untrusted comment: verify with openbsd-71-base.pub
RWR2eHwZTOEiTZu1Ef/K1xXVdqk6Yl1KVYqsIXG14Bs2YkTc1SKAXtCZuWgvbzYT1pnTWKuT1Fct6pq6WYzPzYzqVudcufGaLA4=

OpenBSD 7.1 errata 003, May 16, 2022:

The kernel could crash due to a race in kqueue.

Apply by doing:
   signify -Vep /etc/signify/openbsd-71-base.pub -x 003_kqueue.patch.sig \
       -m - | (cd /usr/src && patch -p0)

And then rebuild and install a new kernel:
   KK=`sysctl -n kern.osversion | cut -d# -f1`
   cd /usr/src/sys/arch/`machine`/compile/$KK
   make obj
   make config
   make
   make install

Index: sys/kern/kern_event.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_event.c,v
diff -u -p -r1.186 kern_event.c
--- sys/kern/kern_event.c       31 Mar 2022 01:41:22 -0000      1.186
+++ sys/kern/kern_event.c       13 May 2022 20:41:18 -0000
@@ -121,8 +121,8 @@ void        knote_dequeue(struct knote *kn);
int    knote_acquire(struct knote *kn, struct klist *, int);
void   knote_release(struct knote *kn);
void   knote_activate(struct knote *kn);
-void   knote_remove(struct proc *p, struct kqueue *kq, struct knlist *list,
-           int purge);
+void   knote_remove(struct proc *p, struct kqueue *kq, struct knlist **plist,
+           int idx, int purge);

void   filt_kqdetach(struct knote *kn);
int    filt_kqueue(struct knote *kn, long hint);
@@ -1563,10 +1563,10 @@ kqueue_purge(struct proc *p, struct kque

       mtx_enter(&kq->kq_lock);
       for (i = 0; i < kq->kq_knlistsize; i++)
-               knote_remove(p, kq, &kq->kq_knlist[i], 1);
+               knote_remove(p, kq, &kq->kq_knlist, i, 1);
       if (kq->kq_knhashmask != 0) {
               for (i = 0; i < kq->kq_knhashmask + 1; i++)
-                       knote_remove(p, kq, &kq->kq_knhash[i], 1);
+                       knote_remove(p, kq, &kq->kq_knhash, i, 1);
       }
       mtx_leave(&kq->kq_lock);
}
@@ -1801,13 +1801,15 @@ knote(struct klist *list, long hint)
 * remove all knotes from a specified knlist
 */
void
-knote_remove(struct proc *p, struct kqueue *kq, struct knlist *list, int purge)
+knote_remove(struct proc *p, struct kqueue *kq, struct knlist **plist, int idx,
+    int purge)
{
       struct knote *kn;

       MUTEX_ASSERT_LOCKED(&kq->kq_lock);

-       while ((kn = SLIST_FIRST(list)) != NULL) {
+       /* Always fetch array pointer as another thread can resize kq_knlist. */
+       while ((kn = SLIST_FIRST(*plist + idx)) != NULL) {
               KASSERT(kn->kn_kq == kq);

               if (!purge) {
@@ -1875,7 +1877,7 @@ knote_fdclose(struct proc *p, int fd)
       LIST_FOREACH(kq, &fdp->fd_kqlist, kq_next) {
               mtx_enter(&kq->kq_lock);
               if (fd < kq->kq_knlistsize)
-                       knote_remove(p, kq, &kq->kq_knlist[fd], 0);
+                       knote_remove(p, kq, &kq->kq_knlist, fd, 0);
               mtx_leave(&kq->kq_lock);
       }
}

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.