diff options
| author | Mateusz Guzik <mjg@FreeBSD.org> | 2018-11-23 04:38:50 +0000 |
|---|---|---|
| committer | Mateusz Guzik <mjg@FreeBSD.org> | 2018-11-23 04:38:50 +0000 |
| commit | e3d3e8289bb51e5cbf1709ed699a6a2ad5ea9b76 (patch) | |
| tree | 93b4adaab4c3bec0ce887b6281beee1bd057b13d /sys/kern/subr_syscall.c | |
| parent | e9e747efe2883a97910bbf49e8b356cc5ba3480f (diff) | |
| download | src-e3d3e8289bb51e5cbf1709ed699a6a2ad5ea9b76.tar.gz src-e3d3e8289bb51e5cbf1709ed699a6a2ad5ea9b76.zip | |
Revert "fork: fix use-after-free with vfork"
This unreliably breaks libc handling of vfork where forking succeded,
but execve did not.
vfork code in libc performs waitpid with WNOHANG in case of failed exec.
With the fix exit codepath was waking up the parent before the child
fully transitioned to a zombie. Woken up parent would waitpid, which
could find a not-yet-zombie child and fail to reap it due to the WNOHANG
flag.
While removing the flag fixes the problem, it is not an option due to older
releases which would still suffer from the kernel change.
Revert the fix until a solution can be worked out.
Note that while use-after-free which gets back due to the revert is a real
bug, it's side-effects are limited due to the fact that struct proc memory
is never released by UMA.
Notes
Notes:
svn path=/head/; revision=340793
Diffstat (limited to 'sys/kern/subr_syscall.c')
| -rw-r--r-- | sys/kern/subr_syscall.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/sys/kern/subr_syscall.c b/sys/kern/subr_syscall.c index d6ab0bc7d275..9bfd4e965da2 100644 --- a/sys/kern/subr_syscall.c +++ b/sys/kern/subr_syscall.c @@ -257,7 +257,6 @@ again: } cv_timedwait(&p2->p_pwait, &p2->p_mtx, hz); } - _PRELE(p2); PROC_UNLOCK(p2); if (td->td_dbgflags & TDB_VFORK) { |