Date: Wed, 26 Feb 2014 15:29:31 -0500
From: John Baldwin <jhb@freebsd.org>
To: Mateusz Guzik <mjguzik@gmail.com>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Mateusz Guzik <mjg@freebsd.org>
Subject: Re: svn commit: r262309 - head/sys/kern
Message-ID: <201402261529.31942.jhb@freebsd.org>
In-Reply-To: <20140226192348.GA329@dft-labs.eu>
References: <201402212229.s1LMT9BF093587@svn.freebsd.org> <201402251308.43875.jhb@freebsd.org> <20140226192348.GA329@dft-labs.eu>
On Wednesday, February 26, 2014 2:23:48 pm Mateusz Guzik wrote:
> On Tue, Feb 25, 2014 at 01:08:43PM -0500, John Baldwin wrote:
> > On Friday, February 21, 2014 5:29:09 pm Mateusz Guzik wrote:
> > > Author: mjg
> > > Date: Fri Feb 21 22:29:09 2014
> > > New Revision: 262309
> > > URL: http://svnweb.freebsd.org/changeset/base/262309
> > >
> > > Log:
> > >   Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
> > >   to use-after-free.
> > >
> > >   fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
> > >   kern_proc_{o,}filedesc_out only checked for hold count.
> >
> > Can you describe the race in more detail?  The kern_* routines hold
> > FILEDESC_SLOCK() while they read the file which should prevent
> > fdescfree() from free'ing any files.  Note that fdfree() (called
> > under FILEDESC_XLOCK()) clears the file pointer to NULL via the
> > bzero(), so the sysctl handler should only see non-NULL pointers
> > for files that are not yet free'd.
> >
>
> oops, you are right. I somehow misread the code.
>
> Still, the change is harmless and matches the other loop which iterates the
> table (see sysctl_kern_file), so I think it can stay.

Actually, I think that should be undone.  That was a hacky workaround for a
long time ago when the FILEDESC locking wasn't a simple sx lock but was a
mtx + sleep lock combo thing that had fast and slow variants.

> The other thing is that with that change in place we can get rid of
> XLOCK/XUNLOCK around fdfree in fdescfree.

I would rather remove the fd_refcnt checks, or do them differently (not in
the loop).  Right now a reader might be confused to think that fd_refcnt can
change within the loop when it cannot and then worry about unhandled races
that don't exist (i.e. if fd_refcnt can change within the loop, what prevents
the individual file objects from being freed out from under the loop?)

I originally thought just that when I saw this commit and was going to note
that your change was not a true fix and still left the race open until I
found upon further investigation that your change was just noise since there
wasn't a race to begin with.  In the interest of clarity, please either
remove the fd_refcnt checks from these loops (including sysctl_kern_file) or
fix all three of them to do a single check after the SLOCK() but before the
for loop itself.

-- 
John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201402261529.31942.jhb>