DragonFlyBSD Kernel Audit
DF-0014 / fix.diff
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -761,7 +761,13 @@
 		n = PGRP_HASH(pgid);
 		prg = &procglob[n];
 
 		if ((np = pfindn(savepid)) == NULL || np != p) {
-			lwkt_reltoken(&prg->proc_token);
+			/*
+			 * prg->proc_token is NOT held here: pfindn() never
+			 * returns with the token held (curproc shortcut at
+			 * :554 or hash-path releases at :568/:572), and
+			 * enterpgrp() acquires it only on the success path
+			 * at :770 below.  Do not release it.
+			 */
 			error = ESRCH;
 			kfree(pgrp, M_PGRP);
 			goto fatal;
 		}
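Review bot: The added comment pins its reasoning to source line numbers (`:554`, `:568/:572`, `:770`), and this patch itself moves everything below the hunk down by six lines, so `:770` is already ambiguous between the old and new numbering. I would name the paths instead: say that pfindn() drops the token on both its curproc shortcut and its hash-lookup returns, and that enterpgrp() takes `prg->proc_token` only after the `np != p` check has passed. The function's start and the `fatal:` label are outside the hunk, so it is worth confirming that the `fatal` path does not itself release `prg->proc_token`, which would reintroduce the unbalanced release this change removes. Separately, the `@@ -761,7 +761,13 @@` counts do not match the body as shown (9 old and 15 new lines), which strict patch tools may reject.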