From owner-dev-commits-src-branches@freebsd.org  Wed Sep  8 12:41:46 2021
Return-Path: <owner-dev-commits-src-branches@freebsd.org>
Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id DD22A67A1CB;
 Wed,  8 Sep 2021 12:41:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4H4MG25dlFz3hW9;
 Wed,  8 Sep 2021 12:41:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A165F25B40;
 Wed,  8 Sep 2021 12:41:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 188CfkC2065176;
 Wed, 8 Sep 2021 12:41:46 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 188Cfkh4065175;
 Wed, 8 Sep 2021 12:41:46 GMT (envelope-from git)
Date: Wed, 8 Sep 2021 12:41:46 GMT
Message-Id: <202109081241.188Cfkh4065175@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-branches@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: 617d22e2e85f - stable/13 - kevent: Fix races between timer
 detach and kqtimer_proc_continue()
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 617d22e2e85fa5665c23b759a9fcf86ef50b5539
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
 <dev-commits-src-branches.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-branches>, 
 <mailto:dev-commits-src-branches-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-branches/>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Help: <mailto:dev-commits-src-branches-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-branches>, 
 <mailto:dev-commits-src-branches-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2021 12:41:46 -0000

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=617d22e2e85fa5665c23b759a9fcf86ef50b5539

commit 617d22e2e85fa5665c23b759a9fcf86ef50b5539
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-09-01 18:18:58 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-09-08 12:39:38 +0000

    kevent: Fix races between timer detach and kqtimer_proc_continue()
    
    - When detaching a knote, we need to double check the enqueued flag
      after acquiring the process lock, as kqtimer_proc_continue() may have
      toggled it.
    - kqtimer_proc_continue() could in principle reschedule a stopped
      callout after filt_timerdetach() drains the callout.  So, we need to
      re-check.
    
    Reported by:    syzbot+4a4cebb3ec07892cb040@syzkaller.appspotmail.com
    Reported by:    syzbot+a9c04bc76078a3b7dd8d@syzkaller.appspotmail.com
    Reviewed by:    kib
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit c511383de7a0325a80b9c5d2b8678b438db146dc)
---
 sys/kern/kern_event.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index bf04dae2ee5c..47aec4d12e9e 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -859,14 +859,24 @@ filt_timerdetach(struct knote *kn)
 {
 	struct kq_timer_cb_data *kc;
 	unsigned int old __unused;
+	bool pending;
 
 	kc = kn->kn_ptr.p_v;
-	callout_drain(&kc->c);
-	if ((kc->flags & KQ_TIMER_CB_ENQUEUED) != 0) {
+	do {
+		callout_drain(&kc->c);
+
+		/*
+		 * kqtimer_proc_continue() might have rescheduled this callout.
+		 * Double-check, using the process mutex as an interlock.
+		 */
 		PROC_LOCK(kc->p);
-		TAILQ_REMOVE(&kc->p->p_kqtim_stop, kc, link);
+		if ((kc->flags & KQ_TIMER_CB_ENQUEUED) != 0) {
+			kc->flags &= ~KQ_TIMER_CB_ENQUEUED;
+			TAILQ_REMOVE(&kc->p->p_kqtim_stop, kc, link);
+		}
+		pending = callout_pending(&kc->c);
 		PROC_UNLOCK(kc->p);
-	}
+	} while (pending);
 	free(kc, M_KQUEUE);
 	old = atomic_fetchadd_int(&kq_ncallouts, -1);
 	KASSERT(old > 0, ("Number of callouts cannot become negative"));