From a61a584a5fdbc5be40f0690213d0fa938e2a9ade Mon Sep 17 00:00:00 2001 From: hselasky Date: Fri, 22 May 2020 09:02:40 +0000 Subject: [PATCH] MFC r361075: Assign process group of the TTY under the "proctree_lock". This fixes a race where concurrent calls to doenterpgrp() and leavepgrp() while TIOCSCTTY is executing may result in tp->t_pgrp changing value so that tty_rel_pgrp() misses clearing it to NULL. For more details refer to the use of pgdelete() in the kernel. No functional change intended. Panic backtrace: __mtx_lock_sleep() # page fault due to using destroyed mutex tty_signal_pgrp() tty_ioctl() ptsdev_ioctl() kern_ioctl() sys_ioctl() amd64_syscall() Sponsored by: Mellanox Technologies git-svn-id: svn://svn.freebsd.org/base/stable/9@361359 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- sys/kern/tty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/tty.c b/sys/kern/tty.c index 11dac8655..dfd3e2bf9 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -1611,7 +1611,6 @@ tty_generic_ioctl(struct tty *tp, u_long cmd, void *data, int fflag, tp->t_session = p->p_session; tp->t_session->s_ttyp = tp; tp->t_sessioncnt++; - sx_xunlock(&proctree_lock); /* Assign foreground process group. */ tp->t_pgrp = p->p_pgrp; @@ -1619,6 +1618,7 @@ tty_generic_ioctl(struct tty *tp, u_long cmd, void *data, int fflag, p->p_flag |= P_CONTROLT; PROC_UNLOCK(p); + sx_xunlock(&proctree_lock); return (0); } case TIOCSPGRP: { -- 2.45.0