On Thu, Aug 01, 2019 at 04:20:16AM +0000, Visa Hankala wrote:
> On Wed, Jul 31, 2019 at 08:22:55PM +0200, Alexandr Nedvedicky wrote:
> > Looks like it can be related to my commit from May:
> >
> >
> > https://github.com/openbsd/src/commit/b50d0c1cf040666aed872208cd6f6ba609197b11#diff-7922ad1d2f6422aa72d4bacd1bf41909
> >
> > I'll try to take a look. The steps to reproduce would be handy.
> >
> > As first aid, I would try applying a reverse patch
> > to the commit above. The reverse patch is below.
>
> Wait, the cause is not understood yet. It looks like the crash happened
> because of a NULL pointer dereference in the loop in SLIST_REMOVE():
> either the element kn was not on the list, or the memory was corrupted.
>
> The system should detach event filters before the object is destroyed.
> That should not need reference counting on the level of the object.
lldpd uses privilege separation and is linked with libevent,
which uses kqueue(2). The crash also does not make much sense
to me so far, because knote_fdclose() gets called before
closef(), which in turn calls bpfclose().
I'd like to better understand what happens on the kernel side when
the /dev/bpf file descriptor is passed from the privileged process to
the unprivileged child. That's something I'd like to look at
once I am back home tonight.
regards
sashan
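The descriptor passing discussed above (a privileged parent handing an open /dev/bpf descriptor to its unprivileged child) is done in userland with sendmsg(2)/recvmsg(2) and an SCM_RIGHTS control message. The following is an added example, not code from lldpd, libevent or the OpenBSD kernel; it passes a pipe read end instead of /dev/bpf so it runs unprivileged on any POSIX system, and the function names send_fd, recv_fd and pass_fd_demo are this example's own. It also shows the point relevant to the close ordering under discussion: once the child holds its own reference, the parent closing its copy does not destroy the open file, so the child can still read from it.

```c
/* Added example: pass a descriptor to a forked child over a Unix socketpair
 * with SCM_RIGHTS, the mechanism a privilege-separated daemon uses to hand
 * a /dev/bpf descriptor to its unprivileged child. Not lldpd/OpenBSD code.
 * Assumption: a pipe stands in for /dev/bpf so no privileges are needed. */
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <string.h>
#include <unistd.h>

/* Send fd over sock as an SCM_RIGHTS control message with one byte of data. */
static int send_fd(int sock, int fd)
{
	char c = 'F';
	struct iovec iov = { .iov_base = &c, .iov_len = 1 };
	char buf[CMSG_SPACE(sizeof(int))];
	struct msghdr msg;

	memset(buf, 0, sizeof buf);
	memset(&msg, 0, sizeof msg);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = buf;
	msg.msg_controllen = sizeof buf;
	struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from sock; returns the new fd or -1. */
static int recv_fd(int sock)
{
	char c;
	struct iovec iov = { .iov_base = &c, .iov_len = 1 };
	char buf[CMSG_SPACE(sizeof(int))];
	struct msghdr msg;
	int fd;

	memset(&msg, 0, sizeof msg);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = buf;
	msg.msg_controllen = sizeof buf;
	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
	if (cm == NULL || cm->cmsg_level != SOL_SOCKET ||
	    cm->cmsg_type != SCM_RIGHTS || cm->cmsg_len != CMSG_LEN(sizeof(int)))
		return -1;
	memcpy(&fd, CMSG_DATA(cm), sizeof(int));
	return fd;
}

/* Returns 1 if the child could still read from the passed descriptor after
 * the parent closed its own copy, 0 on any failure. */
int pass_fd_demo(void)
{
	int sv[2], p[2], status;
	char ack, go = 'G', x = 'x';

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || pipe(p) == -1)
		return 0;
	pid_t pid = fork();
	if (pid == -1)
		return 0;
	if (pid == 0) {			/* unprivileged child side */
		char b;
		close(sv[0]);
		close(p[0]);
		close(p[1]);
		int fd = recv_fd(sv[1]);	/* our own reference to the pipe */
		if (fd < 0)
			_exit(2);
		ack = 'A';
		if (write(sv[1], &ack, 1) != 1 || read(sv[1], &go, 1) != 1)
			_exit(3);
		/* parent has closed its copy by now; the file is still open */
		if (read(fd, &b, 1) != 1 || b != 'x')
			_exit(4);
		_exit(0);
	}
	/* privileged parent side */
	close(sv[1]);
	if (send_fd(sv[0], p[0]) == -1 || read(sv[0], &ack, 1) != 1)
		return 0;
	close(p[0]);				/* drop our reference to the read end */
	if (write(p[1], &x, 1) != 1 || write(sv[0], &go, 1) != 1)
		return 0;
	close(p[1]);
	close(sv[0]);
	if (waitpid(pid, &status, 0) != pid)
		return 0;
	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

The child's read succeeds because the kernel duplicated the file reference into the child's descriptor table; the underlying open file is only destroyed when the last reference goes away, which is the ordering the kernel-side close path has to respect for any event filters attached to it.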