Date: Mon, 31 Mar 2025 09:06:36 GMT
Message-Id: <202503310906.52V96a5t078878@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: a6268f89d58c - main - proc: Disallow re-enabling of process itimers during exit
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a6268f89d58c1962d2372a664a35eaecbf367fbb

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=a6268f89d58c1962d2372a664a35eaecbf367fbb

commit a6268f89d58c1962d2372a664a35eaecbf367fbb
Author: Mark Johnston
AuthorDate: 2025-03-31 01:22:14 +0000
Commit: Mark Johnston
CommitDate: 2025-03-31 09:01:09 +0000

    proc: Disallow re-enabling of process itimers during exit

    During process exit, it's possible for the exiting thread to send a
    signal to its process, via killjobc(). This happens after the itimer is
    drained. If itimers are stopped, i.e., P2_ITSTOPPED is set, then
    itimer_proc_continue() will resume the callout after it has been
    drained.

    Fix the problem by simply clearing P2_ITSTOPPED as part of the drain.
    Then, a signal received after that point will not re-enable the callout.

    For good measure, also make sure that we don't reset the itimer callout
    in an exiting process.

    Reported by: syzkaller
    Reviewed by: kib
    MFC after: 2 weeks
    Differential Revision: https://reviews.freebsd.org/D49529

--- sys/kern/kern_exit.c | 1 + sys/kern/kern_time.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index a67d6b422964..54e3044ab093 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c 
@@ -375,6 +375,7 @@ exit1(struct thread *td, int rval, int signo) * Stop the real interval timer. If the handler is currently * executing, prevent it from rearming itself and let it finish. */ + p->p_flag2 &= ~P2_ITSTOPPED; if (timevalisset(&p->p_realtimer.it_value) && callout_stop(&p->p_itcallout) == 0) { timevalclear(&p->p_realtimer.it_interval); diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index c94ae49b6923..d7dc78366292 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -884,6 +884,8 @@ realitexpire_reset_callout(struct proc *p, sbintime_t *isbtp) { sbintime_t prec; + if ((p->p_flag & P_WEXIT) != 0) + return; prec = isbtp == NULL ? tvtosbt(p->p_realtimer.it_interval) : *isbtp; callout_reset_sbt(&p->p_itcallout, tvtosbt(p->p_realtimer.it_value), prec >> tc_precexp, realitexpire, p, C_ABSOLUTE);
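
Review bot: the comment above the new `p->p_flag2 &= ~P2_ITSTOPPED;` in exit1() (first hunk, sys/kern/kern_exit.c) still only covers stopping the real interval timer and keeping the handler from rearming, so the reason for clearing the flag is not recorded in the code. Suggest extending that comment to say the flag is cleared so that a signal delivered later in exit cannot resume the callout through itimer_proc_continue(), as the commit message explains. The hunk also does not show which lock covers this read-modify-write of p_flag2; worth confirming it runs with the process lock held, or stating that in the comment.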
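
Review bot: the new P_WEXIT early return at the top of realitexpire_reset_callout() (second hunk, sys/kern/kern_time.c) has no comment, and it makes the function skip callout_reset_sbt() silently, so callers get no indication that the callout was not armed. Suggest a one-line comment above `if ((p->p_flag & P_WEXIT) != 0)` saying that an exiting process has already drained its itimer callout and must not rearm it. If every caller holds the process lock, a PROC_LOCK_ASSERT(p, MA_OWNED) ahead of the check would also document that p_flag is read under it.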