d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1ad9ee8603
freebsd-nq/sys/kern
History
Xin LI 1ad9ee8603 Close race conditions between fork() and [sg]etpriority()'s 
PRIO_USER case, possibly also other places that deferences
p_ucred.

In the past, we insert a new process into the allproc list right
after PID allocation, and release the allproc_lock sx.  Because
most content in new proc's structure is not yet initialized,
this could lead to undefined result if we do not handle PRS_NEW
with care.

The problem with PRS_NEW state is that it does not provide fine
grained information about how much initialization is done for a
new process.  By defination, after PRIO_USER setpriority(), all
processes that belongs to given user should have their nice value
set to the specified value.  Therefore, if p_{start,end}copy
section was done for a PRS_NEW process, we can not safely ignore
it because p_nice is in this area.  On the other hand, we should
be careful on PRS_NEW processes because we do not allow non-root
users to lower their nice values, and without a successful copy
of the copy section, we can get stale values that is inherted
from the uninitialized area of the process structure.

This commit tries to close the race condition by grabbing proc
mutex *before* we release allproc_lock xlock, and do copy as
well as zero immediately after the allproc_lock xunlock.  This
guarantees that the new process would have its p_copy and p_zero
sections, as well as user credential informaion initialized.  In
getpriority() case, instead of grabbing PROC_LOCK for a PRS_NEW
process, we just skip the process in question, because it does
not affect the final result of the call, as the p_nice value
would be copied from its parent, and we will see it during
allproc traverse.

Other potential solutions are still under evaluation.

Discussed with:	davidxu, jhb, rwatson
PR:		kern/108071
MFC after:	2 weeks
2007-02-26 03:38:09 +00:00
..
bus_if.m o break newbus api: add a new argument of type driver_filter_t to 2007-02-23 12:19:07 +00:00
clock_if.m
cpufreq_if.m
device_if.m
genassym.sh
imgact_aout.c Correct two vm object reference leaks in error cases. 2006-03-16 08:51:59 +00:00
imgact_elf32.c
imgact_elf64.c
imgact_elf.c Use FOREACH_PROC_IN_SYSTEM instead of using its unrolled form. 2007-01-17 14:58:53 +00:00
imgact_gzip.c Maintain the lock on the vnode for most of exec_elfN_imgact(). 2005-12-24 04:57:50 +00:00
imgact_shell.c
inflate.c Normalize a significant number of kernel malloc type names: 2005-10-31 15:41:29 +00:00
init_main.c - Remove setrunqueue and replace it with direct calls to sched_add(). 2007-01-23 08:46:51 +00:00
init_sysent.c This commits the remake in kern/ make sysent to get 2006-11-03 18:57:49 +00:00
kern_acct.c Resort copyrights and licenses in kern_acct.c: per UCB letter, 2007-01-08 20:35:13 +00:00
kern_acl.c Re-wrap comments to wider margins now that they have been relocated from 2007-01-12 22:01:03 +00:00
kern_alq.c Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h 2006-10-22 11:52:19 +00:00
kern_clock.c Align the interfaces for the various watchdogs and make the interface 2006-12-15 21:44:49 +00:00
kern_condvar.c Add second sleep queue so that sx and lockmgr can have separate sleep 2006-12-16 06:54:09 +00:00
kern_conf.c Use int instead of u_int for the 'extra' argument to the 2007-02-02 22:27:45 +00:00
kern_context.c
