From: John Baldwin
To: freebsd-hackers@freebsd.org
Cc: Mateusz Guzik, kib@freebsd.org
Subject: Re: fork: hold newly created processes
Date: Tue, 7 Oct 2014 11:24:50 -0400
Message-Id: <201410071124.50230.jhb@freebsd.org>
In-Reply-To: <20141005102912.GB9262@dft-labs.eu>
References: <20141005102912.GB9262@dft-labs.eu>
List-Id: Technical Discussions relating to FreeBSD

On Sunday, October 05, 2014 6:29:12 am Mateusz Guzik wrote:
> fork: hold newly created processes
>
> Consumers of fork1 -> do_fork receive new proc pointer, but nothing
> guarantees its stability at that time.
>
> New process could already exit and be waited for, in which case we get a
> use after free.
>
> This is a temporary fix.

As Konstantin noted, this is just a bug in the callers. If they want to access the proc pointer after calling fork(), they should use RF_STOPPED and setrunqueue() the first thread after they are finished working with it.

-- 
John Baldwin