From owner-freebsd-stable@FreeBSD.ORG Sat Oct 23 16:56:06 2004
Date: Sat, 23 Oct 2004 20:55:58 +0400 (MSD)
From: Igor Sysoev
To: Uwe Doering
In-Reply-To: <417A6347.8090207@geminix.org>
Message-ID: <20041023204914.S6546@is.park.rambler.ru>
References: <20041023003246.Y91215@is.park.rambler.ru> <417A6347.8090207@geminix.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-stable@freebsd.org
Subject: Re: panic caused by EVFILT_SIGNAL detaching in rfork()ed thread
List-Id: Production branch of FreeBSD source code

On Sat, 23 Oct 2004, Uwe Doering wrote:

> Igor Sysoev wrote:
> > Here is a more correct patch to fix the panic in 4.x reported in
> > http://freebsd.rambler.ru/bsdmail/freebsd-hackers_2004/msg02732.html
> >
> > -------------------------
> > --- src/sys/kern/kern_event.c Sun Oct 10 12:17:55 2004
> > +++ src/sys/kern/kern_event.c Sun Oct 10 12:19:29 2004
> > @@ -794,7 +794,8 @@
> >  while (kn != NULL) {
> >  kn0 = SLIST_NEXT(kn, kn_link);
> >  if (kq == kn->kn_kq) {
> > - kn->kn_fop->f_detach(kn);
> > + if (!(kn->kn_status & KN_DETACHED))
> > + kn->kn_fop->f_detach(kn);
> >  /* XXX non-fd release of kn->kn_ptr */
> >  knote_free(kn);
> >  *knp = kn0;
> > -------------------------
>
> Your patch appears to be an excerpt from the fix to RELENG_5. May I
> suggest a different approach for RELENG_4? My reasoning is that the
> implementation of kevents differs between RELENG_4 and RELENG_5.

I agree with your patch. It is similar to my earlier patch; however, I
think it is more correct to check (kn->kn_status & KN_DETACHED)
instead of !SLIST_EMPTY(&p->p_klist).

> Also, it would probably be a good idea to fix RELENG_4 swiftly (and
> possibly release a security advisory) because this flaw is certainly a
> great DoS opportunity for maliciously minded shell users ...

Yes.

Igor Sysoev
http://sysoev.ru/en/
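Review bot: the guard `if (!(kn->kn_status & KN_DETACHED))` in the @@ -794 hunk only stops the second f_detach() if whatever detached the signal knote first also set KN_DETACHED on it, and nothing in this hunk sets that flag, so the fix is complete only together with the code path that does. Please include or name that part of the change so a RELENG_4 reviewer can confirm the flag is actually set on the detach path there; Uwe's remark that the kevent implementation differs between RELENG_4 and RELENG_5 makes this worth checking explicitly rather than assuming the RELENG_5 behaviour carries over. A short comment above the new check explaining why a knote on this list can already be detached (the rfork() case from the subject line) would also document a condition that is not obvious from the loop itself.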