Date: Sun, 29 Oct 2000 15:00:23 -0800 (PST)
From: Matt Dillon <dillon@earth.backplane.com>
To: Alexander Viro <viro@math.psu.edu>
Cc: Jordan Hubbard <jkh@winston.osd.bsdi.com>, freebsd-stable@freebsd.org
Subject: Re: Proposed patch related to August discussion on file descriptor races and kern/11629
Message-ID: <200010292300.e9TN0N071594@earth.backplane.com>
References: <Pine.GSO.4.21.0010291702140.27484-100000@weyl.math.psu.edu>
:        Thread A:                Thread B:
:        dup2(0,1);               fd = open(...);
:
:with both threads succeeding and fd being 1. It _is_ a correct use (target
:descriptor is opened, so it's not a case of inherently racey userland) and
:result is clearly wrong: fd suddenly becomes an alias of stdin.
:
:Proposed fix: start with fhold(oldf = fdp->fd_ofiles[old]); then exchange oldf
:with fdp->fd_ofiles[new] + set flags, _then_ do if (oldf) closef(oldf);
:- obviously correct and has all manipulations of the table well-contained.
:Actually I would (OK, did) put the first part (prior to closef()) under the
:spinlock - the descriptor layer was the first part of SMP threading in our
:VFS, but that's another story.

    Ah, ok, I see that hole now. It can occur if closef() blocks (which it
can). This also reveals another hole where two dup2() calls with the same
(in-use) destination can cause struct file leakage.

    I think the problem is solved by removing the code in dup2() that deals
with the case where the destination already exists and moving it into
finishdup(). Then using your description above in finishdup().

                                        -Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
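The interleaving discussed in this message, reproduced as an added user-space model; this is not FreeBSD kernel code and not code from either poster. The names `filedesc`, `ofiles`, `fhold()`, `closef()`, `fd_open()` and `dup2_racy()`/`dup2_fixed()` are simplified stand-ins for `fdp->fd_ofiles`, `fhold()`, `closef()`, `fdalloc()` and the two orderings under discussion, and a single-threaded "hook" invoked from `closef()` replaces a real second thread so that the interleaving (thread B's `open()` landing while thread A's `closef()` is blocked) is reproducible rather than timing-dependent. The racy variant empties the destination slot before the close, so B's `open()` takes descriptor 1, is then overwritten by the install of fd 0, and B ends up holding an alias of stdin while its own `struct file` is leaked. The fixed variant holds the source, exchanges it into the destination, and releases the displaced file only afterwards, so the slot is never free and B gets descriptor 2.

```c
/* Added example (not FreeBSD code): a user-space model of the dup2()/open()
 * race.  Names are stand-ins for fdp->fd_ofiles, fhold(), closef(),
 * fdalloc() and finishdup(); the hook replaces a real second thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFDS 8

struct file {
    int refcnt;   /* table slots and temporary holders referencing this file */
    int id;       /* which object this is: 0 = "stdin", 1 = "stdout", 42 = B's */
};

struct filedesc {
    struct file *ofiles[NFDS];   /* stand-in for fdp->fd_ofiles */
};

static int live_files;   /* allocated minus freed; non-zero after teardown = leak */

/* closef() can sleep in the kernel, and another thread may run meanwhile.
 * If set, this hook is called from closef() to model that other thread. */
static void (*closef_block_hook)(struct filedesc *);

static struct file *falloc(int id)
{
    struct file *fp = calloc(1, sizeof *fp);
    if (fp == NULL) abort();
    fp->refcnt = 1;
    fp->id = id;
    live_files++;
    return fp;
}

static void fhold(struct file *fp) { fp->refcnt++; }

static void closef(struct filedesc *fdp, struct file *fp)
{
    if (closef_block_hook != NULL)
        closef_block_hook(fdp);          /* "thread B" runs while A is blocked */
    if (--fp->refcnt == 0) {
        free(fp);
        live_files--;
    }
}

/* open(): take the lowest free slot, like fdalloc(). Returns fd, or -1. */
static int fd_open(struct filedesc *fdp, int id)
{
    for (int fd = 0; fd < NFDS; fd++) {
        if (fdp->ofiles[fd] == NULL) {
            fdp->ofiles[fd] = falloc(id);
            return fd;
        }
    }
    return -1;
}

/* Broken ordering: close the occupant of the destination first (slot is
 * empty while closef() may block), then install the source. */
static int dup2_racy(struct filedesc *fdp, int oldfd, int newfd)
{
    struct file *oldf = fdp->ofiles[oldfd];
    if (oldf == NULL) return -1;
    if (fdp->ofiles[newfd] != NULL) {
        struct file *victim = fdp->ofiles[newfd];
        fdp->ofiles[newfd] = NULL;       /* window: slot is free for open() */
        closef(fdp, victim);
    }
    fhold(oldf);
    fdp->ofiles[newfd] = oldf;           /* overwrites whatever open() put here */
    return newfd;
}

/* Proposed ordering: hold the source, exchange it into the destination, and
 * only then release the displaced file.  The slot is never empty. */
static int dup2_fixed(struct filedesc *fdp, int oldfd, int newfd)
{
    struct file *oldf = fdp->ofiles[oldfd];
    if (oldf == NULL) return -1;
    fhold(oldf);
    struct file *displaced = fdp->ofiles[newfd];
    fdp->ofiles[newfd] = oldf;
    if (displaced != NULL)
        closef(fdp, displaced);          /* may block; table already consistent */
    return newfd;
}

/* Thread B's action while thread A is blocked inside closef(): an open(). */
static int b_fd;
static void thread_b_opens(struct filedesc *fdp) { b_fd = fd_open(fdp, 42); }

struct outcome { int b_fd; int b_aliases_stdin; int leaked_files; };

/* Thread A: dup2(0, 1) with fd 1 in use; thread B: open() during the close. */
static struct outcome run_scenario(int (*dup2fn)(struct filedesc *, int, int))
{
    struct filedesc fdp;
    struct outcome out;
    memset(&fdp, 0, sizeof fdp);
    live_files = 0;
    fd_open(&fdp, 0);                    /* fd 0 = "stdin" */
    fd_open(&fdp, 1);                    /* fd 1 = "stdout", to be displaced */
    b_fd = -1;
    closef_block_hook = thread_b_opens;
    dup2fn(&fdp, 0, 1);
    closef_block_hook = NULL;
    out.b_fd = b_fd;
    out.b_aliases_stdin = (b_fd >= 0 && fdp.ofiles[b_fd] == fdp.ofiles[0]);
    for (int fd = 0; fd < NFDS; fd++)    /* teardown: close every slot once */
        if (fdp.ofiles[fd] != NULL) closef(&fdp, fdp.ofiles[fd]);
    out.leaked_files = live_files;       /* files no slot referenced any more */
    return out;
}

int main(void)
{
    struct outcome r = run_scenario(dup2_racy);
    struct outcome f = run_scenario(dup2_fixed);
    printf("racy : B got fd %d, aliases stdin=%d, leaked=%d\n",
           r.b_fd, r.b_aliases_stdin, r.leaked_files);
    printf("fixed: B got fd %d, aliases stdin=%d, leaked=%d\n",
           f.b_fd, f.b_aliases_stdin, f.leaked_files);
    return 0;
}
```

The teardown loop is what exposes the leak: after every slot has been closed, `live_files` should be zero, and the racy ordering leaves exactly one `struct file` (B's) that no slot can reach. The same invariant is the one to check in a real implementation: at no point between taking and dropping the table lock may a descriptor slot be empty while a reference it is meant to own is still outstanding.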