Date:      Thu, 17 Dec 2020 19:22:20 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 251915] TOCTOU race between tty_signal_sessleader() and killjobc()
Message-ID:  <bug-251915-227-u0l7Ukvs0H@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-251915-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-251915-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251915

--- Comment #5 from Konstantin Belousov <kib@FreeBSD.org> ---
(In reply to Jakub Piecuch from comment #4)
You talked about a race with zeroing s_leader, but the comment now mentions
t_session.

I reformulated the comment, and also read t_session into local, just to
shorten the lines and make this fragment easier to read.

Also, atomics come from sys/systm.h already.

diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index 7526638b921..8d4d25a4ac0 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -1474,6 +1474,7 @@ void
 tty_signal_sessleader(struct tty *tp, int sig)
 {
        struct proc *p;
+       struct session *s;

        tty_assert_locked(tp);
        MPASS(sig >=3D 1 && sig < NSIG);
@@ -1482,8 +1483,14 @@ tty_signal_sessleader(struct tty *tp, int sig)
        tp->t_flags &=3D ~TF_STOPPED;
        tp->t_termios.c_lflag &=3D ~FLUSHO;

-       if (tp->t_session !=3D NULL && tp->t_session->s_leader !=3D NULL) {
-               p =3D tp->t_session->s_leader;
+       /*
+        * Load s_leader exactly once to avoid race where s_leader is
+        * set to NULL by a concurrent invocation of killjobc() by the
+        * session leader.  Note that we are not holding t_session's
+        * lock for the read.
+        */
+       if ((s =3D tp->t_session) !=3D NULL &&
+           (p =3D atomic_load_ptr(&s->s_leader)) !=3D NULL) {
                PROC_LOCK(p);
                kern_psignal(p, sig);
                PROC_UNLOCK(p);
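Review bot: the new comment explains why s_leader is loaded only once, but not why the proc pointer it yields is still safe to use after a concurrent killjobc() has cleared s_leader, since by the time PROC_LOCK(p) runs `p` can be the leader that is already exiting; one sentence stating what keeps `p` valid at that point (or that kern_psignal() on an exiting process is harmless) would make the reasoning in the comment complete. It would also help to say that `s` itself is stable because the caller holds the tty lock (tty_assert_locked(tp) above), since the comment only notes that t_session's own lock is not held.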

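To make the check-then-use window concrete, here is an added userland illustration of the race the patch closes; it is not FreeBSD code, and the `struct proc`, `struct session`, `struct tty`, `killjobc_sim` and `signal_leader_*` names are simplified stand-ins for the kernel ones. The "concurrent killjobc()" is modelled by a constructed hook that runs at the point where the other CPU would be scheduled, so the interleaving is deterministic instead of depending on thread timing. The first function reads s_leader twice, as the code did before the patch; the second reads t_session and s_leader exactly once and uses the loaded values, as the patched code does.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userland stand-ins for the kernel structures. */
struct proc {
	int pending_sig;	/* last signal the demo "posted" to this proc */
};

struct session {
	_Atomic(struct proc *) s_leader;	/* NULL once the leader ran killjobc() */
};

struct tty {
	struct session *t_session;	/* stable here: the demo "holds the tty lock" */
};

/* Hook standing in for a concurrent killjobc() on another CPU. */
typedef void (*interleave_fn)(struct session *);

static void
killjobc_sim(struct session *s)
{
	atomic_store(&s->s_leader, NULL);
}

/*
 * Pre-patch shape: s_leader is read once for the check and again for the
 * use.  If killjobc() runs in between, the second read yields NULL.
 * Returns 0 if a signal was posted, 1 if there is no leader, -1 if the
 * check/use window was hit (the kernel would dereference NULL here).
 */
static int
signal_leader_racy(struct tty *tp, int sig, interleave_fn between)
{
	struct proc *p;

	if (tp->t_session != NULL &&
	    atomic_load(&tp->t_session->s_leader) != NULL) {
		if (between != NULL)
			between(tp->t_session);	/* concurrent killjobc() */
		p = atomic_load(&tp->t_session->s_leader);	/* second read */
		if (p == NULL)
			return (-1);
		p->pending_sig = sig;
		return (0);
	}
	return (1);
}

/*
 * Patched shape: t_session and s_leader are each loaded exactly once and
 * the loaded values are used, so a concurrent killjobc() cannot turn a
 * passed check into a NULL use.  Same return convention as above.
 */
static int
signal_leader_fixed(struct tty *tp, int sig, interleave_fn between)
{
	struct session *s;
	struct proc *p;

	if ((s = tp->t_session) != NULL &&
	    (p = atomic_load(&s->s_leader)) != NULL) {
		if (between != NULL)
			between(s);	/* concurrent killjobc() */
		p->pending_sig = sig;	/* p is the value that passed the check */
		return (0);
	}
	return (1);
}

#define DEMO_SIG 15	/* constructed signal number, distinct from the codes above */

/*
 * Build a tty whose session has a leader and run one variant with the
 * adversarial interleaving.  Returns the variant's non-zero result code,
 * or the signal number actually posted on the leader when it succeeded.
 */
static int
run_variant(int (*variant)(struct tty *, int, interleave_fn))
{
	struct proc leader = { .pending_sig = 0 };
	struct session sess;
	struct tty tp = { .t_session = &sess };
	int rc;

	atomic_init(&sess.s_leader, &leader);
	rc = variant(&tp, DEMO_SIG, killjobc_sim);
	return (rc != 0 ? rc : leader.pending_sig);
}

int
demo_racy(void)
{
	return (run_variant(signal_leader_racy));
}

int
demo_fixed(void)
{
	return (run_variant(signal_leader_fixed));
}

int
main(void)
{
	printf("racy: %d (expected -1), fixed: %d (expected %d)\n",
	    demo_racy(), demo_fixed(), DEMO_SIG);
	return (0);
}
```

The atomic load on its own does not remove the window; what closes it is using the single loaded value for both the test and the use, which is exactly what reading `s_leader` into `p` inside the condition achieves in the patch.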