From owner-p4-projects@FreeBSD.ORG Thu Mar 15 22:17:47 2007
Date: Thu, 15 Mar 2007 22:17:47 GMT
Message-Id: <200703152217.l2FMHld1085360@repoman.freebsd.org>
From: John Baldwin
To: Perforce Change Reviews
Subject: PERFORCE change 115948 for review

http://perforce.freebsd.org/chv.cgi?CH=115948

Change 115948 by jhb@jhb_mutex on 2007/03/15 22:17:34

Move the fdrop() after the fdclose() to close the following race:

- thread A calls kern_open() and vn_open() fails.
- thread B close()'s the fd before thread A returns from kern_open().
- thread A calls fdrop() which frees the file object.
- thread B/C creates a new file descriptor which reuses the same file object that was just freed. It also reuses the same fd since it was just closed and is now available.
- thread A calls fdclose() which sees that the file matches the file in the descriptor table, so it clears the file pointer and does an fdrop()
- thread B/C returns an fd
- later accesses to 'fd' return EBADF

I don't think one can get a refcount underflow from this or a panic, just weirdness in userland where a fd returned from open will fail with EBADF when you use it.

Affected files ...

.. //depot/projects/smpng/sys/kern/vfs_syscalls.c#123 edit

Differences ...

==== //depot/projects/smpng/sys/kern/vfs_syscalls.c#123 (text+ko) ==== @@ -997,11 +997,6 @@ } /* - * release our own reference - */ - fdrop(fp, td); - - /* * handle special fdopen() case. bleh. dupfdopen() is * responsible for dropping the old contents of ofiles[indx] * if it succeeds. @@ -1011,6 +1006,7 @@ (error = dupfdopen(td, fdp, indx, td->td_dupfd, flags, error)) == 0) { td->td_retval[0] = indx; + fdrop(fp, td); return (0); } /* @@ -1018,6 +1014,7 @@ * replaced or closed it. */ fdclose(fdp, fp, indx, td); + fdrop(fp, td); if (error == ERESTART) error = EINTR;
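Review bot: in the first hunk (@@ -997,11 +997,6 @@), deleting the early `fdrop(fp, td)` also deletes its `release our own reference` comment, and neither of the two new `fdrop()` sites in the later hunks carries it; moving that comment to the new drop sites, or adding a line at the top of this error path saying the caller's reference is deliberately held across `fdclose()`, would document the ordering this whole change depends on and make it less likely someone later moves the drop back up.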
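Review bot: in the second hunk (@@ -1011,6 +1006,7 @@), the added `fdrop(fp, td)` sits after `td->td_retval[0] = indx;` and before `return (0);`, so the `dupfdopen()` success exit now drops the caller's reference exactly once, and when the condition is false control falls through to the `fdclose()` path in the next hunk, which drops it there; the visible context shows only these two exits, so any other early return in the stretch of kern_open() between the removed drop and the two added ones would now leak a reference and should be checked against the full function before this is committed.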
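Review bot: in the third hunk (@@ -1018,6 +1014,7 @@), placing `fdrop(fp, td)` after `fdclose(fdp, fp, indx, td)` is the substance of the fix: `fdclose()` compares `fp` against the descriptor table entry and must see a live object, and holding the caller's reference across that call keeps the file from being freed and handed to another thread's open with the same fd, which is the confusion the message describes; after the new drop `fp` may be gone, and the only statements in view, `if (error == ERESTART) error = EINTR;`, do not touch it, so confirm the remainder of the error path beyond the hunk also makes no use of `fp`.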