From owner-svn-src-all@freebsd.org Wed Dec 9 14:05:09 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3EEB947DE1C; Wed, 9 Dec 2020 14:05:09 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Crf2F1Lmbz3CwJ; Wed, 9 Dec 2020 14:05:09 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 158B027847; Wed, 9 Dec 2020 14:05:09 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0B9E58es050583; Wed, 9 Dec 2020 14:05:08 GMT (envelope-from markj@FreeBSD.org) Received: (from markj@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0B9E58Yq050582; Wed, 9 Dec 2020 14:05:08 GMT (envelope-from markj@FreeBSD.org) Message-Id: <202012091405.0B9E58Yq050582@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: markj set sender to markj@FreeBSD.org using -f From: Mark Johnston Date: Wed, 9 Dec 2020 14:05:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r368486 - head/sys/kern X-SVN-Group: head X-SVN-Commit-Author: markj X-SVN-Commit-Paths: head/sys/kern X-SVN-Commit-Revision: 368486 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Dec 2020 14:05:09 -0000 Author: markj Date: Wed Dec 9 14:05:08 2020 New Revision: 368486 URL: https://svnweb.freebsd.org/changeset/base/368486 Log: Plug a race between fd table teardown and several loops To export information from fd tables we have several loops which do this: FILDESC_SLOCK(fdp); for (i = 0; fdp->fd_refcount > 0 && i <= lastfile; i++) ; FILDESC_SUNLOCK(fdp); Before r367777, fdescfree() acquired the fd table exclusive lock between decrementing fdp->fd_refcount and freeing table entries. This serialized with the loop above, so the file at descriptor i would remain valid until the lock is dropped. Now there is no serialization, so the loops may race with teardown of file descriptor tables. Acquire the exclusive fdtable lock after releasing the final table reference to provide a barrier synchronizing with these loops. Reported by: pho Reviewed by: kib (previous version), mjg Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D27513 Modified: head/sys/kern/kern_descrip.c Modified: head/sys/kern/kern_descrip.c ============================================================================== --- head/sys/kern/kern_descrip.c Wed Dec 9 14:04:54 2020 (r368485) +++ head/sys/kern/kern_descrip.c Wed Dec 9 14:05:08 2020 (r368486) @@ -2463,6 +2463,13 @@ fdescfree_fds(struct thread *td, struct filedesc *fdp, struct file *fp; int i, lastfile; + KASSERT(refcount_load(&fdp->fd_refcnt) == 0, + ("%s: fd table %p carries references", __func__, fdp)); + + /* Serialize with threads iterating over the table. */ + FILEDESC_XLOCK(fdp); + FILEDESC_XUNLOCK(fdp); + lastfile = fdlastfile_single(fdp); for (i = 0; i <= lastfile; i++) { fde = &fdp->fd_ofiles[i]; @@ -2536,6 +2543,11 @@ pdescfree(struct thread *td) void fdescfree_remapped(struct filedesc *fdp) { +#ifdef INVARIANTS + /* fdescfree_fds() asserts that fd_refcnt == 0. */ + if (!refcount_release(&fdp->fd_refcnt)) + panic("%s: fd table %p has extra references", __func__, fdp); +#endif fdescfree_fds(curthread, fdp, 0); }