kern_cpu.c - Print message about cpufreq and timecounter TSC 2006-03-03 02:06:04 +00:00
kern_descrip.c Catch up file descriptor printing function in DDB to the addition of kqueues 2007-02-15 10:55:43 +00:00
kern_environment.c Sweep kernel replacing suser(9) calls with priv(9) calls, assigning 2006-11-06 13:42:10 +00:00
kern_event.c Save exit status of an exiting process in kn_data in the knote. 2006-11-20 22:17:50 +00:00
kern_exec.c Sweep kernel replacing suser(9) calls with priv(9) calls, assigning 2006-11-06 13:42:10 +00:00
kern_exit.c Move sigqueue_take() call into proc_reparent(), this fixed bugs where 2006-10-25 06:18:04 +00:00
kern_fork.c Close race conditions between fork() and [sg]etpriority()'s 2007-02-26 03:38:09 +00:00
kern_idle.c - Remove setrunqueue and replace it with direct calls to sched_add(). 2007-01-23 08:46:51 +00:00
kern_intr.c o break newbus api: add a new argument of type driver_filter_t to 2007-02-23 12:19:07 +00:00
kern_jail.c Remove unused PRIV_IPC_EXEC. Renumbers System V IPC privilege. 2007-02-20 00:12:52 +00:00
kern_kse.c - Remove setrunqueue and replace it with direct calls to sched_add(). 2007-01-23 08:46:51 +00:00
kern_kthread.c - Remove setrunqueue and replace it with direct calls to sched_add(). 2007-01-23 08:46:51 +00:00
kern_ktr.c Remove slightly oddly placed suser() call from the KTR/ALQ setup sysctl: 2006-09-09 16:09:01 +00:00
kern_ktrace.c Do not do a vn_close for all references to the ktraced file if we are 2007-02-13 00:20:13 +00:00
kern_linker.c Drop the global kernel linker lock while executing the sysinit's for a 2007-02-23 19:46:59 +00:00
kern_lock.c track lock class name in a way that doesn't break WITNESS 2006-11-13 05:41:46 +00:00
kern_lockf.c
kern_malloc.c Increase usefulness of "show malloc" by moving from displaying the basic 2006-10-26 10:17:13 +00:00
kern_mbuf.c Fix for problems that occur when all mbuf clusters migrate to the mbuf packet 2007-01-25 01:05:23 +00:00
kern_mib.c
kern_module.c Address a problem I missed in removing Giant from the kernel linker. Not 2006-06-26 18:34:45 +00:00
kern_mtxpool.c
kern_mutex.c - Fix some gcc warnings in lock_profile.h 2006-12-16 02:37:58 +00:00
kern_ntptime.c When ntp_gettime() was converted from a sysctl + wrapper to a system 2007-01-12 07:40:30 +00:00
kern_physio.c
kern_pmc.c Fix -Wundef. 2005-12-04 02:12:43 +00:00
kern_poll.c Threading cleanup.. part 2 of several. 2006-12-06 06:34:57 +00:00
kern_priv.c Add a new priv(9) kernel interface for checking the availability of 2006-11-06 13:37:19 +00:00
kern_proc.c Threading cleanup.. part 2 of several. 2006-12-06 06:34:57 +00:00
kern_prot.c Sort copyrights together. 2007-01-08 20:37:02 +00:00
kern_resource.c Close race conditions between fork() and [sg]etpriority()'s 2007-02-26 03:38:09 +00:00
kern_rwlock.c track lock class name in a way that doesn't break WITNESS 2006-11-13 05:41:46 +00:00
kern_sema.c
kern_shutdown.c Sweep kernel replacing suser(9) calls with priv(9) calls, assigning 2006-11-06 13:42:10 +00:00
kern_sig.c Give which signal caller has attempted to deliver when panicking. 2007-02-09 17:48:28 +00:00
kern_subr.c Removes useless (flags | ) KASSERT. The ^ one that actually 2007-01-16 11:40:55 +00:00
kern_switch.c - Change types for necent runq additions to u_char rather than int. 2007-02-08 01:52:25 +00:00
kern_sx.c track lock class name in a way that doesn't break WITNESS 2006-11-13 05:41:46 +00:00
