Date:      Sat, 19 Jan 2002 18:15:20 -0500 (EST)
From:      Alexander Viro <viro@math.psu.edu>
To:        iedowse@FreeBSD.org
Cc:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/8498: Race condition between unp_gc() and accept().
Message-ID:  <Pine.GSO.4.21.0201191801310.5397-100000@weyl.math.psu.edu>
In-Reply-To: <200201192247.g0JMlQh78530@freefall.freebsd.org>



On Sat, 19 Jan 2002 iedowse@FreeBSD.org wrote:

> Synopsis: Race condition between unp_gc() and accept().
> 
> State-Changed-From-To: open->feedback
> State-Changed-By: iedowse
> State-Changed-When: Sat Jan 19 14:47:11 PST 2002
> State-Changed-Why: 
> 
> Does this problem still exist?

As far as I can see it's still there in HEAD - analysis from the original
bug report still applies.

BTW, there is another problem: uipc_usrreq.c:1378 has
        extra_ref = malloc(nfiles * sizeof(struct file *), M_FILE, M_WAITOK);
which can block.  During that time we might get new files opened and sent
in SCM_RIGHTS cookies.  Notice that
	a) we will have them _not_ marked, so the code after that will try
to kill them.
	b) nfiles might have grown!

The former means that legitimate stuff gets killed.  The latter is a buffer
overrun in kernel space waiting to happen.

Fix: invert the logic with "marked".  I.e. start with marking everything,
then unmark those you want to stay around.  Then by the end of the first
phase you have marked exactly the stuff that needs to die.  New struct
file won't be marked, so the loop populating extra_ref will skip it...
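A toy model of the pass described above, added here as an example; it is not part of the message and not FreeBSD's code. It keeps the kernel's FMARK bit and the f_count/f_msgcount test, but the file table, the mark fixpoint, the `run_gc()` driver and the "allocation sleeps here" window are constructed for the illustration. The same sweep runs twice: once with the original sense of the mark (set on reachable files) and once with the inverted sense (set on everything, cleared on reachable files), with two files opened, passed over a live socket and closed while the allocation is blocked. Instead of writing past `extra_ref` the model reports the overrun and stops.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FreeBSD code: a toy unp_gc() mark/sweep with the race
 * window made explicit. Structures and table contents are constructed. */
#define MAXFILES 8
#define MAXRCV   4
#define FMARK    0x1

struct file {
	int f_count;      /* all references */
	int f_msgcount;   /* references held by in-flight SCM_RIGHTS messages */
	int f_flag;       /* FMARK lives here */
	int rcv[MAXRCV];  /* files queued in this socket's receive buffer */
	int nrcv;
};
struct filetab { struct file f[MAXFILES]; int nfiles; };
struct gc_result {
	int nunref;      /* entries written to extra_ref */
	int overrun;     /* more candidates than extra_ref has slots */
	int killed_new;  /* files created during the sleep that were condemned */
};

static int open_file(struct filetab *t)
{
	int i = t->nfiles++;
	memset(&t->f[i], 0, sizeof(t->f[i]));
	t->f[i].f_count = 1;          /* one descriptor in some process */
	return i;
}
/* sendmsg() with SCM_RIGHTS: the queued message holds a reference. */
static void send_rights(struct filetab *t, int sock, int fidx)
{
	t->f[fidx].f_count++;
	t->f[fidx].f_msgcount++;
	t->f[sock].rcv[t->f[sock].nrcv++] = fidx;
}
static void close_fd(struct filetab *t, int fidx) { t->f[fidx].f_count--; }

/* Original: FMARK means "reachable". Inverted: FMARK means "condemned". */
static int is_live(const struct file *fp, int invert)
{
	return invert ? !(fp->f_flag & FMARK) : (fp->f_flag & FMARK) != 0;
}
static void set_live(struct file *fp, int invert)
{
	if (invert) fp->f_flag &= ~FMARK; else fp->f_flag |= FMARK;
}

/* Phase 1: a file with a descriptor reference (f_count != f_msgcount) is
 * live, and so is anything queued on a live socket, to a fixpoint. */
static void mark_phase(struct filetab *t, int invert)
{
	int i, j, changed;
	for (i = 0; i < t->nfiles; i++)
		t->f[i].f_flag = invert ? FMARK : 0;
	do {
		changed = 0;
		for (i = 0; i < t->nfiles; i++) {
			struct file *fp = &t->f[i];
			if (fp->f_count == 0) continue;
			if (fp->f_count != fp->f_msgcount && !is_live(fp, invert)) {
				set_live(fp, invert); changed = 1;
			}
			if (!is_live(fp, invert)) continue;
			for (j = 0; j < fp->nrcv; j++)
				if (!is_live(&t->f[fp->rcv[j]], invert)) {
					set_live(&t->f[fp->rcv[j]], invert); changed = 1;
				}
		}
	} while (changed);
}

/* Phase 2: collect condemned files into extra_ref, sized from the nfiles
 * seen before the allocation slept. Reports the overrun instead of doing it. */
static struct gc_result sweep(struct filetab *t, int invert, int nfiles_at_alloc)
{
	struct gc_result r = {0, 0, 0};
	struct file **extra_ref = calloc((size_t)nfiles_at_alloc, sizeof(*extra_ref));
	int i;
	for (i = 0; i < t->nfiles; i++) {
		struct file *fp = &t->f[i];
		if (fp->f_count == 0 || fp->f_count != fp->f_msgcount || is_live(fp, invert))
			continue;
		if (r.nunref >= nfiles_at_alloc) { r.overrun = 1; break; }
		extra_ref[r.nunref++] = fp;
		if (i >= nfiles_at_alloc) r.killed_new++;
	}
	free(extra_ref);
	return r;
}

/* One gc pass over a constructed table with the race window in the middle. */
static struct gc_result run_gc(int invert)
{
	struct filetab t;
	int a, b, c, d, e, nfiles_at_alloc;
	memset(&t, 0, sizeof(t));
	/* Sockets a and b hold each other's only reference (garbage); c is held. */
	a = open_file(&t); b = open_file(&t); c = open_file(&t);
	send_rights(&t, a, b); send_rights(&t, b, a);
	close_fd(&t, a); close_fd(&t, b);
	mark_phase(&t, invert);
	nfiles_at_alloc = t.nfiles;   /* malloc(nfiles * ..., M_WAITOK) blocks here; */
	/* meanwhile a process opens d and e, passes them over the live socket c
	 * and closes its own descriptors: unmarked, and nfiles has grown. */
	d = open_file(&t); e = open_file(&t);
	send_rights(&t, c, d); send_rights(&t, c, e);
	close_fd(&t, d); close_fd(&t, e);
	return sweep(&t, invert, nfiles_at_alloc);
}

int main(void)
{
	struct gc_result o = run_gc(0), n = run_gc(1);
	printf("original: %d condemned, overrun %d, new files killed %d\n", o.nunref, o.overrun, o.killed_new);
	printf("inverted: %d condemned, overrun %d, new files killed %d\n", n.nunref, n.overrun, n.killed_new);
	return 0;
}
```

With the original sense of the mark, the sweep condemns the two in-flight files that were opened during the sleep (point a) and runs out of extra_ref slots after the third candidate (point b). With the inverted sense, a freshly zeroed struct file carries no FMARK and so is treated as live; only the a/b cycle is collected and the count can never exceed the nfiles the array was sized from.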


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.21.0201191801310.5397-100000>