From: Mateusz Guzik
Date: Fri, 23 Nov 2018 04:38:50 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r340793 - head/sys/kern

Author: mjg
Date: Fri Nov 23 04:38:50 2018
New Revision: 340793

URL: https://svnweb.freebsd.org/changeset/base/340793

Log:
  Revert "fork: fix use-after-free with vfork"

  This unreliably breaks libc handling of vfork where forking succeeded,
  but execve did not.

  vfork code in libc performs waitpid with WNOHANG in case of failed exec.
  With the fix, the exit codepath was waking up the parent before the child
  fully transitioned to a zombie. The woken-up parent would waitpid, which
  could find a not-yet-zombie child and fail to reap it due to the WNOHANG
  flag.

  While removing the flag fixes the problem, it is not an option due to
  older releases which would still suffer from the kernel change.

  Revert the fix until a solution can be worked out.

  Note that while the use-after-free which gets back due to the revert is a
  real bug, its side effects are limited due to the fact that struct proc
  memory is never released by UMA.
Modified: head/sys/kern/kern_exit.c head/sys/kern/kern_fork.c head/sys/kern/subr_syscall.c Modified: head/sys/kern/kern_exit.c ============================================================================== --- head/sys/kern/kern_exit.c Fri Nov 23 03:42:05 2018 (r340792) +++ head/sys/kern/kern_exit.c Fri Nov 23 04:38:50 2018 (r340793) @@ -285,15 +285,6 @@ exit1(struct thread *td, int rval, int signo) wakeup(&p->p_stype); /* - * If P_PPWAIT is set our parent holds us with p_lock and may - * be waiting on p_pwait. - */ - if (p->p_flag & P_PPWAIT) { - p->p_flag &= ~P_PPWAIT; - cv_broadcast(&p->p_pwait); - } - - /* * Wait for any processes that have a hold on our vmspace to * release their reference. */ @@ -338,9 +329,13 @@ exit1(struct thread *td, int rval, int signo) */ EVENTHANDLER_DIRECT_INVOKE(process_exit, p); + /* + * If parent is waiting for us to exit or exec, + * P_PPWAIT is set; we will wakeup the parent below. + */ PROC_LOCK(p); stopprofclock(p); - p->p_flag &= ~(P_TRACED | P_PPTRACE); + p->p_flag &= ~(P_TRACED | P_PPWAIT | P_PPTRACE); p->p_ptevents = 0; /* @@ -641,6 +636,7 @@ exit1(struct thread *td, int rval, int signo) * proc lock. */ wakeup(p->p_pptr); + cv_broadcast(&p->p_pwait); sched_exit(p->p_pptr, td); PROC_SLOCK(p); p->p_state = PRS_ZOMBIE; Modified: head/sys/kern/kern_fork.c ============================================================================== --- head/sys/kern/kern_fork.c Fri Nov 23 03:42:05 2018 (r340792) +++ head/sys/kern/kern_fork.c Fri Nov 23 04:38:50 2018 (r340793) 
@@ -720,7 +720,6 @@ do_fork(struct thread *td, struct fork_req *fr, struct dtrace_fasttrap_fork(p1, p2); #endif if (fr->fr_flags & RFPPWAIT) { - _PHOLD(p2); td->td_pflags |= TDP_RFPPWAIT; td->td_rfppwait_p = p2; td->td_dbgflags |= TDB_VFORK; Modified: head/sys/kern/subr_syscall.c ============================================================================== --- head/sys/kern/subr_syscall.c Fri Nov 23 03:42:05 2018 (r340792) +++ head/sys/kern/subr_syscall.c Fri Nov 23 04:38:50 2018 (r340793) @@ -257,7 +257,6 @@ again: } cv_timedwait(&p2->p_pwait, &p2->p_mtx, hz); } - _PRELE(p2); PROC_UNLOCK(p2); if (td->td_dbgflags & TDB_VFORK) {
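Review bot: the block removed at the top of exit1() (the early `p->p_flag &= ~P_PPWAIT;` and `cv_broadcast(&p->p_pwait);` that ran before the vmspace-hold wait) is, per the log, the wakeup that let the parent's waitpid(WNOHANG) observe a child that had not yet reached PRS_ZOMBIE. The surviving comment ("Wait for any processes that have a hold on our vmspace to release their reference") should gain a sentence saying the vfork parent must not be released before the zombie transition, so a later cleanup does not hoist the wakeup back up here.

Review bot: in the third kern_exit.c hunk the restored `cv_broadcast(&p->p_pwait);` follows `wakeup(p->p_pptr);` but still precedes `PROC_SLOCK(p); p->p_state = PRS_ZOMBIE;`, so the ordering libc's WNOHANG waitpid depends on holds only if the parent sleeping on p_pwait cannot run until the zombie state is visible; the "proc lock" context comment is the sole hint. Suggest an explicit comment at this broadcast naming the lock the parent's `cv_timedwait(&p2->p_pwait, &p2->p_mtx, hz)` in subr_syscall.c must reacquire, since moving this wakeup earlier is exactly the bug being reverted.

Review bot: dropping `_PHOLD(p2);` in do_fork() together with `_PRELE(p2);` after the cv_timedwait loop in subr_syscall.c removes the hold that kept p2 from being reclaimed while the parent sleeps on p2->p_pwait; the log states this use-after-free returns and is tolerable only because struct proc memory is never released by UMA. That dependency belongs in an XXX comment at the `cv_timedwait(&p2->p_pwait, &p2->p_mtx, hz);` site, so whoever next changes proc allocation or re-attempts the fix sees both the hazard and the WNOHANG constraint on older libc.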