Page MenuHomeFreeBSD
Differential D39830

killpg1: Fix a race between fork(2) and killpg1()
AbandonedPublic
Actions

Authored by dchagin on Apr 26 2023, 12:46 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Nov 30, 11:12 PM
Unknown Object (File)
Sun, Nov 23, 11:11 AM
Unknown Object (File)
Sun, Nov 23, 5:57 AM
Unknown Object (File)
Fri, Nov 21, 4:52 PM
Unknown Object (File)
Nov 8 2025, 8:13 AM
Unknown Object (File)
Oct 29 2025, 8:30 AM
Unknown Object (File)
Oct 29 2025, 8:12 AM
Unknown Object (File)
Oct 27 2025, 2:23 PM
View All 61 Files
Subscribers
imp

Details

Reviewers
kib
Summary

We might not yes see a new child when signalling a process. Ensure that
this cannot happen by stoping all corresponding processes, which ensures
that the child is not inside a syscall, in particular fork(2).

The patch modeled after the series of PROC_REAP_KILL commits.

Test Plan

Note that pgsignal also should be modified, I propose to fix it when killpg1 is ready

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 51208
Build 48099: arc lint + arc unit

Event Timeline

dchagin created this revision.Apr 26 2023, 12:46 PM
Herald added a subscriber: imp. · View Herald TranscriptApr 26 2023, 12:46 PM
dchagin requested review of this revision.Apr 26 2023, 12:46 PM
Harbormaster completed remote builds in B51208: Diff 121076.Apr 26 2023, 12:46 PM
dchagin edited the test plan for this revision. (Show Details)Apr 26 2023, 12:58 PM
dchagin added a reviewer: kib.
kib added a comment.Apr 27 2023, 1:46 AM

Can this code be somewhat unified with reaper kill, instead of copied?

dchagin added a comment.Apr 27 2023, 7:49 AM
In D39830#906945, @kib wrote:

Can this code be somewhat unified with reaper kill, instead of copied?

Well, I tried that from the beginning, but there are too many differences in the main part (subtree). I can try to unify taskqueue part, is it ok to move it to kern_sig.c?

kib added a comment.Apr 28 2023, 9:06 PM

Note that stopping process could cause spurious EINTRs returned from some syscalls.
Another thing I am curious about, is the overhead of this approach for more common operation killpg(2) then the reap kill. Are there any consumers that would note the difference?

Did you consider other approaches? For instance, we can add a generation counter to the struct pgrp and increment it on the process addition. I am not sure that this could be made into proper fix for all races, but might be worth trying.

sys/kern/kern_sig.c
1806

The code from this function, starting from this point, up to the end, except two lines, can be shared with reap_kill_proc_locked(). I see that the block after cr_cansignal() cannot be easily shared.

dchagin added a comment.May 1 2023, 9:04 PM
In D39830#907696, @kib wrote:

Note that stopping process could cause spurious EINTRs returned from some syscalls.

Thats sad, then a differ approach is needed indeed.

Another thing I am curious about, is the overhead of this approach for more common operation killpg(2) then the reap kill. Are there any consumers that would note the difference?

I think that broadcast case is most important here as it used by jail subsystem which is widely used.

Did you consider other approaches? For instance, we can add a generation counter to the struct pgrp and increment it on the process addition. I am not sure that this could be made into proper fix for all races, but might be worth trying.

Due to broadcast case of killpg1() we need another approach, for now i dont have a good idea. What if we going to mark signals as broadcast in killpg1() and then ‘copy' such signals to the newly created child during dofork()?

dchagin abandoned this revision.Jun 12 2023, 8:48 AM

https://reviews.freebsd.org/D40493

Revision Contents
Changeset List

PathSize
sys/
kern/
9 lines
191 lines
sys/
2 lines

Diff 121076

View Options

sys/kern/kern_jail.c

Loading...
View Options

sys/kern/kern_sig.c

Loading...
View Options

sys/sys/signalvar.h

Loading...