panic: general protection fault from uipc_sockaddr+0x4c
Mark Johnston
markj at freebsd.org
Tue Dec 8 16:05:38 UTC 2020
On Tue, Dec 08, 2020 at 04:40:16PM +0100, Mateusz Guzik wrote:
> I think this is a long standing bug against exiting processes.
>
> filedesc_out only increments *hold* count, but that does not prevent
> fdescfree_fds from progressing and freeing everything without any
> locks held.
I think it is fallout from r367777: before that, fdescfree() acquired
and released the exclusive fd table lock between decrementing
fdp->fd_refcount and calling fdescfree_fds(). This would serialize with
the loop in kern_proc_fildesc_out(), which checks fdp->fd_refcount > 0
at the beginning of each iteration. Now there is no serialization and
they can race.
> A hotfix (for mfc) would add locking around it, but a long term fix
> should wait for hold count to drain. By that point there can't be any
> new arrivals due to:
>
> PROC_LOCK(p);
> p->p_fd = NULL;
> PROC_UNLOCK(p);
>
> I'll code both later today.
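The race discussed above, as an added model that is not part of this thread or of FreeBSD's source: a reader pins the table with a hold count and checks the refcount at the start of each iteration, the exiting process drops its reference between that check and the reader's access; the unfixed release frees the entries with no regard for holders, the fixed one defers the free until the hold count drains. All struct and function names here are simplified assumptions, not the kernel's real ones.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model only; not FreeBSD's struct filedesc / fdescfree(). */
struct fdtab {
    int refcount;      /* process references, like fd_refcount */
    int holdcnt;       /* readers pinning the table (filedesc_hold) */
    int *files;        /* fd entries; NULL once the free has run */
    bool free_pending; /* fixed variant: free deferred until holds drain */
};
static void fdtab_free_files(struct fdtab *t) { free(t->files); t->files = NULL; }

/* Reader (kern_proc_fildesc_out-like walk), split into the refcount check
 * and the entry access so the exit can be interleaved between them. */
static int reader_check(const struct fdtab *t) { return t->refcount > 0; }
static int reader_read(const struct fdtab *t, int i) {
    if (t->files == NULL) return -1;   /* stands in for a real use-after-free */
    volatile int v = t->files[i]; (void)v;
    return 1;
}
/* filedesc_drop: the last holder completes a deferred free. */
static void reader_drop(struct fdtab *t) {
    if (--t->holdcnt == 0 && t->free_pending) fdtab_free_files(t);
}
/* Exiting process drops its reference. Unfixed: free immediately, ignoring
 * holders. Fixed: wait for the hold count to drain before freeing. */
static void exiter_release(struct fdtab *t, bool fixed) {
    t->refcount--;
    if (!fixed || t->holdcnt == 0) fdtab_free_files(t);
    else t->free_pending = true;
}
/* Problematic interleaving. Returns the reader's access result after the
 * exit (-1 = race hit, 1 = entry still valid); -2 if the fixed path leaked. */
int run_interleaving(bool fixed) {
    int sample[4] = {3, 4, 5, 6};        /* constructed fd entries */
    struct fdtab t = { .refcount = 1, .holdcnt = 1 }; /* reader already holds */
    t.files = malloc(sizeof sample);
    memcpy(t.files, sample, sizeof sample);
    if (!reader_check(&t)) return -3;    /* iteration starts: refcount is 1 */
    exiter_release(&t, fixed);           /* exit lands between check and use */
    int used = reader_read(&t, 0);       /* -1 in the unfixed path */
    if (reader_check(&t)) return -4;     /* next iteration sees 0 and stops */
    reader_drop(&t);                     /* last holder: deferred free runs */
    if (fixed && t.files != NULL) return -2;
    free(t.files);                       /* NULL in both paths by now */
    return used;
}
```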