git: 393ac29f0b8b - main - kqueue: on process exit, force-clear its registered signal events

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Fri, 24 Nov 2023 16:28:23 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=393ac29f0b8be068c8e46f76c2eeee07d20ea4df

commit 393ac29f0b8be068c8e46f76c2eeee07d20ea4df
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-11-24 06:41:58 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-11-24 16:26:53 +0000

    kqueue: on process exit, force-clear its registered signal events
    
    Normally, a process already has all its kqueue fds destroyed at the moment
    p_klist is detached in the exit flow. But, if the process was created with
    rfork(2) with shared file descriptors, its signal knotes can survive.
    Then, knlist_detach() does not destroy a non-empty knlist. Later, when the
    owning kqueue is closed, we access freed (or rather, reused, because
    struct proc is type-stable) memory by referencing p->p_klist from such a
    knote.
    
    Handle this situation by deleting all knotes hanging from p_klist.
    
    PR:     275286
    Reviewed by:    markj
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D42745
---
 sys/kern/kern_exit.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 112f9c7b0f33..d7b45ee96654 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -985,6 +985,7 @@ proc_reap(struct thread *td, struct proc *p, int *status, int options)
 	proc_id_clear(PROC_ID_PID, p->p_pid);
 
 	PROC_LOCK(p);
+	knlist_delete(p->p_klist, td, 1);
 	knlist_detach(p->p_klist);
 	p->p_klist = NULL;
 	PROC_UNLOCK(p);
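Review bot: the added `knlist_delete(p->p_klist, td, 1);` carries no comment, so the reason it must precede `knlist_detach(p->p_klist);` (signal knotes surviving when the process was created by rfork(2) with shared file descriptors, per the commit message and PR 275286) is invisible to a reader of proc_reap(). Suggest a short comment above the call, e.g. `/* Destroy surviving signal knotes (rfork with shared fds); knlist_detach() does not empty the list. */`, so the ordering is not "simplified" away later. The `islocked` argument of 1 matches the surrounding PROC_LOCK(p)/PROC_UNLOCK(p) pair, which is what the existing knlist_detach() already relies on.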