Crash with FreeBSD 6.1 STABLE of today

Gavin Atkinson gavin.atkinson at
Fri Jun 23 16:04:01 UTC 2006

On Fri, 2006-06-23 at 13:46 +0200, Martin Blapp wrote:
> Hi,
> Maybe this is the solution? IMHO there is a race window
> open between the first tp->t_session test and the locking
> of the proc tree.

I'm not sure if t_session is supposed to be protected by the proctree
lock though.  With an initial glance of the code, it would seem odd to
be protected by the proctree lock, although I can't see any other locks
Someone with more knowledge of this code will probably know the answer
to this.  

There does seem to be a worrying comment above tty_close (which is the
only place that t_session seems to be set to NULL):

 * XXX our caller should have done `spltty(); l_close(); tty_close();'
 * and l_close() should have flushed, but we repeat the spltty() and
 * the flush in case there are buggy callers.

As I understand it, spltty() is now a no-op.  Does this mean that this
code is now essentially running without any locks that were used to
serialise changes to struct tty in days gone by?  Or is the whole tty
subsystem still running under Giant?


> +++ src/sys/kern/tty.c
> --- src/sys/kern/tty.c
> +                       sx_slock(&proctree_lock);
>                          if (tp->t_session) {
> -				sx_slock(&proctree_lock);
>                                  if (tp->t_session->s_leader) {
>                                          struct proc *p;
>                                          p = tp->t_session->s_leader;
>                                          PROC_LOCK(p);
>                                          psignal(p, SIGHUP);
>                                          PROC_UNLOCK(p);
>                                  }
> -				sx_sunlock(&proctree_lock);
>                          }
> +                       sx_sunlock(&proctree_lock);
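Review bot: Moving sx_slock(&proctree_lock) above the `if (tp->t_session)` test only closes the window if every writer of t_session, in particular the path that sets it to NULL, holds proctree_lock exclusively, and nothing in this hunk shows that. Please confirm which lock covers t_session and state it in a comment at the sx_slock() call; if it is not proctree_lock, the test and the two later tp->t_session->s_leader dereferences can still see the pointer change underneath them. Reading tp->t_session once into a local while the lock is held would also avoid the three separate loads. Style: the added lines are indented with spaces where the removed lines used tabs.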

More information about the freebsd-stable mailing list