From owner-freebsd-bugs@FreeBSD.ORG Thu Jan 18 03:10:22 2007
Message-Id: <200701180302.l0I32S4H059407@tarsier.delphij.net>
Date: Thu, 18 Jan 2007 11:02:28 +0800 (CST)
From: Xin LI
To: FreeBSD-gnats-submit@FreeBSD.org
Reply-To: Xin LI
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Date: Thu, 18 Jan 2007 03:10:21 GMT
X-Send-Pr-Version: 3.113
Subject: kern/108071: [PATCH] Panic in [sg]etpriority() due to NULL pointer dereference
List-Id: Bug reports
X-List-Received-Date: Thu, 18 Jan 2007 03:10:22 -0000

>Number:         108071
>Category:       kern
>Synopsis:       [PATCH] Panic in [sg]etpriority() due to NULL pointer dereference
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 18 03:10:20 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Xin LI
>Release:        FreeBSD 6.2-RELEASE i386
>Organization:   The FreeBSD Project
>Environment:
System: FreeBSD tarsier.delphij.net 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 12:23:27 CST 2007
    delphij@tarsier.delphij.net:/usr/obj/usr/src/sys/TARSIER i386
>Description:
There is a race between fork(2) and [sg]etpriority() where, when a newly born process is already in the allproc list, [sg]etpriority() could end up with a NULL dereference, which would lead to a panic.
>How-To-Repeat:
The following shell script demonstrates the race and can easily trigger a panic as a non-privileged user on a multi-core system (in my case a Dell 2950):

--- demo.sh begins here ---
#!/bin/sh
# Background sleeps supply a steady stream of fork(2) calls; each
# "renice -u" calls [sg]etpriority(PRIO_USER, ...), which walks allproc
# while some of those children are still being set up.
P=0
while [ ${P} -lt 200 ]; do
    sleep 3 &
    renice +4 -u delphij &
    sleep 3 &
    renice +4 -u delphij &
    sleep 3 &
    renice +4 -u delphij &
    sleep 3 &
    renice +4 -u delphij &
    P=`expr ${P} + 1`
done
--- demo.sh ends here ---
>Fix:
An easy fix for this would be to guard against the PRS_NEW state by just skipping it. However, we are still looking for a better solution for the issue.
--- patch-kern_resource.c begins here --- Index: kern_resource.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_resource.c,v retrieving revision 1.164 diff -u -p -r1.164 kern_resource.c --- kern_resource.c 6 Dec 2006 06:34:55 -0000 1.164 +++ kern_resource.c 18 Jan 2007 02:27:53 -0000 @@ -143,6 +143,8 @@ getpriority(td, uap) uap->who = td->td_ucred->cr_uid; sx_slock(&allproc_lock); LIST_FOREACH(p, &allproc, p_list) { + if (p->p_state == PRS_NEW) + continue; PROC_LOCK(p); if (!p_cansee(td, p) && p->p_ucred->cr_uid == uap->who) { @@ -230,6 +232,8 @@ setpriority(td, uap) uap->who = td->td_ucred->cr_uid; sx_slock(&allproc_lock); FOREACH_PROC_IN_SYSTEM(p) { + if (p->p_state == PRS_NEW) + continue; PROC_LOCK(p); if (p->p_ucred->cr_uid == uap->who && !p_cansee(td, p)) { --- patch-kern_resource.c ends here --- >Release-Note: >Audit-Trail: >Unformatted:
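Review bot: in the getpriority() hunk the new `if (p->p_state == PRS_NEW) continue;` runs before `PROC_LOCK(p)`, so p_state is read with only `sx_slock(&allproc_lock)` held and nothing in the hunk says why that is enough. The skip is sound only if the fork side stores p_ucred before it moves the child out of PRS_NEW and the state never goes back to PRS_NEW; that reasoning belongs in a comment above the test, or the test should sit inside the lock: `PROC_LOCK(p); if (p->p_state == PRS_NEW) { PROC_UNLOCK(p); continue; }`.

Review bot: the setpriority() hunk repeats the same unlocked `p_state == PRS_NEW` test and inherits the same missing comment; with the two loops already written differently (`LIST_FOREACH(p, &allproc, p_list)` versus `FOREACH_PROC_IN_SYSTEM(p)`), a second hand-copied guard is the kind of thing that drifts when the better solution the PR says it is still looking for lands. Factor the guard once (a small inline helper or macro used by both walks), or at least point here to the comment that explains it in getpriority().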
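The window the description and demo.sh rely on, modelled in user space as an added example (this is not code from the PR or from the FreeBSD kernel): a child is linked into allproc with p_state == PRS_NEW before p_ucred is assigned, so a walker that trusts list membership alone dereferences NULL. The struct proc and struct ucred, the two halves of fork, the uid 1001 and the nice values are constructed stand-ins for the kernel's; the walk mirrors the PRIO_USER branch of getpriority() with and without the patch's PRS_NEW guard.

```c
/* Added example, not from the PR or FreeBSD: a user-space model of the
 * fork(2) vs [sg]etpriority() window.  Instead of panicking on a NULL
 * p_ucred, the walk records that it would have, so the hazard is visible. */
#include <stddef.h>
#include <stdio.h>

#define PRIO_MAX 20

/* A child is PRS_NEW from the moment it is linked into allproc until the
 * rest of its fields are filled in. */
enum pstate { PRS_NEW = 0, PRS_NORMAL, PRS_ZOMBIE };

struct ucred { unsigned cr_uid; };

struct proc {
	struct proc *p_list;     /* next pointer, stands in for LIST_ENTRY */
	enum pstate p_state;
	struct ucred *p_ucred;   /* NULL until the fork side assigns it */
	int p_nice;
};

/* Model of getpriority(PRIO_USER): lowest nice among processes whose
 * credential uid is `who`; `low` starts at PRIO_MAX + 1 for "none found".
 * `guard` selects the patched behaviour (skip PRS_NEW). */
static int
lowest_nice_for_uid(struct proc *allproc, unsigned who, int guard, int *null_deref)
{
	int low = PRIO_MAX + 1;
	struct proc *p;

	*null_deref = 0;
	for (p = allproc; p != NULL; p = p->p_list) {
		if (guard && p->p_state == PRS_NEW)
			continue;               /* the PR's fix */
		if (p->p_ucred == NULL) {       /* kernel dereferences this blindly */
			*null_deref = 1;
			continue;
		}
		if (p->p_ucred->cr_uid == who && p->p_nice < low)
			low = p->p_nice;
	}
	return low;
}

/* First half of fork: link the child into allproc as PRS_NEW with p_ucred
 * still unset.  This is the window demo.sh hits. */
static void
fork_link(struct proc **allproc, struct proc *child)
{
	child->p_state = PRS_NEW;
	child->p_ucred = NULL;
	child->p_nice = 0;
	child->p_list = *allproc;
	*allproc = child;
}

/* Second half: copy credential and nice from the parent, then leave
 * PRS_NEW.  The model assumes, as the patch does, that p_ucred is valid
 * before any walker can observe PRS_NORMAL. */
static void
fork_finish(struct proc *child, struct proc *parent)
{
	child->p_ucred = parent->p_ucred;
	child->p_nice = parent->p_nice;
	child->p_state = PRS_NORMAL;
}

struct race_result {
	int unguarded_hit_null;  /* 1 if the unpatched walk touched a NULL p_ucred */
	int guarded_low;         /* patched walk, inside the fork window */
	int after_low;           /* unpatched walk once fork has completed */
};

/* Constructed scenario: uid 1001 owns two processes (nice 4 and 3), root
 * owns one; a child of the nice-4 process is then forked and the uid-1001
 * walk runs once inside the window and once after it. */
struct race_result
run_race_scenario(void)
{
	static struct ucred delphij = { 1001 }, root = { 0 };
	static struct proc sh     = { NULL,    PRS_NORMAL, &delphij, 4 };
	static struct proc sleep1 = { &sh,     PRS_NORMAL, &delphij, 3 };
	static struct proc init   = { &sleep1, PRS_NORMAL, &root,    0 };
	static struct proc child;
	struct proc *allproc = &init;
	struct race_result r;
	int nd;

	fork_link(&allproc, &child);            /* child visible, p_ucred NULL */
	(void)lowest_nice_for_uid(allproc, 1001, 0, &nd);
	r.unguarded_hit_null = nd;
	r.guarded_low = lowest_nice_for_uid(allproc, 1001, 1, &nd);
	fork_finish(&child, &sh);               /* window closed */
	r.after_low = lowest_nice_for_uid(allproc, 1001, 0, &nd);
	return r;
}

int
main(void)
{
	struct race_result r = run_race_scenario();
	printf("unguarded walk in fork window hits NULL p_ucred: %s\n",
	    r.unguarded_hit_null ? "yes (panic in the kernel)" : "no");
	printf("guarded walk, lowest nice for uid 1001: %d\n", r.guarded_low);
	printf("after fork completes: %d\n", r.after_low);
	return 0;
}
```

Build with `cc -o race race.c`. The ordering in fork_finish() is what makes the guard meaningful in the model: a walker that observes PRS_NORMAL never sees a NULL p_ucred, while one that observes PRS_NEW has no such guarantee and must not touch p_ucred at all, which is exactly what the patch's `continue` enforces.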