NetBSD Problem Report #3840

Received: (qmail 21015 invoked from network); 8 Jul 1997 19:54:35 -0000
Message-Id: <199707081959.MAA16596@nooksack.ldc.cs.wwu.edu>
Date: Tue, 8 Jul 1997 12:59:13 -0700 (PDT)
From: r.black@ic.ac.uk
To: gnats-bugs@gnats.netbsd.org
Subject: Race condition in the kernel log() and printf() functions
X-Send-Pr-Version: www-1.0

>Number:         3840
>Category:       kern
>Synopsis:       Race condition in the kernel log() and printf() functions
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 08 13:05:01 +0000 1997
>Closed-Date:    
>Last-Modified:  
>Originator:     Rob Black
>Release:        Various, including 1.2G
>Organization:
arm32 port team
>Environment:

>Description:
If either the log() or printf() function is called within a routine which
is capable of interrupting spltty then there is a potential race
condition if the console output has been redirected with ioctl TIOCCONS
(or anything else which sets the constty variable). The culprit is a
line in putchar() in kern/subr_prf.c which sets the TOTTY flag. This
redirects any output flagged as TOCONS to the constty device. It is
not safe to use the tty subsystem under these circumstances. These
conditions are sufficient to cause a race in printf(). To cause a race
in log() requires the additional condition that syslogd is not running
(if the log device is open then log() only writes to that and not to
the console - except via syslogd of course).

Note for anyone who is interested: this problem also affects FreeBSD.

>How-To-Repeat:
It's a race condition. Run xconsole, add suitable debugging and wait.

>Fix:
A partial fix is as follows. This patch just disables the setting of the
TOTTY flag. The output will normally be duplicated via syslogd. If syslogd
is not running then the output is dumped to the screen regardless of the
setting of constty so that no messages are lost. This fix is a bit of a
hack but it prevents the race and a proper fix is a lot of work. It is
also arguable that the TOLOG section should be guarded by splhigh().

*** subr_prf.c  Tue Jul  8 20:40:42 1997
--- subr_prf.c.new      Tue Jul  8 20:47:07 1997
***************
*** 544,550 ****
                constty = NULL;
        if ((flags & TOCONS) && tp == NULL && constty) {
                tp = constty;
-               flags |= TOTTY;
        }
        if ((flags & TOTTY) && tp && tputchar(c, tp) < 0 &&
            (flags & TOCONS) && tp == constty)
--- 544,549 ----
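Review bot: With "flags |= TOTTY;" removed, the enclosing block still executes "tp = constty;", so a caller that passes both TOTTY and TOCONS with a NULL tp would still reach tputchar(c, tp) on the redirected console through the test that follows. If the intent is that this path never enters the tty subsystem, drop the assignment (or the whole "if ((flags & TOCONS) && tp == NULL && constty)" block) as well. Otherwise add a comment saying why console output is no longer redirected to constty here, since the remaining assignment reads like dead code.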
***************
*** 560,566 ****
                if (mbp->msg_bufx < 0 || mbp->msg_bufx >= MSG_BSIZE)
                        mbp->msg_bufx = 0;
        }
!       if ((flags & TOCONS) && constty == NULL && c != '\0')
                (*v_putc)(c);
  }

--- 559,565 ----
                if (mbp->msg_bufx < 0 || mbp->msg_bufx >= MSG_BSIZE)
                        mbp->msg_bufx = 0;
        }
!       if ((flags & TOCONS) && (constty == NULL || !log_open) && c != '\0')
                (*v_putc)(c);
  }

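Review bot: The new test "(constty == NULL || !log_open)" does not look at TOLOG, so with constty set and the log device open, a character flagged TOCONS but not TOLOG is written neither to the tty (the first hunk removed that route) nor to the console. Consider extending the inner condition with "|| !(flags & TOLOG)" so console-only output still reaches (*v_putc)(c). log_open also does not appear in the hunk's context, so check that it is declared in scope here, and add a comment stating that this branch relies on syslogd to duplicate the output when the log device is open.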
>Release-Note:
>Audit-Trail:
>Unformatted:
