Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 7 Mar 2006 16:47:07 GMT
From:      Todd Miller <millert@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 92921 for review
Message-ID:  <200603071647.k27Gl7Kp009054@repoman.freebsd.org>

next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=92921

Change 92921 by millert@millert_ibook on 2006/03/07 16:46:29

	Change how label handles are freed when their reference
	count reaches zero.  We no longer free label handle storage
	when the ref count == 0.  For kernel-allocated label handles,
	just deallocate the associated port.  The actual label
	handle storage is deallocated by labelh_destroy() which is
	called by ipc_kobject_destroy() after all port references
	are gone.  This fixes a race between a user program requesting
	(and accessing) the label of a labeled kernel object and
	the destruction of that object (task, port, etc).

Affected files ...

.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_labelh.c#8 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_labelh.h#9 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/kern/ipc_kobject.c#4 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_labelh.c#8 (text+ko) ====

@@ -47,7 +47,7 @@
 	if (space == IS_NULL || space->is_task == NULL)
 		return (KERN_INVALID_TASK);
 
-	/* XXX - perform entrypoint check here */
+	/* XXX - perform entrypoint check here? */
 
 	/*
 	 * Note: the calling task will have a receive right for the port.
@@ -75,7 +75,7 @@
 	lh->lh_port = port;
 	lh->lh_label = *inl;
 	lh->lh_type = LABELH_TYPE_USER;
-	lh->lh_references = 1;
+	lh->lh_references = 1;		/* unused for LABELH_TYPE_USER */
 
 	/* Must call ipc_kobject_set() with port unlocked. */
 	ip_unlock(lh->lh_port);
@@ -154,6 +154,11 @@
 {
 	ipc_labelh_t lh;
 
+	/*
+	 * A label handle may only have a single reference. 
+	 * If there are no other references this is a no-op.
+	 * Otherwise, make a copy we can write to and return it.
+	 */
 	if (old->lh_references == 1)
 		return (old);
 	lh = labelh_duplicate(old);
@@ -175,6 +180,9 @@
 	return (lh);
 }
 
+/*
+ * Release a reference on an (unlocked) label handle.
+ */
 void
 labelh_release(ipc_labelh_t lh)
 {
@@ -183,10 +191,18 @@
 	lh_check_unlock(lh);
 }
 
+/*
+ * Deallocate space associated with the label handle backed by the
+ * specified port.  For kernel-allocated label handles the
+ * label handle reference count should be 0.  For user-allocated
+ * handles the ref count is not used (it was initialized to 1).
+ */
 void
-lh_free(ipc_labelh_t lh)
+labelh_destroy(ipc_port_t port)
 {
-	ipc_object_release(&lh->lh_port->ip_object);
+	ipc_labelh_t lh = (ipc_labelh_t) port->ip_kobject;
+
+	ip_release(lh->lh_port);
 	mac_destroy_port_label(&lh->lh_label);
 	zfree(ipc_labelh_zone, (vm_offset_t)lh);
 }

==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_labelh.h#9 (text+ko) ====

@@ -47,19 +47,19 @@
 #define	LABELH_TYPE_KERN	0
 #define	LABELH_TYPE_USER	1
 
+void labelh_destroy(ipc_port_t port);
 ipc_labelh_t labelh_duplicate(ipc_labelh_t old);
 ipc_labelh_t labelh_modify(ipc_labelh_t old);
 ipc_labelh_t labelh_new(void);
 kern_return_t labelh_new_user(ipc_space_t, struct label *, mach_port_name_t *);
 void labelh_release(ipc_labelh_t lh);
 ipc_labelh_t labelh_reference(ipc_labelh_t lh);
-void lh_free(ipc_labelh_t lh);
 
 #define lh_reference(lh)	((lh)->lh_references++)
-#define lh_release(lh)					\
-MACRO_BEGIN						\
-  assert((lh)->lh_references > 0);			\
-	(lh)->lh_references--;				\
+#define lh_release(lh)						\
+MACRO_BEGIN							\
+	assert((lh)->lh_references > 0);			\
+	(lh)->lh_references--;					\
 MACRO_END
 
 extern zone_t ipc_labelh_zone;
@@ -67,13 +67,21 @@
 #define lh_lock io_lock
 #define lh_unlock io_unlock
 
-#define lh_check_unlock(lh) 		       			\
-MACRO_BEGIN				       			\
+/*
+ * Check the number of references the label handle a left.
+ * If there are 0 references and this is a kernel-allocated
+ * label handle, deallocate the associated port.  The
+ * storage space for the label handle will be deallocated
+ * as part of the port destruction.  User-allocated label
+ * handles are destroyed along with their ports.
+ */
+#define lh_check_unlock(lh)					\
+MACRO_BEGIN							\
 	_VOLATILE_ natural_t _refs = (lh)->lh_references;	\
-					       			\
-	lh_unlock(lh);			       			\
-	if (_refs == 0)			       			\
-		lh_free(lh);		      			\
+								\
+	lh_unlock(lh);						\
+	if (_refs == 0 && (lh)->lh_type == LABELH_TYPE_KERN)	\
+		ipc_port_dealloc_kernel((lh)->lh_port);		\
 MACRO_END
 
 #endif

==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/kern/ipc_kobject.c#4 (text+ko) ====

@@ -514,7 +514,7 @@
 		break;
 
 	case IKOT_LABELH:
-		labelh_release(port->ip_kobject);
+		labelh_destroy(port);
 		break;
 
 	default:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200603071647.k27Gl7Kp009054>