git: 393ac29f0b8b - main - kqueue: on process exit, force-clear its registered signal events
Date: Fri, 24 Nov 2023 16:28:23 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=393ac29f0b8be068c8e46f76c2eeee07d20ea4df

commit 393ac29f0b8be068c8e46f76c2eeee07d20ea4df
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-11-24 06:41:58 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-11-24 16:26:53 +0000

    kqueue: on process exit, force-clear its registered signal events

    Normally, a process already has all its kqueue fds destroyed at the
    moment p_klist is detached in the exit flow. But if the process was
    created with rfork(2) with shared file descriptors, its signal knotes
    can survive. Then knlist_detach() does not destroy the non-empty
    knlist. Later, when the owning kqueue is closed, we access freed (or
    rather reused, because struct proc is type-stable) memory by
    referencing p->p_klist from such a knote.

    Handle this situation by deleting all knotes hanging from p_klist.

    PR:             275286
    Reviewed by:    markj
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D42745
---
 sys/kern/kern_exit.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 112f9c7b0f33..d7b45ee96654 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -985,6 +985,7 @@ proc_reap(struct thread *td, struct proc *p, int *status, int options)
 	proc_id_clear(PROC_ID_PID, p->p_pid);
 	PROC_LOCK(p);
+	knlist_delete(p->p_klist, td, 1);
 	knlist_detach(p->p_klist);
 	p->p_klist = NULL;
 	PROC_UNLOCK(p);
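Review bot: the islocked=1 argument to knlist_delete() in the proc_reap hunk is consistent with the PROC_LOCK(p) taken two lines above, since p_klist is keyed on the proc mutex, but knlist_delete() can temporarily drop and re-take that lock while it sleeps for in-flux knotes, so the following knlist_detach(p->p_klist) and p->p_klist = NULL run after a possible lock gap. Nothing else in the visible window depends on the lock being held continuously, so the ordering is correct, but a one-line comment such as "/* may drop/reacquire the proc lock; p_klist is not touched by others here */" above the new call would save the next reader the trip into kern_event.c. Separately, the @@ header counts 6 old / 7 new lines while only 5 context lines plus the one addition are shown, so one leading context line was lost when this page was extracted; the hunk as applied in the tree is not affected.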
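The sequence the commit message describes, written out as a userland reproducer. This is an added example, not part of the commit or of the FreeBSD tree: a child created with rfork(RFPROC) and no RFFDG shares the parent's file descriptor table, registers an EVFILT_SIGNAL knote on a kqueue (which the signal filter hangs off the child's own p_klist), and exits; after the parent reaps it, the parent closes the still-open kqueue, which is the point where the pre-fix kernel dereferences the reaped child's p_klist. The function name and the -2 "not FreeBSD" return value are this example's own conventions. On an unpatched kernel this can panic the machine, so run it only on a disposable test VM.

```c
#include <errno.h>
#include <stdio.h>

#if defined(__FreeBSD__)
#include <sys/types.h>
#include <sys/event.h>
#include <sys/wait.h>
#include <signal.h>
#include <unistd.h>
#endif

/*
 * Drive the scenario from the commit message.
 * Returns 0 when every step completed (close() of the kqueue returned,
 * i.e. the kernel survived), -1 with errno set if a syscall failed, and
 * -2 when built on a platform without rfork(2)/kqueue(2) (hypothetical
 * sentinel chosen for this example).
 */
int exercise_shared_fdtable_signal_knote(void)
{
#if defined(__FreeBSD__)
	struct kevent kev;
	pid_t pid;
	int kq, status;

	kq = kqueue();
	if (kq == -1)
		return -1;

	/*
	 * RFPROC without RFFDG: the child shares our fd table, so the
	 * kqueue fd, and every knote inside it, outlives the child.
	 */
	pid = rfork(RFPROC);
	if (pid == -1)
		return -1;
	if (pid == 0) {
		/*
		 * The signal filter attaches this knote to the calling
		 * process's p_klist, i.e. the child's, and records the
		 * child's struct proc in the knote.
		 */
		EV_SET(&kev, SIGUSR1, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
		if (kevent(kq, &kev, 1, NULL, 0, NULL) == -1)
			_exit(1);
		_exit(0);
	}

	/* Reaping the child runs proc_reap(), where p_klist is detached. */
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		errno = ECHILD;
		return -1;
	}

	/*
	 * Closing the kqueue detaches the surviving knote; before the fix
	 * that walks to the reaped child's p_klist through a struct proc
	 * that may already have been reused.
	 */
	if (close(kq) == -1)
		return -1;
	return 0;
#else
	errno = ENOSYS;
	return -2;
#endif
}

int main(void)
{
	int r = exercise_shared_fdtable_signal_knote();

	if (r == -2) {
		fprintf(stderr, "not a FreeBSD system, nothing to exercise\n");
		return 0;
	}
	if (r == -1) {
		perror("exercise_shared_fdtable_signal_knote");
		return 1;
	}
	printf("sequence completed; kernel survived closing the kqueue\n");
	return 0;
}
```

A kernel with this commit lets the program print the "sequence completed" line; a kernel without it is expected to fault in the close() step rather than return. Replacing rfork(RFPROC) with fork() makes the problem disappear, because the child's own copy of the fd table is torn down on exit and the knote is dropped before p_klist is detached.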