Module Name:    src
Committed By:   maxv
Date:           Mon Apr 20 16:32:03 UTC 2020

Modified Files:
        src/sys/kern: kern_proc.c

Log Message:
Add three KASSERTs, to detect refcount bugs.

This narrows down an as-yet-unidentified bug somewhere nearby, which has manifested
itself in various forms (use-after-frees, uninitialized accesses, page faults,
segmentation faults), all reported by syzbot.

The first KASSERT in fixjobc() fires when the bug is encountered.


To generate a diff of this commit:
cvs rdiff -u -r1.244 -r1.245 src/sys/kern/kern_proc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_proc.c
diff -u src/sys/kern/kern_proc.c:1.244 src/sys/kern/kern_proc.c:1.245
--- src/sys/kern/kern_proc.c:1.244	Sun Apr 19 20:31:59 2020
+++ src/sys/kern/kern_proc.c	Mon Apr 20 16:32:03 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_proc.c,v 1.244 2020/04/19 20:31:59 thorpej Exp $	*/
+/*	$NetBSD: kern_proc.c,v 1.245 2020/04/20 16:32:03 maxv Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2006, 2007, 2008, 2020 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.244 2020/04/19 20:31:59 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.245 2020/04/20 16:32:03 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_kstack.h"
@@ -554,6 +554,7 @@ proc_sessrele(struct session *ss)
 {
 
 	KASSERT(mutex_owned(proc_lock));
+	KASSERT(ss->s_count > 0);
 	/*
 	 * We keep the pgrp with the same id as the session in order to
 	 * stop a process being given the same pid.  Since the pgrp holds
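Review bot: The new `KASSERT(ss->s_count > 0)` says nothing about which reference the caller is expected to be dropping, so a reader hitting the assertion has to reconstruct that from callers; a one-line comment next to it would help, e.g. `/* Caller must own a session reference; s_count already at zero here is a refcount bug. */`. Note also that KASSERT is compiled out on non-DIAGNOSTIC kernels, so there the release path presumably still decrements past zero silently — fine for a debugging aid, but worth stating in the commit message or comment so nobody mistakes it for a hardening check. proc_sessrele's body continues past the end of this hunk.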
@@ -1181,8 +1182,11 @@ fixjobc(struct proc *p, struct pgrp *pgr
 		if (entering) {
 			pgrp->pg_jobc++;
 			p->p_lflag &= ~PL_ORPHANPG;
-		} else if (--pgrp->pg_jobc == 0)
-			orphanpg(pgrp);
+		} else {
+			KASSERT(pgrp->pg_jobc > 0);
+			if (--pgrp->pg_jobc == 0)
+				orphanpg(pgrp);
+		}
 	}
 
 	/*
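Review bot: The `KASSERT(pgrp->pg_jobc > 0)` only guards DIAGNOSTIC kernels; on other builds the same refcount bug would still drive pg_jobc below zero (it appears to be a signed count, though its declaration is not in this hunk), after which `--pgrp->pg_jobc == 0` can never be true and orphanpg() is never called for that group. That silent failure mode is worth recording next to the assertion so the consequence is understood by whoever picks up the syzbot reports: `/* pg_jobc underflow is a refcount bug elsewhere; without DIAGNOSTIC it goes negative and orphanpg() is never reached. */`. fixjobc() begins before this hunk and continues after it, so I cannot confirm from here that proc_lock is asserted held at entry, which the counter update relies on.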
@@ -1197,8 +1201,11 @@ fixjobc(struct proc *p, struct pgrp *pgr
 			if (entering) {
 				child->p_lflag &= ~PL_ORPHANPG;
 				hispgrp->pg_jobc++;
-			} else if (--hispgrp->pg_jobc == 0)
-				orphanpg(hispgrp);
+			} else {
+				KASSERT(hispgrp->pg_jobc > 0);
+				if (--hispgrp->pg_jobc == 0)
+					orphanpg(hispgrp);
+			}
 		}
 	}
 }
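Review bot: The leave-side sequence `KASSERT(x->pg_jobc > 0); if (--x->pg_jobc == 0) orphanpg(x);` is now spelled out twice in fixjobc() — once for the parent's group in the earlier hunk and once here for each child's group — so any further tightening of the check has to be made in two places. A small static helper keeps the invariant in one spot and both call sites collapse to `pgrp_jobc_leave(hispgrp);` / `pgrp_jobc_leave(pgrp);`. It would need to sit after orphanpg()'s declaration, which is outside this hunk, and this is purely a style point: behavior is unchanged.

```c
/* Drop one job-control reference on pg; signal the group once it is orphaned. */
static void
pgrp_jobc_leave(struct pgrp *pg)
{
	KASSERT(pg->pg_jobc > 0);
	if (--pg->pg_jobc == 0)
		orphanpg(pg);
}

/* … unchanged: fixjobc() up to the child loop … */
			} else {
				pgrp_jobc_leave(hispgrp);
			}
```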
