https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203332
Mateusz Guzik <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
             Status|New                         |In Progress

--- Comment #1 from Mateusz Guzik <[email protected]> ---
This looks like a use-after-free I mentioned some time ago.

do_fork makes newproc runnable and fork1 does not pin it in any way, thus by the time do_fork returns the process could have already exited. Interestingly, do_fork itself has this problem.

Here the faulting address 0xa8 matches what would be a linked list access in a struct racct if the pointer read was null. The pointer in question is nullified on process exit and initialized on fork.

I'll ponder a reasonable fix.

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "[email protected]"
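The lifetime problem the comment describes, as an added illustration that is not FreeBSD code and not the fix the author eventually wrote: a creator hands a new object to another actor that may tear it down before the creator is finished with it. The model below is single-threaded so the bad ordering ("child exits before the parent's post-fork read") can be forced deterministically. The struct layout, the `proc_hold`/`proc_rele` names (loosely modelled on the PHOLD/PRELE idea of pinning a process) and the `scenario` function are all assumptions of this example; the small triage helper at the end encodes the reasoning the comment applies to the 0xa8 fault address (a fault address smaller than the struct is a NULL base plus a field offset).

```c
/*
 * Added example, not FreeBSD code: a simplified, single-threaded model of a
 * "publish, then dereference without pinning" use-after-free, beside the
 * pinned (hold-count) form that keeps the object alive and checks its state.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct racct {
    int64_t r_resources[8];   /* constructed layout, NOT the real struct racct */
    struct racct *r_next;     /* stand-in for the list linkage the comment mentions */
};

struct proc {
    int p_pid;
    int p_hold;               /* pin count; the object is freed when it reaches 0 */
    int p_exited;
    struct racct *p_racct;    /* nullified on exit, as the report describes */
};

static struct proc *proc_create(int pid) {
    struct proc *p = calloc(1, sizeof(*p));
    if (p == NULL) abort();
    p->p_pid = pid;
    p->p_hold = 1;            /* the "process itself" owns one reference */
    p->p_racct = calloc(1, sizeof(*p->p_racct));
    if (p->p_racct == NULL) abort();
    return p;
}

/* Pin: the caller guarantees the memory stays valid until its proc_rele(). */
static void proc_hold(struct proc *p) { p->p_hold++; }

/* Drop one reference; the last one frees the object. Returns 1 if freed. */
static int proc_rele(struct proc *p) {
    if (--p->p_hold > 0) return 0;
    free(p);
    return 1;
}

/* Process exit: tear down accounting state, then drop the process's own ref. */
static void proc_exit(struct proc *p) {
    free(p->p_racct);
    p->p_racct = NULL;
    p->p_exited = 1;
    proc_rele(p);
}

/*
 * Unsafe pattern from the report: the creator was handed the new object with
 * no pin. If the child has exited, p_racct is NULL and this dereference faults
 * at NULL + offsetof(struct racct, r_resources[0]); in a kernel the struct
 * proc itself may already have been recycled. Shown for contrast, not called.
 */
static int64_t read_cpu_unpinned(struct proc *child) {
    return child->p_racct->r_resources[0];
}

/* Safe pattern: pin, check the state under the pin, then release. */
static int read_cpu_pinned(struct proc *child, int64_t *out) {
    int ok = 0;
    proc_hold(child);
    if (!child->p_exited && child->p_racct != NULL) {
        *out = child->p_racct->r_resources[0];
        ok = 1;
    }
    proc_rele(child);
    return ok;
}

/*
 * Triage helper: a small, non-zero fault address is a NULL base plus a field
 * offset into some struct. The comment applies exactly this reasoning to 0xa8.
 */
static int fault_is_null_plus_offset(uintptr_t addr, size_t struct_size) {
    return addr != 0 && addr < struct_size;
}

/* Forced bad ordering: the child exits between being created and the parent's read. */
static int scenario(void) {
    struct proc *child = proc_create(1234);
    proc_hold(child);                      /* creator pins it before handing it off */
    proc_exit(child);                      /* child runs and exits first */
    int64_t v = -1;
    int ok = read_cpu_pinned(child, &v);   /* memory still valid; state check says "exited" */
    int freed = proc_rele(child);          /* creator's pin was the last reference */
    (void)read_cpu_unpinned;
    return (ok == 0 && freed == 1) ? 0 : 1;
}

int main(void) {
    printf("pinned read on exited child: %s\n", scenario() == 0 ? "handled" : "BUG");
    printf("0xa8 looks like NULL+offset: %d\n", fault_is_null_plus_offset(0xa8, 0x100));
    return 0;
}
```

The point of the hold count is that the creator's `proc_hold` happens before anyone else can run the new object, so the later `read_cpu_pinned` never races with the free; the exit path still nulls `p_racct`, which is why the pinned reader checks it rather than assuming a freshly forked process is still alive.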
