https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382
--- Comment #26 from [email protected] ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=8f3227f527567aef53da845ab78da8e16d9051c1

commit 8f3227f527567aef53da845ab78da8e16d9051c1
Author:     Mark Johnston <[email protected]>
AuthorDate: 2026-03-27 00:24:18 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2026-03-27 00:24:18 +0000

    kqueue: Fix a race when adding an fd-based knote to a queue

    When registering a new kevent backed by a file descriptor, we first
    look up the file description with fget(), then lock the kqueue, then
    see if a corresponding knote is already registered. If not, and KN_ADD
    is specified, we add the knote to the kqueue.

    closefp_impl() interlocks with this process by calling knote_fdclose(),
    which locks each kqueue and checks to see if the fd is registered with
    a knote. But, if userspace closes an fd while a different thread is
    registering it, i.e., after fget() succeeds but before the kqueue is
    locked, then we may end up with a mismatch in the knote table, where
    the knote kn_fp field points to a different file description than the
    knote ident.

    Fix the problem by double-checking before registering a knote. Add a
    new fget_noref_unlocked() helper for this purpose. It is a clone of
    fget_noref(). We could simply use fget_noref(), but I like having an
    explicit unlocked variant.

    PR:             293382
    Reviewed by:    kib
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D55852

 sys/kern/kern_event.c | 14 +++++++++++++-
 sys/sys/filedesc.h    | 17 +++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
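The race the commit message describes is a lookup-then-lock TOCTOU: fget() resolves the fd outside the kqueue lock, close() on another thread can drop and reuse the descriptor in the gap, and the knote then records an ident that no longer names kn_fp. The following is an added, single-threaded model of that window and of the fix (re-resolving the fd under the lock and refusing the add on mismatch). It is not FreeBSD code: struct names, model_fget(), model_close(), kq_register_racy(), kq_register_checked() and the scenario helpers are all assumptions of this model, standing in for the real paths in sys/kern/kern_event.c; the "other thread" is simulated by a callback run deterministically inside the window.

```c
/* Added example modelling the kqueue fd-registration race; not FreeBSD code.
 * All identifiers below are assumptions of this model, not kernel names. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NFDS    8
#define NKNOTES 8

struct file { int f_id; };                 /* stands in for a file description */
struct knote { int kn_ident; struct file *kn_fp; };
struct fdtable { struct file *fds[NFDS]; };
struct kqueue { bool locked; int nknotes; struct knote knotes[NKNOTES]; };

/* Model of fget(): the file currently installed at fd, or NULL. */
static struct file *model_fget(struct fdtable *fdt, int fd) {
    return (fd < 0 || fd >= NFDS) ? NULL : fdt->fds[fd];
}

/* Model of close(): like closefp_impl() -> knote_fdclose(), it drops any
 * knote registered on fd before the slot is freed. */
static void model_close(struct fdtable *fdt, struct kqueue *kq, int fd) {
    fdt->fds[fd] = NULL;
    for (int i = 0; i < kq->nknotes; i++)
        if (kq->knotes[i].kn_ident == fd)
            kq->knotes[i--] = kq->knotes[--kq->nknotes];
}

static struct knote *find_knote(struct kqueue *kq, int fd) {
    for (int i = 0; i < kq->nknotes; i++)
        if (kq->knotes[i].kn_ident == fd) return &kq->knotes[i];
    return NULL;
}

static int add_knote(struct kqueue *kq, int fd, struct file *fp) {
    if (kq->nknotes == NKNOTES) return -1;
    kq->knotes[kq->nknotes].kn_ident = fd;
    kq->knotes[kq->nknotes].kn_fp = fp;
    kq->nknotes++;
    return 0;
}

/* `window`, if non-NULL, runs between the unlocked fget() and taking the
 * kqueue lock: it plays the other thread that closes and reuses the fd. */
typedef void (*window_fn)(struct fdtable *, struct kqueue *, void *);

/* Pre-fix path: trusts the fp obtained before the kqueue was locked. */
static int kq_register_racy(struct fdtable *fdt, struct kqueue *kq, int fd,
                            window_fn window, void *arg) {
    struct file *fp = model_fget(fdt, fd);       /* unlocked lookup */
    if (fp == NULL) return -1;
    if (window) window(fdt, kq, arg);            /* race window */
    kq->locked = true;
    int rc = find_knote(kq, fd) ? 0 : add_knote(kq, fd, fp);
    kq->locked = false;
    return rc;
}

/* Post-fix path: under the lock, re-check that fd still names the same fp
 * (the role the commit gives fget_noref_unlocked()); bail out otherwise. */
static int kq_register_checked(struct fdtable *fdt, struct kqueue *kq, int fd,
                               window_fn window, void *arg) {
    struct file *fp = model_fget(fdt, fd);
    if (fp == NULL) return -1;
    if (window) window(fdt, kq, arg);
    kq->locked = true;
    int rc;
    if (model_fget(fdt, fd) != fp)
        rc = -1;                                 /* closed or reused: refuse */
    else
        rc = find_knote(kq, fd) ? 0 : add_knote(kq, fd, fp);
    kq->locked = false;
    return rc;
}

/* Invariant the bug violates: every knote's kn_fp is the file at kn_ident. */
static bool knote_table_consistent(const struct fdtable *fdt, const struct kqueue *kq) {
    for (int i = 0; i < kq->nknotes; i++)
        if (fdt->fds[kq->knotes[i].kn_ident] != kq->knotes[i].kn_fp) return false;
    return true;
}

/* The racing thread: close fd 3, then reopen it with a different file. */
static void close_and_reuse(struct fdtable *fdt, struct kqueue *kq, void *arg) {
    model_close(fdt, kq, 3);
    fdt->fds[3] = (struct file *)arg;
}

/* Runs one registration of fd 3 (constructed scenario), optionally racing it
 * against close_and_reuse. Returns whether the knote table is consistent
 * afterwards and stores the registration result in *rc_out. */
static bool run_scenario(bool fixed, bool race, int *rc_out) {
    static struct file oldf = { 1 }, newf = { 2 };
    struct fdtable fdt; struct kqueue kq;
    memset(&fdt, 0, sizeof fdt); memset(&kq, 0, sizeof kq);
    fdt.fds[3] = &oldf;
    window_fn w = race ? close_and_reuse : NULL;
    int rc = fixed ? kq_register_checked(&fdt, &kq, 3, w, &newf)
                   : kq_register_racy(&fdt, &kq, 3, w, &newf);
    if (rc_out) *rc_out = rc;
    return knote_table_consistent(&fdt, &kq);
}

static int scenario_rc(bool fixed, bool race) { int rc; run_scenario(fixed, race, &rc); return rc; }
```

Without the race both paths behave identically; with it, the pre-fix path reports success while leaving a knote whose kn_fp is the old file and whose ident now names the new one, and the checked path instead fails the registration, which is the correct outcome for a descriptor that was closed underneath the caller.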
