panic: general protection fault from uipc_sockaddr+0x4c
Mateusz Guzik
mjguzik at gmail.com
Tue Dec 8 16:12:39 UTC 2020
On 12/8/20, Mark Johnston <markj at freebsd.org> wrote:
> On Tue, Dec 08, 2020 at 04:40:16PM +0100, Mateusz Guzik wrote:
>> I think this is a long standing bug against exiting processes.
>>
>> filedesc_out only increments *hold* count, but that does not prevent
>> fdescfree_fds from progressing and freeing everything without any
>> locks held.
>
> I think it is fallout from r367777: before that, fdescfree() acquired
> and released the exclusive fd table lock between decrementing
> fdp->fd_refcount and calling fdescfree_fds(). This would serialize with
> the loop in kern_proc_fildesc_out(), which checks fdp->fd_refcount > 0
> at the beginning of each iteration. Now there is no serialization and
> they can race.
>
Oh I forgot consumers keep checking for fd_refcount. In that case
probably would be best to add sx_wait_unlocked.
>> A hotfix (for mfc) would add locking around it, but a long term fix
>> should wait for hold count to drain. By that point there can't be any
>> new arrivals due to:
>>
>> PROC_LOCK(p);
>> p->p_fd = NULL;
>> PROC_UNLOCK(p);
>>
>> I'll code both later today.
>
--
Mateusz Guzik <mjguzik gmail.com>
More information about the freebsd-current
mailing list