From owner-svn-src-head@FreeBSD.ORG Thu Feb 27 14:52:54 2014
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2ABE7C0; Thu, 27 Feb 2014 14:52:54 +0000 (UTC)
Received: from bigwig.baldwin.cx (bigwig.baldwin.cx [IPv6:2001:470:1f11:75::1]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id F3825128E; Thu, 27 Feb 2014 14:52:53 +0000 (UTC)
Received: from jhbbsd.localnet (unknown [209.249.190.124]) by bigwig.baldwin.cx (Postfix) with ESMTPSA id E926FB962; Thu, 27 Feb 2014 09:52:52 -0500 (EST)
From: John Baldwin
To: Mateusz Guzik
Subject: Re: svn commit: r262309 - head/sys/kern
Date: Thu, 27 Feb 2014 09:06:31 -0500
User-Agent: KMail/1.13.5 (FreeBSD/8.4-CBSD-20130906; KDE/4.5.5; amd64; ; )
References: <201402212229.s1LMT9BF093587@svn.freebsd.org> <201402261529.31942.jhb@freebsd.org> <20140226212200.GB329@dft-labs.eu>
In-Reply-To: <20140226212200.GB329@dft-labs.eu>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201402270906.31359.jhb@freebsd.org>
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (bigwig.baldwin.cx); Thu, 27 Feb 2014 09:52:53 -0500 (EST)
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Mateusz Guzik
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
X-List-Received-Date: Thu, 27 Feb 2014 14:52:54 -0000

On Wednesday, February 26, 2014 4:22:00 pm Mateusz Guzik wrote:
> On Wed, Feb 26, 2014 at 03:29:31PM -0500, John Baldwin wrote:
> > On Wednesday, February 26, 2014 2:23:48 pm Mateusz Guzik wrote:
> > > On Tue, Feb 25, 2014 at 01:08:43PM -0500, John Baldwin wrote:
> > > > On Friday, February 21, 2014 5:29:09 pm Mateusz Guzik wrote:
> > > > > Author: mjg
> > > > > Date: Fri Feb 21 22:29:09 2014
> > > > > New Revision: 262309
> > > > > URL: http://svnweb.freebsd.org/changeset/base/262309
> > > > >
> > > > > Log:
> > > > >   Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
> > > > >   to use-after-free.
> > > > >
> > > > >   fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
> > > > >   kern_proc_{o,}filedesc_out only checked for hold count.
> > > >
> > > > Can you describe the race in more detail?  The kern_* routines hold
> > > > FILEDESC_SLOCK() while they read the file which should prevent
> > > > fdescfree() from free'ing any files.  Note that fdfree() (called
> > > > under FILEDESC_XLOCK() clears the file pointer to NULL via the
> > > > bzero(), so the sysctl handler should only see non-NULL pointers
> > > > for files that are not yet free'd.
> > > >
> > >
> > > oops, you are right. I somehow misread the code.
> > >
> > > Still, the change is harmless and matches other loop which iterates the
> > > table (see sysctl_kern_file), so I think it can stay.
> >
> > Actually, I think that should be undone.  That was a hacky workaround for
> > a long time ago when the FILEDESC locking wasn't a simple sx lock but was
> > a mtx + sleep lock combo thing that had fast and slow variants.
> >
> > > Other thing is that with that change in place we can get rid of
> > > XLOCK/XUNLOCK around fdfree in fdescfree.
> >
> > I would rather remove the fd_refcnt checks, or do them differently (not
> > in the loop).  Right now a reader might be confused to think that
> > fd_refcnt can change within the loop when it cannot and then worry about
> > unhandled races that don't exist (i.e. if fd_refcnt can change within
> > the loop, what prevents the individual file objects from being freed out
> > from under the loop?)
> >
>
> But it can change.
>
> kern_proc_filedesc_out calls export_fd_to_sb which drops the lock for
> each fp and sysctl_kern_proc_ofiledesc drops the lock when dealing with
> vnodes.
>
> As far as I can say all this is safe - either data is refed (vref on a
> vnode) or the lock is still held while the data is being read, so by the
> time fp can be freed it is no longer used.

Ugh, ok.  Then the change is fine as-is, but I think we have to leave the
locking in place around fdfree() still as a result.

-- 
John Baldwin
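The mechanism the thread argues over, as an added single-threaded C model that is not FreeBSD's code: the export loop drops the table lock for each entry, a stand-in for fdescfree() runs in that window, and whether the read afterwards touches freed memory depends on whether the loop took its own reference on the entry first. All names here (fentry, fdtable, table_teardown, export_entries, first_exported_value, POISON) are hypothetical stand-ins for the kernel's structures and routines, and the lock is shown only as comments.

```c
#include <stddef.h>
#define NENTRIES 4
#define POISON   (-1)                   /* stored when an entry is "freed" */

struct fentry { int refs; int value; };
struct fdtable { int refcnt; struct fentry *slots[NENTRIES]; }; /* fd_refcnt, fd_ofiles */

/* Role of fdfree()+fdescfree(): NULL every slot, drop the table's reference on
 * each entry, and "free" any entry whose count reaches zero. */
void table_teardown(struct fdtable *t)
{
    t->refcnt = 0;
    for (int i = 0; i < NENTRIES; i++) {
        struct fentry *fp = t->slots[i];
        t->slots[i] = NULL;
        if (fp != NULL && --fp->refs == 0) fp->value = POISON;
    }
}

/* Export loop in the style of export_fd_to_sb(): the table lock (shown as
 * comments) is dropped per entry, and table_teardown() runs in that window on
 * the first entry, standing in for a concurrent fdescfree(). */
int export_entries(struct fdtable *t, int hold, int *out)
{
    int n = 0;                          /* FILEDESC_SLOCK(t) held from here */
    for (int i = 0; i < NENTRIES; i++) {
        struct fentry *fp = t->slots[i];
        if (fp == NULL) continue;       /* fdfree() already cleared this slot */
        if (hold) fp->refs++;           /* fhold(): our reference outlives the table */
        /* FILEDESC_SUNLOCK(t) */
        if (n == 0) table_teardown(t);  /* concurrent free while unlocked */
        out[n++] = fp->value;           /* without `hold` this reads freed memory */
        /* FILEDESC_SLOCK(t) */
        if (hold) fp->refs--;           /* fdrop() */
        if (t->refcnt == 0) break;      /* fd_refcnt-style check; the NULL slots would end the walk too */
    }
    return n;                           /* FILEDESC_SUNLOCK(t) */
}

/* Fresh table with entries 10..13 (one ref each); returns the first value read. */
int first_exported_value(int hold)
{
    struct fentry pool[NENTRIES];
    struct fdtable t = { .refcnt = 1 };
    int out[NENTRIES];
    for (int i = 0; i < NENTRIES; i++) {
        pool[i] = (struct fentry){ .refs = 1, .value = 10 + i };
        t.slots[i] = &pool[i];
    }
    return export_entries(&t, hold, out) == 1 ? out[0] : POISON - 1;
}
```

With `hold` set the loop reads 10 because its own reference keeps the entry alive across the teardown; without it the teardown's fdrop drops the count to zero and the loop reads POISON, the use-after-free the commit message describes.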