[Bug 251915] TOCTOU race between tty_signal_sessleader() and killjobc()
bugzilla-noreply at freebsd.org
Thu Dec 17 19:22:21 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251915
--- Comment #5 from Konstantin Belousov <kib at FreeBSD.org> ---
(In reply to Jakub Piecuch from comment #4)
You talked about a race with zeroing s_leader, but the comment now mentions
t_session.
I reformulated the comment, and also read t_session into a local, just to
shorten the lines and make this fragment easier to read.
Also, atomics come from sys/systm.h already.
diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index 7526638b921..8d4d25a4ac0 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -1474,6 +1474,7 @@ void
tty_signal_sessleader(struct tty *tp, int sig)
{
struct proc *p;
+ struct session *s;
tty_assert_locked(tp);
MPASS(sig >= 1 && sig < NSIG);
@@ -1482,8 +1483,14 @@ tty_signal_sessleader(struct tty *tp, int sig)
tp->t_flags &= ~TF_STOPPED;
tp->t_termios.c_lflag &= ~FLUSHO;
- if (tp->t_session != NULL && tp->t_session->s_leader != NULL) {
- p = tp->t_session->s_leader;
+ /*
+ * Load s_leader exactly once to avoid race where s_leader is
+ * set to NULL by a concurrent invocation of killjobc() by the
+ * session leader. Note that we are not holding t_session's
+ * lock for the read.
+ */
+ if ((s = tp->t_session) != NULL &&
+ (p = atomic_load_ptr(&s->s_leader)) != NULL) {
PROC_LOCK(p);
kern_psignal(p, sig);
PROC_UNLOCK(p);
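Review bot: the new comment says the session lock is not held for the read of s_leader, but it does not say what keeps `p` valid between `atomic_load_ptr(&s->s_leader)` and `PROC_LOCK(p)`; please state the guarantee (for example that the tty lock held by `tty_assert_locked(tp)` prevents the leader from being reaped while this code runs) in the comment, since a reader who only sees this hunk cannot tell whether the lockless load is safe. Also, this diff only changes the reader side: for `atomic_load_ptr` to pair with the store in `killjobc()` that sets `s_leader` to NULL (the race the bug title describes), that store must be a matching atomic store or otherwise visible as a single write, so it is worth confirming or noting that in the commit message.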
--
You are receiving this mail because:
You are the assignee for the bug.