[Bug 293382] Dead lock and kernel crash around closefp_impl
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 293382] Dead lock and kernel crash around closefp_impl"
Date: Fri, 27 Mar 2026 00:31:02 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382
--- Comment #26 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:
URL:
https://cgit.FreeBSD.org/src/commit/?id=8f3227f527567aef53da845ab78da8e16d9051c1
commit 8f3227f527567aef53da845ab78da8e16d9051c1
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-03-27 00:24:18 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-03-27 00:24:18 +0000
kqueue: Fix a race when adding an fd-based knote to a queue
When registering a new kevent backed by a file descriptor, we first look
up the file description with fget(), then lock the kqueue, then see if a
corresponding knote is already registered. If not, and KN_ADD is
specified, we add the knote to the kqueue.
closefp_impl() interlocks with this process by calling knote_fdclose(),
which locks each kqueue and checks to see if the fd is registered with a
knote. But, if userspace closes an fd while a different thread is
registering it, i.e., after fget() succeeds but before the kqueue is
locked, then we may end up with a mismatch in the knote table, where the
knote kn_fp field points to a different file description than the knote
ident.
Fix the problem by double-checking before registering a knote. Add a
new fget_noref_unlocked() helper for this purpose. It is a clone of
fget_noref(). We could simply use fget_noref(), but I like having an
explicit unlocked variant.
PR: 293382
Reviewed by: kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D55852
sys/kern/kern_event.c | 14 +++++++++++++-
sys/sys/filedesc.h | 17 +++++++++++++++++
2 files changed, 30 insertions(+), 1 deletion(-)
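The race described in the commit message, as an added user-space model (this is not FreeBSD's kernel code, and the names model_fget(), model_close(), model_kevent_add() and the preempt hook are hypothetical stand-ins for fget(), closefp_impl(), kevent registration and thread preemption). The pre-fix ordering takes a reference with fget(), then locks the kqueue and registers a knote without re-checking the fd, so a close() that runs in between leaves a knote whose kn_fp disagrees with what the fd now names. The fixed ordering re-verifies the fd against the held file under the kqueue lock, which is the double-check the commit adds, and refuses with EBADF when the fd has been closed or reused.

```c
/* Added example, not FreeBSD's code: a single-threaded model of the
 * fget() / close() / knote registration race and of the double-check fix. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NFDS 8

struct file { int refcount; int id; };                 /* stands in for struct file */
struct knote { int ident; struct file *kn_fp; int active; };

static struct file *fdtable[NFDS];                      /* fd -> file description */
static struct knote knotes[NFDS];                       /* toy kqueue: one knote slot per ident */
static int kq_locked;                                   /* models the kqueue lock */
static int last_mismatch;                               /* result of the last scenario */

/* Hook run between fget() and locking the kqueue; models another thread running. */
typedef void (*preempt_fn)(void);

static struct file *model_fget(int fd) {                /* fget(): take a reference on fd's file */
    if (fd < 0 || fd >= NFDS || fdtable[fd] == NULL) return NULL;
    fdtable[fd]->refcount++;
    return fdtable[fd];
}
static void model_fdrop(struct file *fp) {              /* fdrop(): release a reference */
    if (--fp->refcount == 0) free(fp);
}
/* knote_fdclose(): with the kqueue locked, drop any knote registered on fd. */
static void model_knote_fdclose(int fd) {
    kq_locked = 1;
    if (knotes[fd].active) { model_fdrop(knotes[fd].kn_fp); knotes[fd].active = 0; }
    kq_locked = 0;
}
/* closefp_impl(): unhook the fd, notify the kqueue, then release the table's reference. */
static void model_close(int fd) {
    struct file *fp = fdtable[fd];
    fdtable[fd] = NULL;
    model_knote_fdclose(fd);
    model_fdrop(fp);
}
static void model_open(int fd, int id) {                /* install a fresh file at fd */
    struct file *fp = calloc(1, sizeof(*fp));
    fp->refcount = 1;
    fp->id = id;
    fdtable[fd] = fp;
}
/* kevent registration. double_check == 0 is the pre-fix ordering; double_check == 1
 * re-verifies, under the kqueue lock, that fd still names the file we hold.
 * Returns 0 on success or an errno value. */
static int model_kevent_add(int fd, int double_check, preempt_fn preempt) {
    struct file *fp = model_fget(fd);
    if (fp == NULL) return EBADF;
    if (preempt) preempt();                             /* another thread closes fd here */
    kq_locked = 1;
    if (double_check && fdtable[fd] != fp) {            /* fd was closed or reused meanwhile */
        kq_locked = 0;
        model_fdrop(fp);
        return EBADF;
    }
    if (!knotes[fd].active) {                           /* no knote yet: register one */
        knotes[fd].ident = fd;
        knotes[fd].kn_fp = fp;
        knotes[fd].active = 1;
        fp = NULL;                                      /* reference is now owned by the knote */
    }
    kq_locked = 0;
    if (fp) model_fdrop(fp);
    return 0;
}
/* True when a registered knote's kn_fp disagrees with the current fd table entry. */
static int model_knote_mismatch(int fd) {
    return knotes[fd].active && knotes[fd].kn_fp != fdtable[fd];
}
/* The racing thread: close fd 3 and reuse the number for a different file. */
static void close_and_reuse_fd3(void) { model_close(3); model_open(3, 200); }

/* Run one scenario from a clean state; returns the kevent result and records
 * in last_mismatch whether the knote table ended up inconsistent. */
static int run_scenario(int double_check) {
    for (int i = 0; i < NFDS; i++) {
        if (knotes[i].active) model_knote_fdclose(i);
        if (fdtable[i]) model_close(i);
    }
    model_open(3, 100);
    int rv = model_kevent_add(3, double_check, close_and_reuse_fd3);
    last_mismatch = model_knote_mismatch(3);
    return rv;
}

int main(void) {
    int rv = run_scenario(0);
    printf("pre-fix:  rv=%d knote/fd mismatch=%d\n", rv, last_mismatch);
    rv = run_scenario(1);
    printf("with fix: rv=%d knote/fd mismatch=%d\n", rv, last_mismatch);
    return 0;
}
```

The model is deliberately single-threaded: the preempt hook stands in for the scheduler so the interleaving is reproducible, and the kqueue lock is a flag rather than a real mutex. What it shows is the shape of the fix, not its exact kernel implementation: once the kqueue lock is held, the fd must be looked up again and compared with the file reference obtained earlier, because the reference alone proves only that the file is still alive, not that the fd still refers to it.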