From nobody Wed Apr 5 14:35:46 2023 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Ps6cf3Gldz43Z0H; Wed, 5 Apr 2023 14:35:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ps6cf2FDhz3lHS; Wed, 5 Apr 2023 14:35:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1680705346; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RV8C7NOlOv78S/c1i9+FN3eLh7yp9CP6qXtWXqTafNY=; b=pYXjiZweeSG7cRp0Ye7/gEXvfhawoywQYgz4B3wecXGAYszPCDNreYLC+kth2mSeXvjUix m5hBGUMh2T1EFzLkFcDgGZhT3z9eVJy/pAvADUYPUL+g8o9IKz8N9zccViqIM0VH0arCT2 UB9ZENT08uFvoSepME6QtvzKunykSkdB3/doMNV/eJC3ZyOWQrcmYdHuUreQiITNhdRKGk t+9kxzj4GNC7JIrzwHyETBfoAktffSxN7L2tWmc/UD6lhv14dDKSodLOePCBmFvQXxSZBg UzPYkpUq82y4yzK8PVDR7qaGWb0b/ir0FgIBXUTXx4y/iRdEaWTe2gSfnrvazQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1680705346; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RV8C7NOlOv78S/c1i9+FN3eLh7yp9CP6qXtWXqTafNY=; b=KF8/ccNf4hXvASZB52KTKzp2OSNiMi6nOYki9EJSm3jhiAytOxI2KquNAi6fQDnk8XHHvc NQipXnR5zR9XNTK5Y2w6PiHn4kmdRb7chlq/vvUo1ZXRAcN5byQtFfCV0IJ2ZKgOmecRlK 9G+Y17sHq3hhQ+m06bmFy0XY85Mi12URZzrG0SuC5NecwtYTFhDSV95vMpZI7NGd7GWGg3 n24aR4oKU5kmWmxIXEV7jT+p5IwLcojKLav5NTBPzLmyocadSskJndP58ueRzsi4FFZhTB mH4lbDZ2rMiwArEvytqRFFwa6yPG7GMdPb1px8zKX3aBSMxNVQz0IEXchiXaDQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1680705346; a=rsa-sha256; cv=none; b=yob/FaTIHLcdMsVg4jaw4Vi7Ht0tIQmUnyLwhXsY87x/Djr12zXF3r07LK24lC+oEOogja w4meCQhpxnU0P7rovdlH0auxFrUi3gMX+Ql7FBzaP+CnxGM9wh+0IMbna0Z0GGYi530hnr yFaQkD3PrU18WIQ+EyH0qKZz+z7zuTG/cPOiH4iezJWPLluMh/ZFExExi7U0PGpI1LToZl DPXQInnu36gS9UVI5Wv9NDCpefHTjtsftUF5ZaXndl/29wgGjbjDdhWrrkIfpkrw14tqF8 I1ttdSuOhZJIYc8oIKzvIJTLxNjbY77Vo4EexvNBBr5bLzcs/24IkmeB6TttsA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Ps6cf1LTMzRFG; Wed, 5 Apr 2023 14:35:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 335EZkVt083809; Wed, 5 Apr 2023 14:35:46 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 335EZk8S083808; Wed, 5 Apr 2023 14:35:46 GMT (envelope-from git) Date: Wed, 5 Apr 2023 14:35:46 GMT Message-Id: <202304051435.335EZk8S083808@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: cfae554b7866 - stable/13 - fdescfs: Fix a file ref leak List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: cfae554b786636c3d2c8fb96c3804941a18245b3 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=cfae554b786636c3d2c8fb96c3804941a18245b3 commit cfae554b786636c3d2c8fb96c3804941a18245b3 Author: Mark Johnston AuthorDate: 2023-03-22 12:52:57 +0000 Commit: Mark Johnston CommitDate: 2023-04-05 14:29:29 +0000 fdescfs: Fix a file ref leak In fdesc_lookup(), vn_vget_ino_gen() may fail without invoking the callback, in which case the ref on fp is leaked. This happens if the fdescfs mount is being concurrently unmounted. Moreover, we cannot safely drop the ref while the dvp is locked. So: - Use a flag variable to indicate whether the ref is dropped. - Reorganize things to handle the leak. Reported by: C Turt Reviewed by: mjg, kib Tested by: pho MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D39189 (cherry picked from commit 0f5b6f9a041e9cca3b376f6ec909374938887a3b) --- sys/fs/fdescfs/fdesc_vnops.c | 42 +++++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/sys/fs/fdescfs/fdesc_vnops.c b/sys/fs/fdescfs/fdesc_vnops.c index 17320b2c8354..81b6690efc80 100644 --- a/sys/fs/fdescfs/fdesc_vnops.c +++ b/sys/fs/fdescfs/fdesc_vnops.c @@ -258,6 +258,7 @@ struct fdesc_get_ino_args { int ix; struct file *fp; struct thread *td; + bool fdropped; }; static int @@ -280,6 +281,7 @@ fdesc_get_ino_alloc(struct mount *mp, void *arg, int lkflags, error = fdesc_allocvp(a->ftype, a->fd_fd, a->ix, mp, rvp); } fdrop(a->fp, a->td); + a->fdropped = true; return (error); } @@ -300,6 +302,7 @@ fdesc_lookup(struct vop_lookup_args *ap) int nlen = cnp->cn_namelen; u_int fd, fd1; int error; + bool fdropped; struct vnode *fvp; if ((cnp->cn_flags & ISLASTCN) && @@ -343,24 +346,10 @@ fdesc_lookup(struct vop_lookup_args *ap) */ if ((error = fget(td, fd, &cap_no_rights, &fp)) != 0) goto bad; + fdropped = false; - /* Check if we're looking up ourselves. */ - if (VTOFDESC(dvp)->fd_ix == FD_DESC + fd) { - /* - * In case we're holding the last reference to the file, the dvp - * will be re-acquired. - */ - vhold(dvp); - VOP_UNLOCK(dvp); - fdrop(fp, td); - - /* Re-aquire the lock afterwards. */ - vn_lock(dvp, LK_RETRY | LK_EXCLUSIVE); - vdrop(dvp); - fvp = dvp; - if (VN_IS_DOOMED(dvp)) - error = ENOENT; - } else { + /* Make sure we're not looking up the dvp itself. */ + if (VTOFDESC(dvp)->fd_ix != FD_DESC + fd) { /* * Unlock our root node (dvp) when doing this, since we might * deadlock since the vnode might be locked by another thread @@ -374,8 +363,27 @@ fdesc_lookup(struct vop_lookup_args *ap) arg.ix = FD_DESC + fd; arg.fp = fp; arg.td = td; + arg.fdropped = fdropped; error = vn_vget_ino_gen(dvp, fdesc_get_ino_alloc, &arg, LK_EXCLUSIVE, &fvp); + fdropped = arg.fdropped; + } + + if (!fdropped) { + /* + * In case we're holding the last reference to the file, the dvp + * will be re-acquired. + */ + vhold(dvp); + VOP_UNLOCK(dvp); + fdrop(fp, td); + fdropped = true; + + vn_lock(dvp, LK_RETRY | LK_EXCLUSIVE); + vdrop(dvp); + fvp = dvp; + if (error == 0 && VN_IS_DOOMED(dvp)) + error = ENOENT; } if (error)