Several hwpmc(4) fixes mostly for logging.
ClosedPublic
Actions

Authored by kib on Oct 31 2017, 8:02 PM.

Details

Reviewers

jhb
markj

Commits

rS325277: Do not run pmclog_configure_log() without pmc_sx protection.

Summary

Patch makes some number of random fixes for hwpmc(4) after pho applied fuzzing to the hpwmc syscall. I intend to try to split the patch into logically separated commits, but it is too hard to do now if reviewers request changes.

First, r195005 is perhaps worse than the bug it fixed. The pmclog_configure_log() runs without pmx_sx protection at all, causing too many failure modes, esp. with the flush or closelog running in parallel. So I reverted r195005 and instead I pre-create the logging process, allowing it to run after the set up succeeded, otherwise the process terminates itself.

Second, hwpmc(4) must not voluntarily call fo_close(), this causes double-close of the file. It seems to almost avoid bad consequences for pipes, but other types of files demonstrate random memory access. So remove fo_close() calls, which also do not provide the declared wake-up of waiters consistently. Instead, send a signal to the logger and configure the logger process to not block it. Since logger never returns to userspace, the signal only causes termination of the interruptible sleeps in fo_write().

Remove unneeded Giant drop inside hwpmc syscall handler.

Use designated initializers for sysent.

Do some style adjustments in the nearby code.

Reported and tested by: pho

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kib created this revision.Oct 31 2017, 8:02 PM

Herald added subscribers: gnn, imp. · View Herald TranscriptOct 31 2017, 8:02 PM

kib edited the summary of this revision. (Show Details)Oct 31 2017, 8:03 PM

kib added a subscriber: pho.

markj added inline comments.Oct 31 2017, 8:42 PM

sys/dev/hwpmc/hwpmc_logging.c
330 ↗	(On Diff #34564)	I'd consider setting ia = NULL here to avoid leaving a dangling pointer.
618 ↗	(On Diff #34564)	Is there anything preventing a privileged user from sending SIGHUP to the thread from userland?
642 ↗	(On Diff #34564)	This comment is bogus now.

kib marked 2 inline comments as done.Oct 31 2017, 9:43 PM

kib added inline comments.

sys/dev/hwpmc/hwpmc_logging.c
618 ↗	(On Diff #34564)	I do not think so. Such user can signal the logger. Should we care ? For instance, logging can be initiated with the pipe as a sink, and then pipe could be closed, causing the same effect. So if we should, this is a separate bug and fix.

Mark' notes.

markj accepted this revision.Nov 1 2017, 3:36 AM

markj added inline comments.

sys/dev/hwpmc/hwpmc_logging.c
618 ↗	(On Diff #34564)	Probably it would be sufficient to ensure that we don't crash, hang or leak memory in that case. Of course, fo_write() can return an error for a variety of reasons besides SIGHUP delivery, and I can't see any issues with the error handling. So I don't think there's anything more to do.