From owner-cvs-all@FreeBSD.ORG Thu Jul 27 19:54:45 2006
X-Original-To: cvs-all@FreeBSD.org
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 00C8316A4DA;
    Thu, 27 Jul 2006 19:54:45 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 9C64743D70;
    Thu, 27 Jul 2006 19:54:42 +0000 (GMT) (envelope-from jhb@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
    by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k6RJsgPN014379;
    Thu, 27 Jul 2006 19:54:42 GMT (envelope-from jhb@repoman.freebsd.org)
Received: (from jhb@localhost)
    by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k6RJsgin014378;
    Thu, 27 Jul 2006 19:54:42 GMT (envelope-from jhb)
Message-Id: <200607271954.k6RJsgin014378@repoman.freebsd.org>
From: John Baldwin
Date: Thu, 27 Jul 2006 19:54:42 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/kern uipc_syscalls.c src/sys/sys syscallsubr.h src/sys/compat/svr4 svr4_stream.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the entire tree
X-List-Received-Date: Thu, 27 Jul 2006 19:54:45 -0000

jhb         2006-07-27 19:54:42 UTC

  FreeBSD src repository

  Modified files:
    sys/kern             uipc_syscalls.c
    sys/sys              syscallsubr.h
    sys/compat/svr4      svr4_stream.c
  Log:
  Fix a file descriptor race I reintroduced when I split accept1() up into
  kern_accept() and accept1().  If another thread closed the new file
  descriptor and the first thread later got an error trying to copyout the
  socket address, then it would attempt to close the wrong file object.

  To fix, add a struct file ** argument to kern_accept().  If it is
  non-NULL, then on success kern_accept() will store a pointer to the new
  file object there and not release any of the references.  It is up to the
  calling code to drop the references appropriately (including a call to
  fdclose() in case of error to safely handle the aforementioned race).

  While I'm at it, go ahead and fix the svr4 streams code to not leak the
  accept fd if it gets an error trying to copyout the streams structures.

  Revision  Changes    Path
  1.60      +24 -10    src/sys/compat/svr4/svr4_stream.c
  1.234     +15 -5     src/sys/kern/uipc_syscalls.c
  1.44      +2 -1      src/sys/sys/syscallsubr.h
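
The interleaving described in the log above, replayed in a single-threaded user-space model. This is an added example, not code from the FreeBSD commit. `struct fdtable`, `close_by_number()`, `close_if_same()` and `victim_survives()` are hypothetical names, and `close_if_same()` stands in for the identity check that fdclose() performs on the error path.

```c
/* User-space model built for illustration; not FreeBSD kernel code. */
#include <stdio.h>

#define NFD 8
struct file { int refs; int closed; };
struct fdtable { struct file *slot[NFD]; };

static void fdrop(struct file *fp) { if (--fp->refs == 0) fp->closed = 1; }

/* Install fp in the lowest free slot, as descriptor allocation does. */
static int fd_install(struct fdtable *t, struct file *fp) {
    for (int fd = 0; fd < NFD; fd++)
        if (t->slot[fd] == NULL) { fp->refs++; t->slot[fd] = fp; return fd; }
    return -1;
}

/* Cleanup that trusts the descriptor number alone. */
static void close_by_number(struct fdtable *t, int fd) {
    struct file *fp = t->slot[fd];
    if (fp != NULL) { t->slot[fd] = NULL; fdrop(fp); }
}

/* Stand-in for fdclose(): clear the slot only if it still holds fp. */
static void close_if_same(struct fdtable *t, struct file *fp, int fd) {
    if (t->slot[fd] == fp) { t->slot[fd] = NULL; fdrop(fp); }
}

/* Replays the interleaving from the log; returns 1 if the unrelated
 * file that reused the descriptor number is still open afterwards. */
int victim_survives(int fixed) {
    struct fdtable t = {{0}};
    struct file sock = {0, 0}, other = {0, 0};

    if (fixed) sock.refs = 1;            /* A keeps its own reference */
    int fd = fd_install(&t, &sock);      /* A: accept allocates fd */
    close_by_number(&t, fd);             /* B: close(fd) */
    int fd2 = fd_install(&t, &other);    /* B: open reuses the number */
    /* A: copyout of the address fails, error path runs */
    if (fixed) { close_if_same(&t, &sock, fd); fdrop(&sock); }
    else close_by_number(&t, fd);
    return fd2 == fd && t.slot[fd] == &other && !other.closed;
}

int main(void) {
    printf("close by number: victim survives = %d\n", victim_survives(0));
    printf("identity check:  victim survives = %d\n", victim_survives(1));
    return 0;
}
```

In the model, the error path that closes by descriptor number tears down the unrelated file that reused the number, while the path that compares the slot against the held file pointer leaves it open and only drops its own reference.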