diff options
| author | Konstantin Belousov <kib@FreeBSD.org> | 2023-11-24 06:41:58 +0000 |
|---|---|---|
| committer | Konstantin Belousov <kib@FreeBSD.org> | 2023-11-24 16:26:53 +0000 |
| commit | 393ac29f0b8be068c8e46f76c2eeee07d20ea4df (patch) | |
| tree | 71978e139f8e12a72c10a83c459732d48ab61857 | |
| parent | 50335b1ae4e48712f831e85ddfa7b00da0af382c (diff) | |
| download | src-393ac29f0b8be068c8e46f76c2eeee07d20ea4df.tar.gz src-393ac29f0b8be068c8e46f76c2eeee07d20ea4df.zip | |
kqueue: on process exit, force-clear its registered signal events
Normally, process already has all its kqueue fds destroyed at the moment
p_klist is detached in exit flow. But, if the process was created with
rfork(2) with shared file descriptors, its signal knotes can survive.
Then, knlist_detach() does not destroy non-empty knlist. Later, when
owning kqueue is closed, we access freed (or rather, reused, because
struct proc is type-stable) memory by referencing p->p_klist from such
knote.
Handle this situation by deleting all knotes hanging from p_klist.
PR: 275286
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D42745
| -rw-r--r-- | sys/kern/kern_exit.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 112f9c7b0f33..d7b45ee96654 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -985,6 +985,7 @@ proc_reap(struct thread *td, struct proc *p, int *status, int options) proc_id_clear(PROC_ID_PID, p->p_pid); PROC_LOCK(p); + knlist_delete(p->p_klist, td, 1); knlist_detach(p->p_klist); p->p_klist = NULL; PROC_UNLOCK(p); |