers_2004/msg02732.html
>
> -------------------------
> --- src/sys/kern/kern_event.c Sun Oct 10 12:17:55 2004
> +++ src/sys/kern/kern_event.c Sun Oct 10 12:19:29 2004
> @@ -794,7 +794,8 @@
> while (kn != NULL) {
> kn0 = SLIST_NEXT(kn, kn_link);
> if (kq == kn->kn_kq) {
> - kn->kn_fop->f_detach(kn);
> + if (!(kn->kn_status & KN_DETACHED))
> + kn->kn_fop->f_detach(kn);
> /* XXX non-fd release of kn->kn_ptr */
> knote_free(kn);
> *knp = kn0;
> -------------------------
Your patch appears to be an excerpt from the fix to RELENG_5. May I
suggest a different approach for RELENG_4? My reasoning is that the
implementation of kevents differs between RELENG_4 and RELENG_5.
In RELENG_5 the flag KN_DETACHED is used in a more general way. It gets
set by knlist_add() and cleared by knlist_remove(), in sync with list
insertion and removal. As far as I can tell these routines have
originally been introduced in order to centralize the locking for kevent
list manipulations, and they don't exist in RELENG_4.
Now, the proper way to MFC the RELENG_5 fix to RELENG_4 more or less
unchanged would be to MFC the whole knlist_add()/knlist_remove()
business as well (w/o the locking stuff), which, however, would be
overkill for RELENG_4's single threaded kernel.
In RELENG_4's implementation of kevents, the only case in which
KN_DETACHED gets set is when a process exits and posts a NOTE_EXIT
event. That is, the meaning of KN_DETACHED is much narrower than in
RELENG_5. For this reason I believe the most appropriate fix would be
to check for KN_DETACHED in filt_sigdetach() in the same way it is
already done in filt_procdetach(). In fact, if you compare the two
routines it becomes pretty obvious that they should have been identical
in the first place, and that the absence of said check from
filt_sigdetach() is most likely just an oversight.
Therefore, I suggest to adopt the attached patch and leave the rest of
RELENG_4's kevent code alone. I checked the kernel sources and found
that filt_procdetach() and filt_sigdetach() are in fact the only
f_detach() routines that deal with a process' p_klist field, and
therefore need this kind of safeguard.
Also, it would probably be a good idea to fix RELENG_4 swiftly (and
possibly release a security advisory) because this flaw is certainly a
great DoS opportunity for maliciously minded shell users ...
Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini at geminix.org | http://www.escapebox.net
-------------- next part --------------
--- src/sys/kern/kern_sig.c.orig Thu Feb 5 23:26:48 2004
+++ src/sys/kern/kern_sig.c Sat Oct 23 11:15:30 2004
@@ -1739,6 +1739,10 @@
{
struct proc *p = kn->kn_ptr.p_proc;
+ if (kn->kn_status & KN_DETACHED)
+ return;
+
+ /* XXX locking? this might modify another process. */
SLIST_REMOVE(&p->p_klist, kn, knote, kn_selnext);
}
More information about the freebsd-stable
mailing list