kern_synch.c Add a new kernel sleep function pause(9). pause(9) is for places that 2007-02-23 16:22:09 +00:00
kern_syscalls.c Make system call modules a bit more robust: 2006-08-01 16:32:20 +00:00
kern_sysctl.c Sweep kernel replacing suser(9) calls with priv(9) calls, assigning 2006-11-06 13:42:10 +00:00
kern_tc.c Commit the results of the typo hunt by Darren Pilgrim. 2006-08-04 07:56:35 +00:00
kern_thr.c - Remove setrunqueue and replace it with direct calls to sched_add(). 2007-01-23 08:46:51 +00:00
kern_thread.c Prefer a more traditional spelling of inhibited in comments and panic 2006-12-31 15:56:04 +00:00
kern_time.c - Remove third parameter of itimer_find, the parameter is always zero. 2006-11-28 03:24:34 +00:00
kern_timeout.c Improve ktr(4) logging for callout(9) subsystem. Log all inserts and 2006-10-11 14:57:03 +00:00
kern_umtx.c Add a lwpid field into per-cpu structure, the lwpid represents current 2006-12-20 04:40:39 +00:00
kern_uuid.c Separate functions with a newline. 2006-07-17 21:00:42 +00:00
kern_xxx.c Sweep kernel replacing suser(9) calls with priv(9) calls, assigning 2006-11-06 13:42:10 +00:00
ksched.c Threading cleanup.. part 2 of several. 2006-12-06 06:34:57 +00:00
link_elf_obj.c Linker set support depends on the magic __start_<section> and 2006-11-30 10:50:29 +00:00
link_elf.c Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h 2006-10-22 11:52:19 +00:00
linker_if.m
Make.tags.inc Makefile changes to reflect moving sys/isofs/cd9660 to sys/fs/cd9660. 2007-02-11 14:01:32 +00:00
Makefile Add support for the generated file systrace_args.c. 2006-08-05 19:25:14 +00:00
makesyscalls.sh Merge posix4/* into normal kernel hierarchy. 2006-11-11 16:26:58 +00:00
md4c.c
md5c.c Fix a panic on sparc64 related to inproper aligment - we cannot assume, 2006-03-30 18:45:50 +00:00
p1003_1b.c Update #includes list. 2006-11-11 16:19:12 +00:00
posix4_mib.c Fix mispatch of includes list; allows my kernel to build successfully. 2006-11-12 03:34:03 +00:00
sched_4bsd.c Move the seting of the idle_mask bits to a place where they 2007-02-02 05:14:22 +00:00
sched_core.c - Remove setrunqueue and replace it with direct calls to sched_add(). 2007-01-23 08:46:51 +00:00
sched_ule.c - Change types for necent runq additions to u_char rather than int. 2007-02-08 01:52:25 +00:00
serdev_if.m MFp4: Add the ipend() method to the serdev I/F to allow umbrella 2006-04-23 22:12:39 +00:00
subr_acl_posix1e.c Sweep kernel replacing suser(9) calls with priv(9) calls, assigning 2006-11-06 13:42:10 +00:00
subr_autoconf.c Add a mutex to protect the list of interrupt config hooks. We do assume 2006-07-19 18:53:56 +00:00
subr_blist.c
subr_bus.c o break newbus api: add a new argument of type driver_filter_t to 2007-02-23 12:19:07 +00:00
subr_clist.c
subr_clock.c Use utc_offset() where applicable, and hide the internals of it 2006-10-02 18:23:37 +00:00
subr_devstat.c
subr_disk.c Add a new I/O request - BIO_FLUSH, which basically tells providers below to 2006-10-31 21:11:21 +00:00
subr_eventhandler.c
subr_fattime.c Better naming of fattime conversion functions, they do convert to timespec 2006-10-24 10:27:23 +00:00
subr_firmware.c Cleanup and document the implementation of firmware(9) based on 2007-02-15 17:21:31 +00:00
subr_hints.c Use a sleep mutex instead of an sx lock for the kernel environment. This 2006-07-09 21:42:58 +00:00
