From 5079660689ae430b6aa709fcfb735b6d69a37adf Mon Sep 17 00:00:00 2001 From: hselasky Date: Fri, 15 May 2020 12:47:39 +0000 Subject: [PATCH] Assign process group of the TTY under the "proctree_lock". This fixes a race where concurrent calls to doenterpgrp() and leavepgrp() while TIOCSCTTY is executing may result in tp->t_pgrp changing value so that tty_rel_pgrp() misses clearing it to NULL. For more details refer to the use of pgdelete() in the kernel. No functional change intended. Panic backtrace: __mtx_lock_sleep() # page fault due to using destroyed mutex tty_signal_pgrp() tty_ioctl() ptsdev_ioctl() kern_ioctl() sys_ioctl() amd64_syscall() MFC after: 1 week Sponsored by: Mellanox Technologies --- sys/kern/tty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/tty.c b/sys/kern/tty.c index dbf92487136..4c11ff56000 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -1818,7 +1818,6 @@ tty_generic_ioctl(struct tty *tp, u_long cmd, void *data, int fflag, tp->t_session = p->p_session; tp->t_session->s_ttyp = tp; tp->t_sessioncnt++; - sx_xunlock(&proctree_lock); /* Assign foreground process group. */ tp->t_pgrp = p->p_pgrp; @@ -1826,6 +1825,7 @@ tty_generic_ioctl(struct tty *tp, u_long cmd, void *data, int fflag, p->p_flag |= P_CONTROLT; PROC_UNLOCK(p); + sx_xunlock(&proctree_lock); return (0); } case TIOCSPGRP: { -- 2.45.0