Page MenuHomeFreeBSD

Don't acquire evclass_lock with a spinlock held
ClosedPublic

Authored by asomers on Jul 10 2018, 11:05 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 24, 1:55 PM
Unknown Object (File)
Mon, Dec 16, 8:37 PM
Unknown Object (File)
Thu, Dec 5, 7:54 AM
Unknown Object (File)
Sat, Nov 30, 7:37 AM
Unknown Object (File)
Sat, Nov 30, 5:34 AM
Unknown Object (File)
Sat, Nov 30, 5:01 AM
Unknown Object (File)
Nov 26 2024, 6:28 PM
Unknown Object (File)
Oct 26 2024, 11:17 PM
Subscribers

Details

Summary

When the "pc" audit class is enabled and auditd is running, witness will
panic during thread exit because au_event_class tries to lock an rwlock
while holding a spinlock acquired upstack by thread_exit.

To fix this, move AUDIT_SYSCALL_EXIT futher upstack, before the spinlock is
acquired. Of thread_exit's 16 callers, it's only necessary to call
AUDIT_SYSCALL_EXIT from two, exit1 (for exiting processes) and kern_thr_exit
(for exiting threads). The other callers are all kernel threads, which
needen't call AUDIT_SYSCALL_EXIT because since they can't make syscalls
there will be nothing to audit.

PR: 228444

Test Plan

The audit(4) test suite

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

@aniketp are there any exit-related audit events that you haven't tested yet? It would be good to check that this change doesn't break them.

sys/kern/kern_exit.c
311 ↗(On Diff #45124)

@asomers Don't we already have AUDIT_SYSCALL_EXIT(0, td) here in the initial part of exit1()?

Other than the (possible?) repetition of AUDIT_SYSCALL_EXIT in kern_exit.c. The issue with exa(1) seems to have gone away. Also, the regression tests for audit of _exit(2) in D16099 don't fail on introducing this change.

Other than the (possible?) repetition of AUDIT_SYSCALL_EXIT in kern_exit.c. The issue with exa(1) seems to have gone away. Also, the regression tests for audit of _exit(2) in D16099 don't fail on introducing this change.

Yeah, I didn't notice the other AUDIT_SYSCALL_EXIT. I guess the second one can be removed. And what about the _exit(2) test? How was it previously failing?

Don't duplicate AUDIT_SYSCALL_EXIT in exit1

Oh, no. _exit(2) wasn't failing previously. In fact, I hadn't even created its test. I apparently overlooked it just because process-control has a _lot_ of syscalls.

sys/kern/kern_exit.c
648 ↗(On Diff #45156)

Btw, is this space intentional? It wasn't there before.

This revision is now accepted and ready to land.Jul 11 2018, 2:33 PM
This revision was automatically updated to reflect the committed changes.