subr_kdb.c Add a funny sysctl: debug.kdb.trap_code . 2006-06-18 12:27:59 +00:00
subr_kobj.c Increment kobj_lookup_misses on a miss rather than decrementing it. 2005-12-29 18:00:42 +00:00
subr_lock.c Bug fix for obscenely large wait times on uncontested locks 2006-12-04 22:15:50 +00:00
subr_log.c
subr_mbpool.c
subr_mchain.c
subr_module.c
subr_msgbuf.c
subr_param.c Partially revert revision 1.66, which contained a change that did not 2005-10-14 19:15:10 +00:00
subr_pcpu.c Fix 'show allpcpu' ddb command on non-x86. CPU IDs are in the range 0 .. 2005-11-03 21:06:29 +00:00
subr_power.c General consensus is that it would be even better to run this in a 2005-11-09 16:22:56 +00:00
subr_prf.c Flushing the buffer is conditional on actually using the buffer. Oops. 2006-11-30 07:25:52 +00:00
subr_prof.c Change the addupc_*() functions to use the uintfptr_t type for pc rather 2005-12-16 22:08:32 +00:00
subr_rman.c Fix a case in rman_manage_region() where the resource list would get missorted. 2007-02-23 22:53:56 +00:00
subr_rtc.c Use utc_offset() where applicable, and hide the internals of it 2006-10-02 18:23:37 +00:00
subr_sbuf.c Make sbuf_copyin() return the number of bytes copied on success. 2005-12-23 11:49:53 +00:00
subr_scanf.c
subr_sleepqueue.c Cleaner fix for handling declaration of loop variable under INVARIANTS 2006-12-17 00:14:20 +00:00
subr_smp.c Rename the KDB_STOP_NMI kernel option to STOP_NMI and make it apply to all 2005-10-24 21:04:19 +00:00
subr_stack.c Correct typos 2006-05-28 22:15:28 +00:00
subr_taskqueue.c - Remove setrunqueue and replace it with direct calls to sched_add(). 2007-01-23 08:46:51 +00:00
subr_trap.c Threading cleanup.. part 2 of several. 2006-12-06 06:34:57 +00:00
subr_turnstile.c - Remove setrunqueue and replace it with direct calls to sched_add(). 2007-01-23 08:46:51 +00:00
subr_unit.c
subr_witness.c Remove unnecessary privilege and privilege check for WITNESS sysctl. 2007-02-20 23:49:31 +00:00
sys_generic.c Prevent IOC_IN with zero size argument (this is only supported 2006-10-14 19:01:55 +00:00
sys_pipe.c Use pipe_direct_write() optimization only if the data is in process' memory. 2006-12-19 12:52:22 +00:00
sys_process.c Make KSE a kernel option, turned on by default in all GENERIC 2006-10-26 21:42:22 +00:00
sys_socket.c Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h 2006-10-22 11:52:19 +00:00
syscalls.c This commits the remake in kern/ make sysent to get 2006-11-03 18:57:49 +00:00
syscalls.master Ok, here it is, we finally add SCTP to current. Note that this 2006-11-03 15:23:16 +00:00
systrace_args.c Ok, here it is, we finally add SCTP to current. Note that this 2006-11-03 15:23:16 +00:00
sysv_ipc.c Sync up PRIV_IPC_{ADMIN,READ,WRITE} priv checks in ipcperm() with 2007-02-20 00:06:59 +00:00
sysv_msg.c Do allow privilege to create over-sized messages on System V IPC 2007-02-19 13:23:45 +00:00
sysv_sem.c Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h 2006-10-22 11:52:19 +00:00
sysv_shm.c Remove call to ipcperm() in shmget_existing(). The flags argument is 2007-02-19 22:56:10 +00:00
tty_compat.c Move the old BSD4.3 tty compatibility from (!BURN_BRIDGES && COMPAT_43) 2006-01-10 09:19:10 +00:00
tty_conf.c
tty_cons.c Sweep kernel replacing suser(9) calls with priv(9) calls, assigning 2006-11-06 13:42:10 +00:00
