svn commit: r262309 - head/sys/kern

John Baldwin jhb at freebsd.org
Thu Feb 27 14:52:54 UTC 2014


On Wednesday, February 26, 2014 4:22:00 pm Mateusz Guzik wrote:
> On Wed, Feb 26, 2014 at 03:29:31PM -0500, John Baldwin wrote:
> > On Wednesday, February 26, 2014 2:23:48 pm Mateusz Guzik wrote:
> > > On Tue, Feb 25, 2014 at 01:08:43PM -0500, John Baldwin wrote:
> > > > On Friday, February 21, 2014 5:29:09 pm Mateusz Guzik wrote:
> > > > > Author: mjg
> > > > > Date: Fri Feb 21 22:29:09 2014
> > > > > New Revision: 262309
> > > > > URL: http://svnweb.freebsd.org/changeset/base/262309
> > > > > 
> > > > > Log:
> > > > >   Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
> > > > >   to use-after-free.
> > > > >   
> > > > >   fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
> > > > >   kern_proc_{o,}filedesc_out only checked for hold count.
> > > > 
> > > > Can you describe the race in more detail?  The kern_* routines hold
> > > > FILEDESC_SLOCK() while they read the file which should prevent
> > > > fdescfree() from free'ing any files.  Note that fdfree() (called
> > > > under FILEDESC_XLOCK() clears the file pointer to NULL via the
> > > > bzero(), so the sysctl handler should only see non-NULL pointers
> > > > for files that are not yet free'd.
> > > > 
> > > 
> > > oops, you are right. I somehow misread the code.
> > > 
> > > Still, the change is harmless and matches the other loop which iterates the
> > > table (see sysctl_kern_file), so I think it can stay.
> > 
> > Actually, I think that should be undone.  That was a hacky workaround for
> > a long time ago when the FILEDESC locking wasn't a simple sx lock but was
> > a mtx + sleep lock combo thing that had fast and slow variants.
> > 
> > > Other thing is that with that change in place we can get rid of
> > > XLOCK/XUNLOCK around fdfree in fdescfree.
> > 
> > I would rather remove the fd_refcnt checks, or do them differently (not
> > in the loop).  Right now a reader might be confused to think that
> > fd_refcnt can change within the loop when it cannot and then worry about
> > unhandled races that don't exist (i.e. if fd_refcnt can change within
> > the loop, what prevents the individual file objects from being freed out
> > from under the loop?)
> > 
> 
> But it can change.
> 
> kern_proc_filedesc_out calls export_fd_to_sb which drops the lock for
> each fp and sysctl_kern_proc_ofiledesc drops the lock when dealing with
> vnodes.
> 
> As far as I can say all this is safe - either data is refed (vref on a
> vnode) or the lock is still held while the data is being read, so by the
> time fp can be freed it is no longer used.

Ugh, ok.  Then the change is fine as-is, but I think we have to leave
the locking in place around fdfree() still as a result.

-- 
John Baldwin
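The rule Mateusz states above (either the data is referenced, or the lock is still held while it is read, so by the time the file pointer can be freed it is no longer in use) is easy to get wrong when a reader drops a shared lock mid-iteration. The following is an added, single-threaded model in plain C that is not FreeBSD code: file_t, fdtable_t, reader_take(), table_free() and the integer lock field are invented stand-ins for struct file, struct filedesc, fhold()/fdrop(), fdescfree() and the FILEDESC sx lock. The two scenario functions replay the safe interleaving (reader takes a reference before unlocking) and the unsafe one (reader unlocks without a reference), checking only bookkeeping ids so no freed memory is ever touched.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

#define NFILES 4

/* Modelled file object: freed when f_count drops to zero (like f_count). */
typedef struct file { int f_count; int f_id; } file_t;

/* Modelled descriptor table. fd_refcnt plays the role of fd_refcnt (teardown
 * starts when it hits 0); lock models the sx lock: 0 = unlocked,
 * n > 0 = n shared holders, -1 = exclusively held. */
typedef struct fdtable { file_t *fd_ofiles[NFILES]; int fd_refcnt; int lock; } fdtable_t;

/* Model bookkeeping: number of file objects freed and the id freed last. */
static int g_freed_count;
static int g_last_freed_id = -1;

static void slock(fdtable_t *t)   { assert(t->lock >= 0); t->lock++; }
static void sunlock(fdtable_t *t) { assert(t->lock > 0);  t->lock--; }
static void xlock(fdtable_t *t)   { assert(t->lock == 0); t->lock = -1; }
static void xunlock(fdtable_t *t) { assert(t->lock == -1); t->lock = 0; }

static file_t *file_alloc(int id) {
    file_t *fp = calloc(1, sizeof *fp);
    fp->f_count = 1;            /* the table's own reference */
    fp->f_id = id;
    return fp;
}

static void fhold(file_t *fp) { fp->f_count++; }

static void fdrop(file_t *fp) {
    if (--fp->f_count == 0) {
        g_last_freed_id = fp->f_id;
        g_freed_count++;
        free(fp);
    }
}

/* Build a table with nfiles open files; reset the model counters. */
static void table_init(fdtable_t *t, int nfiles) {
    memset(t, 0, sizeof *t);
    t->fd_refcnt = 1;
    g_freed_count = 0;
    g_last_freed_id = -1;
    for (int i = 0; i < nfiles; i++)
        t->fd_ofiles[i] = file_alloc(i);
}

/* The reader pattern from the thread: look the fd up under the shared lock,
 * take a reference, then drop the lock before the slow work. */
static file_t *reader_take(fdtable_t *t, int fd) {
    slock(t);
    file_t *fp = t->fd_ofiles[fd];
    if (fp != NULL)
        fhold(fp);
    sunlock(t);
    return fp;
}

/* Modelled fdescfree(): on the last table reference, clear the slots under the
 * exclusive lock, then release the table's references on each file. */
static void table_free(fdtable_t *t) {
    if (--t->fd_refcnt > 0)
        return;
    file_t *files[NFILES];
    xlock(t);
    memcpy(files, t->fd_ofiles, sizeof files);
    memset(t->fd_ofiles, 0, sizeof t->fd_ofiles);
    xunlock(t);
    for (int i = 0; i < NFILES; i++)
        if (files[i] != NULL)
            fdrop(files[i]);
}

/* Safe interleaving: the reader's reference keeps fd 0 alive across teardown.
 * Returns 1 if fd 0 was freed only after the reader dropped its reference. */
int scenario_reader_holds_ref(void) {
    fdtable_t t;
    table_init(&t, 2);
    file_t *fp = reader_take(&t, 0);
    table_free(&t);                 /* frees fd 1 only; fd 0 still referenced */
    int alive = (g_freed_count == 1 && g_last_freed_id == 1 && fp->f_id == 0);
    fdrop(fp);                      /* last reference: fd 0 freed now */
    return alive && g_freed_count == 2 && g_last_freed_id == 0;
}

/* Unsafe interleaving: the reader relies on the shared lock alone but lets it
 * go before using the entry. Returns 1 when the object it still intends to use
 * has already been freed (the use-after-free the commit log describes); only
 * the recorded id is compared, the freed memory is never read. */
int scenario_reader_drops_lock_without_ref(void) {
    fdtable_t t;
    table_init(&t, 1);
    slock(&t);
    int wanted_id = t.fd_ofiles[0]->f_id;
    sunlock(&t);                    /* lock released, no reference taken */
    table_free(&t);
    return g_freed_count == 1 && g_last_freed_id == wanted_id;
}
```

The lock helpers assert on illegal transitions (an exclusive acquire while a shared holder remains, for instance), which is what makes the XLOCK around the slot-clearing step in table_free() meaningful even in a single-threaded replay: a reader that still held the shared lock would trip the assert rather than silently race.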