From owner-freebsd-bugs@FreeBSD.ORG Thu Jun 18 21:25:03 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 200958] filemon has insufficient proc locking
Date: Thu, 18 Jun 2015 21:25:03 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Who: peter@FreeBSD.org
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200958

            Bug ID: 200958
           Summary: filemon has insufficient proc locking
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: peter@FreeBSD.org

sys/dev/filemon_wrapper.c:filemon_pid_check() walks the curproc->p_pptr chain
without the required proc locking.

proc.h:
 *      c - locked by proc mtx
..
 *      e - locked by proctree_lock lock
..
 * If the locking key specifies two identifiers (for example, p_pptr) then
 * either lock is sufficient for read access, but both locks must be held
 * for write access.
..
        struct proc     *p_pptr;        /* (c + e) Pointer to parent process. */

The p_pptr scanner in filemon_pid_check() probably needs to hold a read rwlock
of proctree_lock.

This normally works fine, except when ptrace is involved.  With ptrace actively
reparenting things it can end up where it sits in an infinite loop in
filemon_pid_check().
Tracing pid 97757 tid 100728 td 0xfffff8012938a980
kdb_alt_break_internal() at kdb_alt_break_internal+0x197/frame 0xfffffe085fac7730
kdb_alt_break() at kdb_alt_break+0xb/frame 0xfffffe085fac7740
uart_intr_rxready() at uart_intr_rxready+0x99/frame 0xfffffe085fac7770
uart_intr() at uart_intr+0x111/frame 0xfffffe085fac77b0
intr_event_handle() at intr_event_handle+0x9b/frame 0xfffffe085fac7800
intr_execute_handlers() at intr_execute_handlers+0x48/frame 0xfffffe085fac7830
lapic_handle_intr() at lapic_handle_intr+0x3f/frame 0xfffffe085fac7850
Xapic_isr1() at Xapic_isr1+0xba/frame 0xfffffe085fac7850
--- interrupt, rip = 0xffffffff805244ed, rsp = 0xfffffe085fac7910, rbp = 0xfffffe085fac7990 ---
filemon_wrapper_freebsd32_stat() at filemon_wrapper_freebsd32_stat+0x6d/frame 0xfffffe085fac7990
ia32_syscall() at ia32_syscall+0x41b/frame 0xfffffe085fac7ab0
Xint0x80_syscall() at Xint0x80_syscall+0x95/frame 0xfffffe085fac7ab0
--- syscall (188, FreeBSD ELF32, filemon_wrapper_freebsd32_stat), rip = 0x284aa6d7, rsp = 0xffff987c, rbp = 0xffff9918 ---

In this case, it is looping infinitely in filemon_pid_check() and the process in
question is gdb from the gdb test suite.  On the ref* machines we ended up with 8
gdb processes all consuming 100% cpu in this function.

-- 
You are receiving this mail because:
You are the assignee for the bug.