tty_pts.c Canonicalize copyrights in some files I hold copyrights on: 2007-01-08 17:49:59 +00:00
tty_pty.c Sweep kernel replacing suser(9) calls with priv(9) calls, assigning 2006-11-06 13:42:10 +00:00
tty_subr.c
tty_tty.c Use ctty instead of just returning. ctty just has a simple open that 2006-09-27 16:41:15 +00:00
tty.c Back out rev. 1.266. The real cause for the recent panics has been fixed 2006-12-20 02:49:59 +00:00
uipc_accf.c
uipc_cow.c Previously, nothing prevented the page that was returned by pmap_extract() 2005-10-23 07:41:56 +00:00
uipc_debug.c Teach DDB how to print sockets, socket buffers, protosw's, and domain 2007-02-15 01:28:22 +00:00
uipc_domain.c soreceive_generic(), and sopoll_generic(). Add new functions sosend(), 2006-07-24 15:20:08 +00:00
uipc_mbuf2.c Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h 2006-10-22 11:52:19 +00:00
uipc_mbuf.c Unbreak writes of 0 bytes. Zero byte writes happen when only ancillary 2007-01-22 14:50:28 +00:00
uipc_mqueue.c Merge posix4/* into normal kernel hierarchy. 2006-11-11 16:26:58 +00:00
uipc_sem.c Merge posix4/* into normal kernel hierarchy. 2006-11-11 16:26:58 +00:00
uipc_sockbuf.c Use sysctl_handle_long() instead of duplicating it's logic for 2006-09-06 21:59:36 +00:00
uipc_socket2.c Change two XXX's to two notes: the fact that SOCK_LOCK(so) == 2006-08-02 16:23:52 +00:00
uipc_socket.c Rename somaxconn_sysctl() to sysctl_somaxconn() so that I will be able to 2007-02-15 10:11:00 +00:00
uipc_syscalls.c Fixes the MSG_PEEK for sctp_generic_recvmsg() the msg_flags 2007-01-24 12:59:56 +00:00
uipc_usrreq.c Add an additional MAC check to the UNIX domain socket connect path: 2007-02-22 09:37:44 +00:00
vfs_acl.c Re-wrap comments to wider margins now that they have been relocated from 2007-01-12 22:01:03 +00:00
vfs_aio.c Merge posix4/* into normal kernel hierarchy. 2006-11-11 16:26:58 +00:00
vfs_bio.c Use LIST_EMPTY() instead of unrolled version (LIST_FIRST() [!=]= NULL) 2007-02-22 14:52:59 +00:00
vfs_cache.c Axe Giant from vn_fullpath(9). The vnode -> pathname lookup should be 2006-06-16 05:09:28 +00:00
vfs_cluster.c Replace PG_BUSY with VPO_BUSY. In other words, changes to the page's 2006-10-22 04:28:14 +00:00
vfs_default.c Remove VFS_VPTOFH entirely. API is already broken and it is good time to 2007-02-16 17:32:41 +00:00
vfs_export.c Move vnode-to-file-handle translation from vfs_vptofh to vop_vptofh method. 2007-02-15 22:08:35 +00:00
vfs_extattr.c Update comments to reflect changes in the extattrctl() code. 2006-12-23 00:30:03 +00:00
vfs_hash.c In vfs_hash_get(): mount point should never be changed 2006-04-18 08:05:08 +00:00
vfs_init.c Remove VFS_VPTOFH entirely. API is already broken and it is good time to 2007-02-16 17:32:41 +00:00
vfs_lookup.c If both ISDOTDOT and NOCROSSMOUNT are set then lookup() might breaks out 2007-02-15 09:53:49 +00:00
vfs_mount.c Make vfs_getopts() set *error to ENOENT if the option wasn't found, so that 2007-02-13 01:28:48 +00:00
vfs_subr.c change vop_lock handling to allowing tracking of callers' file and line for 2006-11-13 05:51:22 +00:00
vfs_syscalls.c Remove union_dircheckp hook, it is not needed by new unionfs code anymore. 2007-02-19 10:56:09 +00:00
vfs_vnops.c Add a VNASSERT to vn_close to detect if v_writecount is going 2007-02-12 22:53:01 +00:00
vnode_if.src Move vnode-to-file-handle translation from vfs_vptofh to vop_vptofh method. 2007-02-15 22:08:35 +00:00