Date: Wed, 26 Feb 2014 20:23:48 +0100
From: Mateusz Guzik
To: John Baldwin
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r262309 - head/sys/kern
Message-ID: <20140226192348.GA329@dft-labs.eu>
In-Reply-To: <201402251308.43875.jhb@freebsd.org>

On Tue, Feb 25, 2014 at 01:08:43PM -0500, John Baldwin wrote:
> On Friday, February 21, 2014 5:29:09 pm Mateusz Guzik wrote:
> > Author: mjg
> > Date: Fri Feb 21 22:29:09 2014
> > New Revision: 262309
> > URL: http://svnweb.freebsd.org/changeset/base/262309
> >
> > Log:
> >   Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
> >   to use-after-free.
> >
> >   fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
> >   kern_proc_{o,}filedesc_out only checked for hold count.
>
> Can you describe the race in more detail?  The kern_* routines hold
> FILEDESC_SLOCK() while they read the file which should prevent
> fdescfree() from free'ing any files.  Note that fdfree() (called
> under FILEDESC_XLOCK()) clears the file pointer to NULL via the
> bzero(), so the sysctl handler should only see non-NULL pointers
> for files that are not yet free'd.
>

Oops, you are right. I somehow misread the code.

Still, the change is harmless and matches the other loop which iterates the table (see sysctl_kern_file), so I think it can stay.

Another thing is that with that change in place we can get rid of XLOCK/XUNLOCK around fdfree in fdescfree.

-- 
Mateusz Guzik
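A user-space model of the locking argument made in this thread, added here as an example; it is not FreeBSD code. The struct, the counter-based lock and the scenario are constructed: names mirror the kernel ones (fdfree, fdescfree, kern_proc_filedesc_out, FILEDESC_SLOCK/XLOCK) but are simplified stand-ins, and fd_holdcnt is left out. The point shown is that because fdfree() clears the slot under the exclusive lock, a shared-lock reader sees NULL for released files whether or not it also tests fd_refcnt, so the added check changes nothing in the outcome.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#define NFILES 4
struct file { int f_count; };           /* stand-in for the kernel's struct file */
struct filedesc {                       /* simplified model of the kernel struct */
    int fd_refcnt;                      /* owners of the table; 0 => fdescfree runs */
    struct file *fd_ofiles[NFILES];     /* open file table */
    int lock;                           /* 0 free, >0 shared readers, -1 exclusive */
};
static void FILEDESC_SLOCK(struct filedesc *f)   { assert(f->lock >= 0); f->lock++; }
static void FILEDESC_SUNLOCK(struct filedesc *f) { assert(f->lock > 0);  f->lock--; }
static void FILEDESC_XLOCK(struct filedesc *f)   { assert(f->lock == 0); f->lock = -1; }
static void FILEDESC_XUNLOCK(struct filedesc *f) { assert(f->lock == -1); f->lock = 0; }

/* fdfree(): under XLOCK the slot is cleared before the file is dropped, so a
 * later shared-lock reader sees NULL instead of a dangling pointer. */
static void fdfree(struct filedesc *f, int fd) {
    struct file *fp = f->fd_ofiles[fd];
    assert(f->lock == -1);
    memset(&f->fd_ofiles[fd], 0, sizeof(f->fd_ofiles[fd]));
    if (fp != NULL && --fp->f_count == 0) free(fp);
}
/* fdescfree(): the last owner is gone; release every file under the exclusive lock. */
static void fdescfree(struct filedesc *f) {
    if (--f->fd_refcnt > 0) return;
    FILEDESC_XLOCK(f);
    for (int i = 0; i < NFILES; i++) fdfree(f, i);
    FILEDESC_XUNLOCK(f);
}
/* Sysctl-style reader; check_refcnt selects whether the r262309 test is applied.
 * Returns the number of live files it would report. */
static int kern_proc_filedesc_out(struct filedesc *f, int check_refcnt) {
    int n = 0;
    FILEDESC_SLOCK(f);
    if (!check_refcnt || f->fd_refcnt > 0)
        for (int i = 0; i < NFILES; i++) n += (f->fd_ofiles[i] != NULL);
    FILEDESC_SUNLOCK(f);
    return n;
}
/* Constructed scenario: two open files, one read, the owner exits, one more read.
 * Both variants report 2 then 0, which is why the extra refcnt check is harmless. */
static int scenario(int check_refcnt) {
    struct filedesc f; memset(&f, 0, sizeof(f));
    f.fd_refcnt = 1;
    for (int i = 0; i < 2; i++) { f.fd_ofiles[i] = calloc(1, sizeof(struct file)); f.fd_ofiles[i]->f_count = 1; }
    int before = kern_proc_filedesc_out(&f, check_refcnt);
    fdescfree(&f);
    return before * 10 + kern_proc_filedesc_out(&f, check_refcnt);  /* 20 */
}
```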