fbsd/hbsd: WITH_SSP_STRONG -- -fstack-protector-strong #7
Comments
opntr
added a commit
that referenced
this issue
Aug 19, 2016
unp_dispose and unp_gc could race to teardown the same mbuf chains, which can lead to dereferencing freed filedesc pointers. This patch adds an IGNORE_RIGHTS flag on unpcbs marking the unpcb's RIGHTS as invalid/freed. The flag is protected by UNP_LIST_LOCK. To serialize against unp_gc, unp_dispose needs the socket object. Change the dom_dispose() KPI to take a socket object instead of an mbuf chain directly. PR: 194264 Differential Revision: https://reviews.freebsd.org/D3044 Reviewed by: mjg (earlier version) Approved by: markj (mentor) Obtained from: mjg MFC after: 1 month Sponsored by: EMC / Isilon Storage Division This commit was never MFCd to 10-STABLE, and the issue is still reproducible in 2016, with the linked test program from FreeBSD's phabricator. --8<-- Unread portion of the kernel message buffer: [206] [206] [206] Fatal trap 9: general protection fault while in kernel mode [206] cpuid = 1; apic id = 01 [206] instruction pointer = 0x20:0xffffffff809e10e8 [206] stack pointer = 0x28:0xfffffe002bd96960 [206] frame pointer = 0x28:0xfffffe002bd969e0 [206] code segment = base 0x0, limit 0xfffff, type 0x1b [206] = DPL 0, pres 1, long 1, def32 0, gran 1 [206] processor eflags = interrupt enabled, resume, IOPL = 0 [206] current process = 0 (thread taskq) [206] trap number = 9 [206] panic: general protection fault [206] cpuid = 1 [206] KDB: stack backtrace: [206] #0 0xffffffff8098dc90 at kdb_backtrace+0x60 [206] #1 0xffffffff80953ed6 at vpanic+0x126 [206] #2 0xffffffff80953f63 at panic+0x43 [206] #3 0xffffffff80d6b2cb at trap_fatal+0x36b [206] #4 0xffffffff80d6af49 at trap+0x839 [206] #5 0xffffffff80d4f3ec at calltrap+0x8 [206] #6 0xffffffff809a2940 at taskqueue_run_locked+0xf0 [206] #7 0xffffffff809a32ab at taskqueue_thread_loop+0x9b [206] #8 0xffffffff8091c144 at fork_exit+0x84 [206] freebsd#9 0xffffffff80d4f92e at fork_trampoline+0xe [206] Uptime: 3m26s [206] Dumping 73 out of 487 MB:..22%..44%..66%..88% --8<-- (cherry picked from commit 576619e) Signed-off-by: Oliver Pinter <[email protected]> CC: Bryan Drewery <[email protected]> CC: Mark Johnston <[email protected]>
opntr
added a commit
that referenced
this issue
Aug 19, 2016
…unix socket. - by markj@ If the listening socket is closed while sonewconn() is executing, the nascent child socket is aborted, which results in recursion on the unp_link lock when the child's pru_detach method is invoked. Fix this by using a flag to mark such sockets, and skip a part of the socket's teardown during detach. Reported by: Raviprakash Darbha <[email protected]> Tested by: pho MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D7398 --8<-- [128] panic: __rw_wlock_hard: recursing but non-recursive rw unp_link_rwlock @ /usr/src/sys/kern/uipc_usrreq.c:654 [128] [128] cpuid = 1 [128] KDB: stack backtrace: [128] #0 0xffffffff8098dc90 at kdb_backtrace+0x60 [128] #1 0xffffffff80953ed6 at vpanic+0x126 [128] #2 0xffffffff80953da9 at kassert_panic+0x139 [128] #3 0xffffffff80951454 at __rw_wlock_hard+0x394 [128] #4 0xffffffff80951072 at _rw_wlock_cookie+0x92 [128] #5 0xffffffff809de636 at uipc_detach+0x36 [128] #6 0xffffffff809d217a at sofree+0x1da [128] #7 0xffffffff809d1da4 at sonewconn+0x324 [128] #8 0xffffffff809e0496 at unp_connectat+0x326 [128] freebsd#9 0xffffffff809de4ac at uipc_connect+0x4c [128] freebsd#10 0xffffffff809d8cf6 at kern_connectat+0x126 [128] freebsd#11 0xffffffff809d8b87 at sys_connect+0x77 [128] freebsd#12 0xffffffff80d6bab4 at amd64_syscall+0x2c4 [128] freebsd#13 0xffffffff80d4f6db at Xfast_syscall+0xfb [128] Uptime: 2m8s [128] Dumping 73 out of 487 MB:..22%..44%..66%..88% --8<-- (cherry picked from commit cfea0ef) Signed-off-by: Oliver Pinter <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
clang-3.4 <
gcc ?
The text was updated successfully, but these errors were encountered: