Re: kern/151758: [panic] tmux kernel panic,
The following reply was made to PR kern/151758; it has been noted by GNATS.
From: John Baldwin <jhb@FreeBSD.org>
To: bug-followup@FreeBSD.org, andrey@shidakov.ru,
Konstantin Belousov <kib@freebsd.org>
Cc:
Subject: Re: kern/151758: [panic] tmux kernel panic, with out root privilegies
Date: Thu, 08 Dec 2011 10:24:56 -0500
The bug is that during unp_gc(), we pass NULL as the thread to closef()
(to disable certain locking stuff, and because the thread performing the
gc doesn't "own" orphaned file descriptors in a closed UNIX domain
socket). That resulted in the 'td' argument passed to devfs_close_f()
being NULL, so td->td_fpop would fault. The patch I have (untested) is
to force devfs_close_f() to always use curthread instead of trusting the
td argument it is given.
Index: /home/jhb/work/freebsd/svn/head/sys/fs/devfs/devfs_vnops.c
===================================================================
--- /home/jhb/work/freebsd/svn/head/sys/fs/devfs/devfs_vnops.c (revision
228311)
+++ /home/jhb/work/freebsd/svn/head/sys/fs/devfs/devfs_vnops.c (working
copy)
@@ -602,6 +602,11 @@
int error;
struct file *fpop;
+ /*
+ * NB: td may be NULL if this descriptor is closed due to
+ * garbage collection from a closed UNIX domain socket.
+ */
+ td = curthread;
fpop = td->td_fpop;
td->td_fpop = fp;
error = vnops.fo_close(fp, td);
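Review bot: The unconditional `td = curthread;` ahead of `fpop = td->td_fpop;` discards the caller's td in every case, but the new comment only says td may be NULL, so a later reader could take the assignment for a NULL fallback. Either reword the comment to state that the td argument is deliberately ignored in favour of curthread, or substitute only when td is NULL (`if (td == NULL) td = curthread;`) if callers that pass a valid thread should keep it. The assignment also means `vnops.fo_close(fp, td)` now receives curthread where the unp_gc() path previously handed down NULL; since the message says NULL is passed to closef() to disable certain locking, it is worth confirming that the code below fo_close behaves correctly with a non-NULL td on the garbage-collection path before this goes in, especially as the patch is marked untested.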
--
John Baldwin