Fix a pair of races in sigio handling
ClosedPublic
Actions

Authored by markj on Nov 10 2020, 12:10 AM.

Details

Reviewers

Commits

rS367588: Fix a pair of races in SIGIO registration

Summary

First, funsetownlst() list looks at the first element of the list to see
whether it's processing a process or a process group list. Then it
acquires the global sigio lock and processes the list. However, nothing
prevents the first sigio structure from being freed by a concurrent
funsetown() before the sigio lock is acquired.

Fix this by acquiring the global sigio lock immediately after checking
whether the list is empty. Callers of funsetownlst() ensure that new
sigios cannot be added concurrently.

Second, fsetown() uses funsetown() to remove an existing sigio structure
from a file object (e.g., a pipe or TTY). However, funsetown() uses a
racy check to avoid the sigio lock, so two threads may call fsetown() on
the same file object, observe that no sigio structure is present, and
enqueue two sigio structures for the same file object. However, if the
file object is destroyed, funsetown() will only remove one sigio
structure, and funsetownlst() may later trigger a use-after-free when it
clears *sigio->sio_myref for each sigio list entry.

Fix this by introducing funsetown_locked(), which avoids the racy check.

Test Plan

Peter reported panic on amd64 with !UMA_MD_SMALL_ALLOC in
funsetownlst() where sio_myref is dereferenced. I believe this is a
result of the second race described above.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj requested review of this revision.Nov 10 2020, 12:10 AM

markj created this revision.

Harbormaster completed remote builds in B34718: Diff 79364.Nov 10 2020, 12:10 AM

markj edited the test plan for this revision. (Show Details)Nov 10 2020, 12:14 AM

markj added a reviewer: kib.

markj added a subscriber: pho.

emaste added a subscriber: emaste.Nov 10 2020, 3:26 PM

kib accepted this revision.Nov 10 2020, 9:47 PM

kib added inline comments.

sys/kern/kern_descrip.c
1101 ↗	(On Diff #79364)	Why not save the pointer to the first element of the list (either pg_sigiolst, or p_sigiolst) to a local var, and then reinit it. Then you do not need relocking pgrp/proc, and perhaps even SIGIO as well.

This revision is now accepted and ready to land.Nov 10 2020, 9:47 PM

markj added inline comments.Nov 10 2020, 10:24 PM

sys/kern/kern_descrip.c
1101 ↗	(On Diff #79364)	I don't really follow. Reinit what, exactly? Note, the lock order is SIGIO -> PROC/PGRP, so if the SIGIO lock is dropped, the others must be reacquired as well. Actually, I don't know why we drop the SIGIO lock in this loop. Maybe there's some other LOR. In any case, I think we could move sigios to a free list and dispose of them in a separate loop. Then there's no need to drop and reacquire any locks.