Differential D31759

itimer: Serialize accesses to p->p_itimers
ClosedPublic
Actions

Authored by markj on Aug 31 2021, 7:19 PM.

Details

Reviewers

kib

Commits

rG3138392a46a4: itimer: Serialize access to the p_itimers array

Summary

Fix a subtle race between itimer_proc_continue() and process exit.

itimer_proc_continue() may be called via realitexpire(), the real
interval timer. Note that exit1() drains this timer _after_ draining
and freeing itimers. Moreover, itimers_exit() is called without the
process lock held; it only acquires the proc lock when deleting
individual itimers, so once they are drained we free p->p_itimers
without any synchronization. Thus, itimer_proc_continue() may load a
non-NULL p->p_itimers array and iterate over it after it has been freed.

Fix the problem by using the process lock to synchronize with
itimer_proc_continue(). Since itimers are allocated lazily I think the
extra overhead is acceptable. Another solution may be to short-circuit
execution of itimer_proc_continue() if P_WEXIT is set.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Aug 31 2021, 7:19 PM

Herald added a subscriber: imp. · View Herald TranscriptAug 31 2021, 7:19 PM

markj requested review of this revision.Aug 31 2021, 7:19 PM

Harbormaster completed remote builds in B41301: Diff 94450.Aug 31 2021, 7:19 PM

kib accepted this revision.Aug 31 2021, 8:17 PM

kib added inline comments.

sys/kern/kern_time.c
1825–1826	I think an explanation is needed there, that the lock is not about protecting the assignment as is, but to sync assignment with the itimer_proc_continue().

This revision is now accepted and ready to land.Aug 31 2021, 8:17 PM